title: Container and Resource Discovery (T1613)
id: df00tech-t1613
status: experimental
description: "This detection identifies adversaries performing container and resource discovery within Docker and Kubernetes environments. Attackers who gain initial access to a container or cluster node often enumerate running containers, pods, services, nodes, namespaces, and cluster configuration to understand the environment and plan lateral movement. Common methods include executing Docker CLI commands (docker ps, docker inspect, docker images), Kubernetes CLI commands (kubectl get pods/nodes/namespaces/services), querying the Docker daemon socket or Kubernetes API server programmatically, scanning for kubelets with tools like masscan, and using offensive tools such as Peirates. Detection focuses on process execution of enumeration commands—especially from unexpected parent processes, non-administrative accounts, or container contexts—as well as anomalous API query patterns against the Kubernetes API server."
references:
  - https://attack.mitre.org/techniques/T1613/
  - https://df00tech.com/detections/T1613
author: df00tech
date: 2026/03/20
tags:
  - attack.t1613
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate DevOps engineers and SREs routinely run kubectl get pods/nodes and docker ps for operational monitoring and troubleshooting"
  - "CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) execute container enumeration commands as part of automated build, test, and deploy workflows"
  - "Kubernetes operators, admission controllers, and monitoring tools (Prometheus node-exporter, Datadog agent, Falco) query the kubelet API and Kubernetes API server continuously for health data"
  - "Container security scanners (Trivy, Anchore, Snyk) enumerate images and running containers during scheduled vulnerability assessments"
level: medium
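Added illustration, not part of the df00tech rule or its KQL/SPL query: the process-creation triage the description sketches, run over constructed events. The docker/kubectl/masscan matching follows the commands named in the description; the expected-parent and admin-account baselines, the event field names and the sample events are assumptions made for this example.

```python
# Enumeration subcommands named in the rule description (T1613).
DOCKER_ENUM = {"ps", "inspect", "images"}
KUBECTL_ENUM = {"pods", "po", "nodes", "no", "namespaces", "ns", "services", "svc"}
# Assumed baselines for this example (tune per environment): parents from which
# kubectl/docker are expected, and accounts allowed to enumerate without alerting.
EXPECTED_PARENTS = {"bash", "zsh", "sh", "gitlab-runner", "jenkins"}
ADMIN_USERS = {"root", "sre", "devops"}

def is_enumeration(cmdline: str) -> bool:
    """True if the command line is a container/cluster enumeration command."""
    argv = cmdline.split()
    exe = argv[0].rsplit("/", 1)[-1] if argv else ""
    if exe == "docker":
        return len(argv) > 1 and argv[1] in DOCKER_ENUM
    if exe == "kubectl":
        return len(argv) > 2 and argv[1] == "get" and argv[2].split("/")[0] in KUBECTL_ENUM
    # masscan sweep of the kubelet port (10250), as named in the rule text.
    return exe == "masscan" and "10250" in cmdline

def suspicious_context(event: dict) -> list:
    """Reasons an enumeration event deserves attention; empty list means benign."""
    reasons = []
    if event["cmdline"].split()[0].endswith("masscan"):
        reasons.append("kubelet port sweep")
    if event["parent"] not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {event['parent']}")
    if event["user"] not in ADMIN_USERS:
        reasons.append(f"non-admin user {event['user']}")
    if event.get("container_id"):
        reasons.append("executed inside container")
    return reasons

def triage(events: list) -> list:
    """Return (cmdline, reasons) pairs for enumeration events with a suspicious context."""
    alerts = []
    for e in events:
        if is_enumeration(e["cmdline"]):
            reasons = suspicious_context(e)
            if reasons:
                alerts.append((e["cmdline"], reasons))
    return alerts

# Constructed sample process_creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"cmdline": "kubectl get pods -A", "parent": "bash", "user": "sre", "container_id": ""},
    {"cmdline": "docker ps -a", "parent": "python3", "user": "www-data", "container_id": ""},
    {"cmdline": "kubectl get nodes -o wide", "parent": "sh", "user": "root", "container_id": "c0ffee01"},
    {"cmdline": "masscan -p10250 10.0.0.0/16", "parent": "bash", "user": "root", "container_id": ""},
    {"cmdline": "docker build -t app .", "parent": "gitlab-runner", "user": "gitlab", "container_id": ""},
]
```

Running `triage(SAMPLE_EVENTS)` flags the `docker ps` from a web-server process, the `kubectl get nodes` issued inside a container, and the kubelet sweep, while the SRE's shell query and the CI build pass through.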
