Detect Container and Resource Discovery in Splunk
This detection identifies adversaries performing container and resource discovery within Docker and Kubernetes environments. Attackers who gain initial access to a container or cluster node often enumerate running containers, pods, services, nodes, namespaces, and cluster configuration to understand the environment and plan lateral movement. Common methods include executing Docker CLI commands (docker ps, docker inspect, docker images), Kubernetes CLI commands (kubectl get pods/nodes/namespaces/services), querying the Docker daemon socket or Kubernetes API server programmatically, scanning for kubelets with tools like masscan, and using offensive tools such as Peirates. Detection focuses on process execution of enumeration commands—especially from unexpected parent processes, non-administrative accounts, or container contexts—as well as anomalous API query patterns against the Kubernetes API server.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1613 Container and Resource Discovery
- Canonical reference: https://attack.mitre.org/techniques/T1613/
SPL Detection Query
index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="auditd")
| eval is_container_discovery=0
| eval cmd=coalesce(CommandLine, command, cmd_line, "")
| eval process=coalesce(Image, process_name, comm, "")
| eval parent_process=coalesce(ParentImage, parent_process_name, "")
```Docker enumeration```
| eval is_container_discovery=if(
(match(process, "(?i)docker$") AND match(cmd, "(?i)(\\bps\\b|inspect|images|info|stats|network ls|volume ls|container ls)")),
1, is_container_discovery)
```kubectl enumeration```
| eval is_container_discovery=if(
(match(process, "(?i)kubectl$") AND match(cmd, "(?i)(get (pods|nodes|namespaces|services|deployments|secrets|configmaps|serviceaccounts|sa|clusterrolebindings|all)|cluster-info|describe|auth can-i)")),
1, is_container_discovery)
```crictl/ctr enumeration```
| eval is_container_discovery=if(
(match(process, "(?i)(crictl|ctr)$") AND match(cmd, "(?i)(ps|pods|images|info|containers list|tasks list)")),
1, is_container_discovery)
```Peirates offensive tool```
| eval is_container_discovery=if(match(process, "(?i)peirates"), 1, is_container_discovery)
```curl/wget against Docker socket or Kubernetes API```
| eval is_container_discovery=if(
(match(process, "(?i)(curl|wget)$") AND match(cmd, "(?i)(\/var\/run\/docker\.sock|:8080\/api|:6443\/api|:10250|\/api\/v1\/(pods|nodes|namespaces))")),
1, is_container_discovery)
| where is_container_discovery=1
```case() returns the first true branch, so the tool match must come before the generic parent-shell branch; the parent regex is anchored to the basename so "sh" does not match sshd or fish```
| eval risk_score=case(
match(process, "(?i)peirates"), 95,
match(cmd, "(?i)get secrets"), 90,
match(cmd, "(?i)\/var\/run\/docker\.sock"), 85,
match(cmd, "(?i):10250"), 80,
match(parent_process, "(?i)(^|\/)(bash|sh|dash|zsh|python3?|perl|ruby|nc|ncat|socat)$"), 80,
1==1, 40
)
| stats count as execution_count, values(cmd) as commands, values(parent_process) as parent_processes, max(risk_score) as max_risk_score, min(_time) as first_seen, max(_time) as last_seen by host, user, process
```severity is derived after aggregation from the highest-scoring event, so one host/user/process tuple yields one row instead of one row per severity```
| eval severity=case(max_risk_score >= 85, "critical", max_risk_score >= 70, "high", max_risk_score >= 50, "medium", 1==1, "low")
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - max_risk_score
| table host, user, process, commands, parent_processes, execution_count, max_risk_score, severity, first_seen, last_seen
Detects container and resource discovery activity by monitoring process execution events for Docker CLI, kubectl, crictl, ctr, Peirates, and curl/wget queries against container runtime APIs. Aggregates by host/user/process to identify enumeration bursts and assigns risk scores based on sensitive resource types (secrets), direct socket/API access, and suspicious parent process chains.
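The classification, scoring and aggregation stages of the query above, re-implemented in Python as an added example (not code from the original detection page) so the regexes can be exercised against sample events offline before the SPL is deployed. The events are constructed and already normalised to the three fields the query coalesces (cmd, process, parent_process); hostnames, users and timestamps are illustrative. The score branches are ordered with the Peirates match first, because a case()-style first-true-branch chain that tests the shell parent before the tool would never return 95 for Peirates launched from a shell, and the parent-process regex is anchored to the path basename so that "sh" matches /bin/sh but not /usr/bin/sshd.

```python
import re
from collections import defaultdict

# Constructed process-creation events, already normalised to the three fields the SPL
# query coalesces (cmd, process, parent_process). Not real telemetry.
EVENTS = [
    {"_time": 1714557601, "host": "node-01", "user": "ops", "process": "/usr/bin/kubectl",
     "parent_process": "/usr/bin/bash", "cmd": "kubectl get nodes"},
    {"_time": 1714557602, "host": "node-01", "user": "ops", "process": "/usr/bin/kubectl",
     "parent_process": "/usr/bin/bash", "cmd": "kubectl get secrets -A"},
    {"_time": 1714557610, "host": "node-02", "user": "www-data", "process": "/usr/bin/curl",
     "parent_process": "/usr/bin/python3",
     "cmd": "curl --unix-socket /var/run/docker.sock http://localhost/containers/json"},
    {"_time": 1714557611, "host": "node-02", "user": "www-data", "process": "/usr/bin/curl",
     "parent_process": "/usr/bin/python3", "cmd": "curl -sk https://10.0.0.1:10250/pods"},
    {"_time": 1714557620, "host": "node-03", "user": "root", "process": "/tmp/peirates",
     "parent_process": "/bin/sh", "cmd": "/tmp/peirates"},
    {"_time": 1714557630, "host": "node-01", "user": "ops", "process": "/usr/bin/docker",
     "parent_process": "/usr/bin/bash", "cmd": "docker run -d nginx"},        # not discovery
    {"_time": 1714557631, "host": "node-01", "user": "ops", "process": "/usr/bin/docker",
     "parent_process": "/usr/bin/bash", "cmd": "docker ps -a"},
    {"_time": 1714557640, "host": "node-04", "user": "svc-ci", "process": "/usr/bin/kubectl",
     "parent_process": "/usr/bin/sshd", "cmd": "kubectl get pods -n prod"},
]

# (process regex, command-line regex) pairs mirroring the SPL; None means any command line counts.
DISCOVERY_RULES = [
    (r"docker$", r"(\bps\b|inspect|images|info|stats|network ls|volume ls|container ls)"),
    (r"kubectl$", r"(get (pods|nodes|namespaces|services|deployments|secrets|configmaps|all|sa)"
                  r"|cluster-info|describe)"),
    (r"(crictl|ctr)$", r"(ps|pods|images|info|containers list|tasks list)"),
    (r"peirates", None),
    (r"(curl|wget)$", r"(/var/run/docker\.sock|:8080/api|:6443/api|:10250|/api/v1/(pods|nodes|namespaces))"),
]
# Anchored to the path basename so "sh" matches /bin/sh but not /usr/bin/sshd.
SUSPICIOUS_PARENT = r"(^|/)(bash|sh|dash|zsh|python3?|perl|ruby|nc|ncat|socat)$"


def _m(pattern, text):
    return re.search(pattern, text, re.IGNORECASE) is not None


def is_container_discovery(event):
    return any(_m(p, event["process"]) and (c is None or _m(c, event["cmd"]))
               for p, c in DISCOVERY_RULES)


def risk_score(event):
    """Ordered like SPL case(): the first true branch wins, so the tool match is checked first."""
    if _m(r"peirates", event["process"]):
        return 95
    if _m(r"get secrets", event["cmd"]):
        return 90
    if _m(r"/var/run/docker\.sock", event["cmd"]):
        return 85
    if _m(r":10250", event["cmd"]):
        return 80
    if _m(SUSPICIOUS_PARENT, event["parent_process"]):
        return 80
    return 40


def severity(score):
    return "critical" if score >= 85 else "high" if score >= 70 else "medium" if score >= 50 else "low"


def summarize(events):
    """Equivalent of the stats/sort stage: one row per host, user, process, highest risk first."""
    groups = defaultdict(list)
    for e in events:
        if is_container_discovery(e):
            groups[(e["host"], e["user"], e["process"])].append(e)
    rows = []
    for (host, user, proc), evs in groups.items():
        top = max(risk_score(e) for e in evs)
        rows.append({
            "host": host, "user": user, "process": proc,
            "commands": sorted({e["cmd"] for e in evs}),
            "parent_processes": sorted({e["parent_process"] for e in evs}),
            "execution_count": len(evs), "max_risk_score": top, "severity": severity(top),
            "first_seen": min(e["_time"] for e in evs), "last_seen": max(e["_time"] for e in evs),
        })
    return sorted(rows, key=lambda r: -r["max_risk_score"])


if __name__ == "__main__":
    for row in summarize(EVENTS):
        print(row["severity"], row["max_risk_score"], row["host"], row["user"], row["process"], row["commands"])
```

Running it yields five rows: the Peirates binary at 95, the ops kubectl session at 90 (the two kubectl events collapse into one row and the secrets read sets the maximum), the curl-to-docker.sock pair at 85, docker ps at 80, and the CI account's kubectl get pods spawned by sshd at 40, which the unanchored "sh" pattern in the original parent regex would have scored 80. The docker run event is never classified as discovery.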
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (Sysmon EventCode=1 ProcessCreate; fields Image, ParentImage, CommandLine)
- linux_secure
- syslog
- auditd (execve syscall records)
The query coalesces the command line from CommandLine, command or cmd_line, the process from Image, process_name or comm, and the parent from ParentImage or parent_process_name. If one of these fields is not extracted for a sourcetype, its events fall through the match() calls with is_container_discovery=0 and are filtered out without any indication.
False Positives & Tuning
- Platform engineering teams performing routine cluster health checks via kubectl get nodes/pods as part of on-call runbooks
- Monitoring and observability platforms (Prometheus, Datadog, New Relic) continuously querying Kubernetes API and kubelet endpoints for metrics and service discovery
- Container orchestration automation scripts in CI/CD systems that enumerate running containers to determine deployment state before rolling updates
- Security baseline tools (kube-bench, kube-hunter in assessment mode) that enumerate cluster resources as part of authorized security posture reviews
- The parent_process branch of risk_score assigns 80 (high) to any hit launched from a shell; since almost every interactive docker or kubectl invocation has a shell parent, most hits will land at high. If the volume is too high, reserve that branch for scripting interpreters and network tools (python, perl, nc, socat) or combine it with a non-administrative user check.
- Allowlist the service accounts and hosts used by the monitoring and CI/CD automation above on the user and host fields rather than suppressing the command patterns, so the same commands from an unexpected principal still alert.
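Process telemetry does not see enumeration performed directly against the API server (an in-cluster curl with a mounted token, or a stolen kubeconfig used from outside the monitored fleet), which the overview calls out as the second detection surface. The following added example, not part of the original page, applies the same idea to Kubernetes audit log events (audit.k8s.io/v1, Metadata level, one JSON object per line): it flags a principal that reads several distinct resource kinds within a short window, counts forbidden (403) attempts in that burst as an extra signal, and allowlists monitoring service accounts by username prefix to handle the observability-platform false positive listed above. The audit events, the principals, the allowlist prefix and the thresholds are all constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY_VERBS = {"get", "list", "watch"}
DISCOVERY_RESOURCES = {"pods", "nodes", "namespaces", "services", "endpoints", "deployments",
                       "secrets", "configmaps", "serviceaccounts", "clusterrolebindings"}
# Assumed allowlist: principals expected to enumerate continuously (here, the monitoring namespace).
DEFAULT_ALLOWLIST = ("system:serviceaccount:monitoring:",)


def _audit_event(ts, user, verb, resource, agent, src, code=200):
    """Build one audit.k8s.io/v1 Metadata-level event as a JSON line (constructed sample)."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "stage": "ResponseComplete", "verb": verb, "requestURI": f"/api/v1/{resource}",
        "user": {"username": user, "groups": ["system:authenticated"]},
        "sourceIPs": [src], "userAgent": agent,
        "objectRef": {"resource": resource, "apiVersion": "v1"},
        "responseStatus": {"code": code},
        "requestReceivedTimestamp": ts,
    })


PROM = "system:serviceaccount:monitoring:prometheus"
POD_SA = "system:serviceaccount:default:default"
AUDIT_LOG = "\n".join([
    # steady-state scraping by a monitoring service account (benign, allowlisted)
    _audit_event("2024-05-01T10:00:00.000000Z", PROM, "list", "pods", "Prometheus/2.51.0", "10.0.0.10"),
    _audit_event("2024-05-01T10:00:00.200000Z", PROM, "list", "nodes", "Prometheus/2.51.0", "10.0.0.10"),
    _audit_event("2024-05-01T10:00:01.000000Z", PROM, "list", "services", "Prometheus/2.51.0", "10.0.0.10"),
    _audit_event("2024-05-01T10:00:01.300000Z", PROM, "list", "endpoints", "Prometheus/2.51.0", "10.0.0.10"),
    # a pod's default service-account token driven by curl: breadth-first enumeration
    _audit_event("2024-05-01T10:00:30.000000Z", POD_SA, "list", "pods", "curl/7.88.1", "10.244.1.7"),
    _audit_event("2024-05-01T10:00:31.000000Z", POD_SA, "list", "namespaces", "curl/7.88.1", "10.244.1.7"),
    _audit_event("2024-05-01T10:00:32.000000Z", POD_SA, "list", "nodes", "curl/7.88.1", "10.244.1.7"),
    _audit_event("2024-05-01T10:00:33.000000Z", POD_SA, "list", "serviceaccounts", "curl/7.88.1", "10.244.1.7"),
    _audit_event("2024-05-01T10:00:35.000000Z", POD_SA, "list", "secrets", "curl/7.88.1", "10.244.1.7"),
    _audit_event("2024-05-01T10:00:36.000000Z", POD_SA, "list", "clusterrolebindings", "curl/7.88.1", "10.244.1.7", code=403),
    # an engineer looking at one namespace: too little breadth to fire
    _audit_event("2024-05-01T10:05:00.000000Z", "alice", "get", "pods", "kubectl/v1.29.2", "192.168.1.20"),
    _audit_event("2024-05-01T10:05:02.000000Z", "alice", "list", "deployments", "kubectl/v1.29.2", "192.168.1.20"),
    _audit_event("2024-05-01T10:05:05.000000Z", "alice", "create", "deployments", "kubectl/v1.29.2", "192.168.1.20", code=201),
])


def parse_audit_log(text):
    """Parse JSON-lines audit output, keeping only completed read requests for discovery resources."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        ref = e.get("objectRef") or {}
        if e.get("kind") != "Event" or e.get("stage") != "ResponseComplete":
            continue
        if e.get("verb") not in DISCOVERY_VERBS or ref.get("resource") not in DISCOVERY_RESOURCES:
            continue
        events.append({
            "ts": datetime.strptime(e["requestReceivedTimestamp"], "%Y-%m-%dT%H:%M:%S.%fZ"),
            "user": e["user"]["username"], "resource": ref["resource"],
            "agent": e.get("userAgent", ""), "src": ",".join(e.get("sourceIPs", [])),
            "code": (e.get("responseStatus") or {}).get("code", 0),
        })
    return sorted(events, key=lambda ev: ev["ts"])


def detect_enumeration(text, window=timedelta(seconds=60), min_kinds=4, allowlist=DEFAULT_ALLOWLIST):
    """One finding per principal that reads >= min_kinds distinct resource kinds inside `window`."""
    by_user = defaultdict(list)
    for ev in parse_audit_log(text):
        by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        if any(user.startswith(prefix) for prefix in allowlist):
            continue
        for i, start in enumerate(evs):
            burst = [ev for ev in evs[i:] if ev["ts"] - start["ts"] <= window]
            kinds = sorted({ev["resource"] for ev in burst})
            if len(kinds) >= min_kinds:
                findings.append({
                    "user": user, "kinds": kinds, "secrets": "secrets" in kinds,
                    "forbidden": sum(1 for ev in burst if ev["code"] == 403),
                    "agents": sorted({ev["agent"] for ev in burst}),
                    "sources": sorted({ev["src"] for ev in burst}),
                    "window_start": start["ts"].isoformat(),
                })
                break  # report the first qualifying window per principal
    return findings


if __name__ == "__main__":
    for finding in detect_enumeration(AUDIT_LOG):
        print(finding)
```

With the default allowlist the only finding is the pod's default service account: six resource kinds in six seconds from a curl user agent, including secrets and one forbidden clusterrolebindings read. Passing an empty allowlist also surfaces the Prometheus account, which is exactly the false positive the prefix allowlist exists to suppress; the engineer's two reads in one namespace never reach the breadth threshold, and the create request is ignored because it is not a read verb.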
Testing Methodology
Validate this detection against three Atomic Red Team tests for T1613. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Docker Container Enumeration via CLI
Expected signal: Linux auditd execve syscall events or Sysmon EventCode=1 (ProcessCreate) showing docker binary executions with arguments: ps, images, network ls, volume ls, info, inspect. Parent process will be the invoking shell.
- Test 2: Kubernetes Cluster Enumeration via kubectl
Expected signal: Process creation events showing kubectl binary with arguments: get nodes, get pods, get namespaces, get services, get deployments, get serviceaccounts, cluster-info, get clusterrolebindings, auth can-i. Multiple events in rapid succession. Only arguments matched by the kubectl branch of the query contribute to the detection; check that every argument the test uses appears in that regex before treating a missed event as a telemetry gap.
- Test 3: Kubernetes Secrets Enumeration via kubectl and Direct API
Expected signal: Process creation events for kubectl with the 'get secrets' argument (risk score 90 in the detection). If curl is used: process creation for curl with a Kubernetes API URL pattern and a bearer token in the command line. In-container token file access may also appear in auditd open/read syscall logs.
References (7)
- https://attack.mitre.org/techniques/T1613/
- https://docs.docker.com/engine/api/v1.41/
- https://kubernetes.io/docs/reference/kubernetes-api/
- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- https://www.trendmicro.com/en_us/research/21/d/teamtnt-with-new-aggressive-campaign-against-the-linux-platform.html
- https://github.com/inguardians/peirates
- https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/