A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another[1]
Container Creation: Initial construction of a new container (ex: docker create)

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1610 | Deploy Container | Monitor for newly constructed containers that may deploy a container into an environment to facilitate execution or evade defenses. |
| Enterprise | T1611 | Escape to Host | Monitor for the deployment of suspicious or unknown container images and pods in your environment, particularly containers running as root. |
| Enterprise | T1053 | Scheduled Task/Job | Monitor for newly constructed containers that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. |
| Enterprise | T1053.007 | Container Orchestration Job | Monitor for newly constructed containers created by orchestration jobs (ex: Kubernetes CronJobs), which adversaries may use to obtain recurring execution of malicious code. |
| Enterprise | T1204 | User Execution | Monitor for newly constructed containers that may result from a user executing malicious content, for example deploying a container from a malicious image. |
| Enterprise | T1204.003 | Malicious Image | Track the deployment of new containers, especially from newly built images. |
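The checks in the table above can be run directly against Kubernetes API-server audit records, since a completed `create` on a pod or cronjob carries the full pod spec. The following is an added example, not code from MITRE ATT&CK or from any referenced project: it reads newline-delimited `audit.k8s.io/v1` events and flags images that are not from an allowlisted registry or not pinned by digest (T1204.003), containers that run as root or privileged or share host namespaces (T1611), and container creation through orchestration jobs (T1053.007). The registry allowlist, the principals and the sample events are all constructed for the example.

```python
"""Flag risky container creations in Kubernetes audit log lines.

Added example, not code from MITRE ATT&CK. Each input line is one
audit.k8s.io/v1 event; completed `create` requests on pods and cronjobs are
checked for untrusted or unpinned images, containers running as root, host
namespace sharing and privileged mode. Registries and samples are constructed.
"""
import json

# Assumption: the only registries this organization deploys from.
TRUSTED_REGISTRIES = ("registry.internal.example/", "ghcr.io/example-org/")


def image_is_trusted(image: str) -> bool:
    """Trusted means an allowlisted registry and a digest pin, so a newly
    built or retagged image is not silently accepted."""
    return image.startswith(TRUSTED_REGISTRIES) and "@sha256:" in image


def runs_as_root(pod_spec: dict, container: dict) -> bool:
    """Container-level securityContext overrides pod-level; with neither set
    the image's USER applies, which is root for most base images."""
    for ctx in (container.get("securityContext") or {},
                pod_spec.get("securityContext") or {}):
        uid = ctx.get("runAsUser")
        if uid is not None:
            return uid == 0
        if ctx.get("runAsNonRoot") is True:
            return False
    return True


def analyze_event(event: dict) -> list:
    """Return (rule, detail) findings for one completed create request."""
    findings = []
    if event.get("verb") != "create" or event.get("stage") != "ResponseComplete":
        return findings
    ref = event.get("objectRef") or {}
    obj = event.get("requestObject") or {}
    user = (event.get("user") or {}).get("username", "?")
    where = f"{ref.get('namespace')}/{ref.get('name')} by {user}"
    if ref.get("resource") == "cronjobs":  # T1053.007 Container Orchestration Job
        findings.append(("T1053.007 scheduled container job created", where))
        pod_spec = (obj.get("spec", {}).get("jobTemplate", {}).get("spec", {})
                    .get("template", {}).get("spec", {}))
    elif ref.get("resource") == "pods":
        pod_spec = obj.get("spec", {})
    else:
        return findings
    if pod_spec.get("hostPID") or pod_spec.get("hostNetwork"):
        findings.append(("T1611 pod shares host namespaces", where))
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        cname = f"{where} container={c.get('name')}"
        if not image_is_trusted(c.get("image", "")):
            findings.append(("T1204.003 untrusted or unpinned image",
                             f"{cname} image={c.get('image')}"))
        if runs_as_root(pod_spec, c):
            findings.append(("T1611 container runs as root", cname))
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(("T1611 privileged container", cname))
    return findings


def scan(lines) -> list:
    """Run analyze_event over newline-delimited JSON audit records."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(analyze_event(json.loads(line)))
    return findings


# Constructed sample events, not from a real cluster.
_BASE = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete"}
SAMPLE_EVENTS = [
    {**_BASE, "verb": "create", "user": {"username": "system:serviceaccount:ci:deployer"},
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "api-7c9"},
     "requestObject": {"spec": {"securityContext": {"runAsNonRoot": True}, "containers": [
         {"name": "api", "image": "registry.internal.example/api@sha256:" + "a" * 64}]}}},
    {**_BASE, "verb": "create", "user": {"username": "dev-alice"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "debug"},
     "requestObject": {"spec": {"hostPID": True, "containers": [
         {"name": "sh", "image": "docker.io/library/alpine:latest",
          "securityContext": {"privileged": True}}]}}},
    {**_BASE, "verb": "create", "user": {"username": "dev-bob"},
     "objectRef": {"resource": "cronjobs", "namespace": "default", "name": "nightly"},
     "requestObject": {"spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [
         {"name": "job", "image": "ghcr.io/example-org/tool@sha256:" + "b" * 64,
          "securityContext": {"runAsUser": 0}}]}}}}}}},
    {**_BASE, "verb": "list", "user": {"username": "dev-alice"},
     "objectRef": {"resource": "pods", "namespace": "default"}},
]
SAMPLE_AUDIT_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_AUDIT_LOG):
        print(f"{rule}: {detail}")
```

Only `ResponseComplete` stages are considered so that requests the admission layer rejected do not produce findings; the same pod spec extraction applies to Jobs and Deployments if you extend the resource check. Treating an absent `securityContext` as root is deliberate: the default for most images is UID 0, and an allowlist of non-root images is the only way to relax that safely.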
Container Enumeration: An extracted list of containers (ex: docker ps)

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1613 | Container and Resource Discovery | Monitor logs for actions that could be taken to gather information about container infrastructure, including the use of discovery API calls by new or unexpected users. Monitor account activity logs to see actions performed and activity associated with the Kubernetes dashboard and other web applications. |
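The T1613 guidance above amounts to three questions about the audit trail: who is enumerating, how widely, and whether the dashboard is being reached. The following is an added example, not code from MITRE ATT&CK: it reads newline-delimited Kubernetes audit events and flags get/list/watch calls on cluster resources by principals outside a baseline, cluster-wide listing of secrets, a single principal sweeping several resource kinds, and access to the Kubernetes dashboard through the API server's service proxy. The baseline principals, the sweep threshold, the assumption that the dashboard is served via the API-server proxy path, and the sample events are all constructed.

```python
"""Detect container and resource discovery (T1613) in Kubernetes audit logs.

Added example, not code from MITRE ATT&CK. Flags get/list/watch calls on
cluster resources by principals outside a baseline, cluster-wide secret
listings, enumeration sweeps across several resource kinds by one principal,
and dashboard access through the API-server service proxy. The baseline,
thresholds and sample events are constructed.
"""
import json
from collections import defaultdict

DISCOVERY_VERBS = {"get", "list", "watch"}
DISCOVERY_RESOURCES = {"pods", "nodes", "namespaces", "secrets", "serviceaccounts",
                       "deployments", "configmaps", "clusterrolebindings"}
# Assumption: principals expected to enumerate the cluster (controllers, SRE).
BASELINE_PRINCIPALS = {"system:kube-controller-manager",
                       "system:serviceaccount:monitoring:prometheus", "sre-carol"}
SWEEP_THRESHOLD = 3  # distinct resource kinds enumerated by one principal


def is_dashboard_proxy(ref: dict) -> bool:
    """Assumes the dashboard is reached via the API server's service proxy,
    i.e. GET .../services/https:kubernetes-dashboard:/proxy/..."""
    return (ref.get("resource") == "services" and ref.get("subresource") == "proxy"
            and "kubernetes-dashboard" in ref.get("name", ""))


def detect_enumeration(lines) -> list:
    """Return (rule, detail) findings over newline-delimited audit records."""
    findings = []
    kinds_seen = defaultdict(set)  # principal -> resource kinds enumerated
    for line in lines:
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue
        ref = ev.get("objectRef") or {}
        user = (ev.get("user") or {}).get("username", "?")
        verb, resource = ev.get("verb"), ref.get("resource")
        scope = ref.get("namespace") or "cluster-wide"
        if is_dashboard_proxy(ref):
            findings.append(("T1613 Kubernetes dashboard accessed via API proxy",
                             f"{user} from {','.join(ev.get('sourceIPs', []))}"))
            continue
        if verb not in DISCOVERY_VERBS or resource not in DISCOVERY_RESOURCES:
            continue
        kinds_seen[user].add(resource)
        detail = f"{user} {verb} {resource} ({scope})"
        if user not in BASELINE_PRINCIPALS:
            findings.append(("T1613 discovery by unexpected principal", detail))
        if resource == "secrets" and verb == "list" and not ref.get("namespace"):
            findings.append(("T1613 cluster-wide secrets listing", detail))
    for user, kinds in kinds_seen.items():
        if len(kinds) >= SWEEP_THRESHOLD and user not in BASELINE_PRINCIPALS:
            findings.append(("T1613 enumeration sweep",
                             f"{user} enumerated {sorted(kinds)}"))
    return findings


# Constructed sample events: a monitoring service account doing its job, a
# default pod service account token used from curl to walk the cluster, and a
# developer opening the dashboard. Not from a real cluster.
_BASE = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete"}
SAMPLE_EVENTS = [
    {**_BASE, "verb": "list", "user": {"username": "system:serviceaccount:monitoring:prometheus"},
     "objectRef": {"resource": "pods", "namespace": "monitoring"}, "sourceIPs": ["10.0.1.5"]},
    {**_BASE, "verb": "list", "user": {"username": "system:serviceaccount:default:default"},
     "objectRef": {"resource": "pods"}, "sourceIPs": ["10.0.2.9"], "userAgent": "curl/8.4.0"},
    {**_BASE, "verb": "list", "user": {"username": "system:serviceaccount:default:default"},
     "objectRef": {"resource": "secrets"}, "sourceIPs": ["10.0.2.9"], "userAgent": "curl/8.4.0"},
    {**_BASE, "verb": "get", "user": {"username": "system:serviceaccount:default:default"},
     "objectRef": {"resource": "nodes", "name": "node-1"}, "sourceIPs": ["10.0.2.9"]},
    {**_BASE, "verb": "get", "user": {"username": "dev-alice"}, "sourceIPs": ["203.0.113.7"],
     "objectRef": {"resource": "services", "namespace": "kubernetes-dashboard",
                   "name": "https:kubernetes-dashboard:", "subresource": "proxy"}},
    {**_BASE, "verb": "create", "user": {"username": "system:serviceaccount:ci:deployer"},
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "api-7c9"}},
]
SAMPLE_AUDIT_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for rule, detail in detect_enumeration(SAMPLE_AUDIT_LOG):
        print(f"{rule}: {detail}")
```

A namespaced `list` carries `objectRef.namespace`; its absence on `pods` or `secrets` means the caller asked across all namespaces, which is the shape `kubectl get ... -A` or a scripted sweep produces. The baseline should be generated from a quiet period rather than typed by hand, and the `userAgent` field (curl versus kubectl versus a controller) is a useful second signal that the example leaves to the reader.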
Container Metadata: Contextual data about a container and activity around it, such as name, ID, image, or status
Container Start: Activation or invocation of a container (ex: docker start or docker restart)

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1610 | Deploy Container | Monitor for activation or invocation of a container that may deploy a container into an environment to facilitate execution or evade defenses. |
| Enterprise | T1204 | User Execution | Monitor for the activation or invocation of a container (ex: docker start or docker restart) that may result from a user executing malicious content. |
| Enterprise | T1204.003 | Malicious Image | Monitor the behavior of containers within the environment to detect anomalous behavior or malicious activity after users deploy from malicious images. |
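On a Docker host the Container Creation and Container Start components both come from the daemon's event stream, so one consumer can correlate them. The following is an added example, not code from MITRE ATT&CK or from Docker: it reads lines shaped like `docker events --format '{{json .}}'` output and flags containers created from images outside an allowlist (T1610), a `start` or `restart` of a container whose `create` was never observed (created out of band or before monitoring began), abnormal exits, and bursts of restarts that suggest a crash-looping or repeatedly relaunched payload (the post-deployment behaviour the T1204.003 row asks for). The image allowlist, the thresholds and the sample events are constructed; the `_ev` helper only builds those samples.

```python
"""Track container create/start/restart events from the Docker event stream.

Added example, not code from MITRE ATT&CK or Docker. Input lines are shaped
like `docker events --format '{{json .}}'` output. Flags creations from
untrusted images, starts with no observed create, abnormal exits and restart
bursts. Allowlist, thresholds and sample events are constructed.
"""
import json
from collections import defaultdict

# Assumption: only this registry is expected to supply running images.
TRUSTED_IMAGE_PREFIXES = ("registry.internal.example/",)
RESTART_BURST = 3       # starts/restarts of one container ...
WINDOW_SECONDS = 300    # ... within this many seconds


def analyze_docker_events(lines) -> list:
    """Return (rule, detail) findings over newline-delimited Docker events."""
    findings = []
    created = set()                 # container IDs whose create we observed
    starts = defaultdict(list)      # container ID -> recent start timestamps
    for line in lines:
        ev = json.loads(line)
        if ev.get("Type") != "container":
            continue                # image pulls, network/volume events, etc.
        actor = ev.get("Actor") or {}
        attrs = actor.get("Attributes") or {}
        cid = actor.get("ID", "")[:12]
        image = attrs.get("image") or ev.get("from", "")
        label = f"{attrs.get('name', '?')} ({cid}) image={image}"
        action, t = ev.get("Action"), int(ev.get("time", 0))
        if action == "create":
            created.add(cid)
            if not image.startswith(TRUSTED_IMAGE_PREFIXES):
                findings.append(("T1610 container created from untrusted image", label))
        elif action in ("start", "restart"):
            if cid not in created:
                findings.append(("T1610 start of container with no observed create", label))
                created.add(cid)    # report once per container
            recent = [x for x in starts[cid] if t - x <= WINDOW_SECONDS] + [t]
            starts[cid] = recent
            if len(recent) == RESTART_BURST:
                findings.append(("T1204.003 restart burst",
                                 f"{label} {RESTART_BURST} starts within {WINDOW_SECONDS}s"))
        elif action == "die" and attrs.get("exitCode", "0") != "0":
            findings.append(("T1204.003 container exited abnormally",
                             f"{label} exitCode={attrs['exitCode']}"))
    return findings


def _ev(action, cid, image, name, t, **attrs):
    """Build one constructed line in the shape of `docker events` JSON output."""
    return json.dumps({"status": action, "id": cid, "from": image, "Type": "container",
                       "Action": action, "scope": "local", "time": t,
                       "Actor": {"ID": cid, "Attributes": {"image": image, "name": name, **attrs}}})


# Constructed sample stream: a trusted web container, a worker that was never
# created through the monitored daemon and keeps crashing and restarting, and
# an ad hoc debug container from a public image. Not captured from a real host.
_WEB = "registry.internal.example/web@sha256:" + "a" * 64
_UBU = "docker.io/library/ubuntu:latest"
SAMPLE_DOCKER_EVENTS = [
    json.dumps({"Type": "image", "Action": "pull", "Actor": {"ID": "alpine:latest"}, "time": 999}),
    _ev("create", "c0ffee000001", _WEB, "web", 1000),
    _ev("start", "c0ffee000001", _WEB, "web", 1001),
    _ev("start", "deadbeef0002", _UBU, "worker", 1002),
    _ev("die", "deadbeef0002", _UBU, "worker", 1010, exitCode="1"),
    _ev("start", "deadbeef0002", _UBU, "worker", 1011),
    _ev("die", "deadbeef0002", _UBU, "worker", 1020, exitCode="1"),
    _ev("restart", "deadbeef0002", _UBU, "worker", 1021),
    _ev("create", "0badf00d0003", "docker.io/library/alpine:latest", "debug", 2000),
    _ev("start", "0badf00d0003", "docker.io/library/alpine:latest", "debug", 2001),
]

if __name__ == "__main__":
    for rule, detail in analyze_docker_events(SAMPLE_DOCKER_EVENTS):
        print(f"{rule}: {detail}")
```

To run this against a live host, replace the sample list with `sys.stdin` and pipe `docker events --format '{{json .}}'` into it; the `created` set then only reflects containers created after the consumer attached, which is exactly why the "no observed create" rule is useful as a prompt to reconcile against `docker ps` (Container Enumeration) rather than as a verdict on its own.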