T1613 Microsoft Sentinel · KQL

Detect Container and Resource Discovery in Microsoft Sentinel

This detection identifies adversaries performing container and resource discovery within Docker and Kubernetes environments. Attackers who gain initial access to a container or cluster node often enumerate running containers, pods, services, nodes, namespaces, and cluster configuration to understand the environment and plan lateral movement. Common methods include executing Docker CLI commands (docker ps, docker inspect, docker images), Kubernetes CLI commands (kubectl get pods/nodes/namespaces/services), querying the Docker daemon socket or Kubernetes API server programmatically, scanning for kubelets with tools like masscan, and using offensive tools such as Peirates. Detection focuses on process execution of enumeration commands—especially from unexpected parent processes, non-administrative accounts, or container contexts—as well as anomalous API query patterns against the Kubernetes API server.

MITRE ATT&CK

Tactic
Discovery
Technique
T1613 Container and Resource Discovery
Canonical reference
https://attack.mitre.org/techniques/T1613/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let ContainerDiscoveryCommands = dynamic(["docker ps", "docker inspect", "docker images", "docker info", "docker stats", "docker network ls", "docker volume ls", "docker container ls"]);
let KubeDiscoveryPatterns = dynamic(["get pods", "get nodes", "get namespaces", "get services", "get deployments", "get secrets", "get configmaps", "describe pod", "describe node", "cluster-info", "get all", "get sa", "get serviceaccount"]);
let CrictlCommands = dynamic(["crictl ps", "crictl pods", "crictl images", "crictl info"]);
let SuspiciousParents = dynamic(["bash", "sh", "dash", "zsh", "python", "python3", "perl", "ruby", "nc", "ncat", "socat"]);
DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where (
    // Docker enumeration commands
    (ProcessCommandLine has "docker" and (
        ProcessCommandLine has "ps" or
        ProcessCommandLine has "inspect" or
        ProcessCommandLine has "images" or
        ProcessCommandLine has "info" or
        ProcessCommandLine has "stats" or
        ProcessCommandLine has "network ls" or
        ProcessCommandLine has "volume ls" or
        ProcessCommandLine has "container ls"
    ))
    or
    // kubectl enumeration
    (FileName =~ "kubectl" and (
        ProcessCommandLine has "get pods" or
        ProcessCommandLine has "get nodes" or
        ProcessCommandLine has "get namespaces" or
        ProcessCommandLine has "get services" or
        ProcessCommandLine has "get deployments" or
        ProcessCommandLine has "get secrets" or
        ProcessCommandLine has "get configmaps" or
        ProcessCommandLine has "get all" or
        ProcessCommandLine has "cluster-info" or
        ProcessCommandLine has "describe" or
        ProcessCommandLine has "get sa" or
        ProcessCommandLine has "get serviceaccount"
    ))
    or
    // crictl (containerd CLI) enumeration
    (FileName =~ "crictl" and (
        ProcessCommandLine has "ps" or
        ProcessCommandLine has "pods" or
        ProcessCommandLine has "images" or
        ProcessCommandLine has "info"
    ))
    or
    // ctr (containerd) enumeration
    (FileName =~ "ctr" and (
        ProcessCommandLine has "containers list" or
        ProcessCommandLine has "images list" or
        ProcessCommandLine has "tasks list"
    ))
    or
    // Peirates and similar offensive tools
    (FileName =~ "peirates")
    or
    // curl/wget against Docker socket or Kubernetes API
    ((FileName in~ ("curl", "wget")) and (
        ProcessCommandLine has "/var/run/docker.sock" or
        ProcessCommandLine has ":8080/api" or
        ProcessCommandLine has ":6443/api" or
        ProcessCommandLine has ":10250" or
        ProcessCommandLine has "/api/v1/pods" or
        ProcessCommandLine has "/api/v1/nodes" or
        ProcessCommandLine has "/api/v1/namespaces"
    ))
)
| extend RiskScore = case(
    InitiatingProcessFileName in~ (SuspiciousParents), 80,
    AccountName !in~ ("root", "system") and FileName =~ "kubectl", 60,
    ProcessCommandLine has "get secrets", 90,
    ProcessCommandLine has "/var/run/docker.sock", 85,
    ProcessCommandLine has ":10250", 80,
    40
)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, RiskScore
| where RiskScore >= 40
| order by RiskScore desc, TimeGenerated desc
medium severity medium confidence

Detects process execution of Docker, kubectl, crictl, and ctr enumeration commands used to discover containers, pods, nodes, namespaces, services, secrets, and cluster configuration. Also detects curl/wget queries against the Docker Unix socket or Kubernetes API endpoints (including the kubelet API on port 10250). Assigns risk scores based on parent process suspiciousness, sensitive resource types (secrets), and direct socket/API access.

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Legitimate DevOps engineers and SREs routinely run kubectl get pods/nodes and docker ps for operational monitoring and troubleshooting
  • CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) execute container enumeration commands as part of automated build, test, and deploy workflows
  • Kubernetes operators, admission controllers, and monitoring tools (Prometheus node-exporter, Datadog agent, Falco) query the kubelet API and Kubernetes API server continuously for health data
  • Container security scanners (Trivy, Anchore, Snyk) enumerate images and running containers during scheduled vulnerability assessments
Download portable Sigma rule (.yml)

Other platforms for T1613

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Docker Container Enumeration via CLI

    Expected signal: Linux auditd execve syscall events or Sysmon EventCode=1 (ProcessCreate) showing docker binary executions with arguments: ps, images, network ls, volume ls, info, inspect. Parent process will be the invoking shell.

  2. Test 2Kubernetes Cluster Enumeration via kubectl

    Expected signal: Process creation events showing kubectl binary with arguments: get nodes, get pods, get namespaces, get services, get deployments, get serviceaccounts, cluster-info, get clusterrolebindings, auth can-i. Multiple events in rapid succession.

  3. Test 3Kubernetes Secrets Enumeration via kubectl and Direct API

    Expected signal: Process creation events for kubectl with 'get secrets' argument (risk score 90 in detection). If curl is used: process creation for curl with Kubernetes API URL pattern and bearer token in command line. In-container token file access may also appear in auditd open/read syscall logs.

Last updated: 2026-03-20 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1613 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1611Escape to HostT1552.007Container APIT1087.001Local AccountT1087.002Domain AccountT1069.003Cloud GroupsT1033System Owner/User DiscoveryT1046Network Service DiscoveryT1615Group Policy DiscoveryT1021.007Cloud Services

Same Tactic: Discovery

Popular Detections