EXPLORE
← Back to Explore
T1613

Container and Resource Discovery

Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster. These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the en...

Containers
41
Detections
2
Sources
1
Threat Actors

BY SOURCE

40elastic1sigma

PROCEDURES (29)

Lateral3 detections

Auto-extracted: 3 detections for lateral

Service3 detections

Auto-extracted: 3 detections for service

Kubernetes3 detections

Auto-extracted: 3 detections for kubernetes

Token3 detections

Auto-extracted: 3 detections for token

Service2 detections

Auto-extracted: 2 detections for service

Unusual2 detections

Auto-extracted: 2 detections for unusual

Container2 detections

Auto-extracted: 2 detections for container

Privilege2 detections

Auto-extracted: 2 detections for privilege

Kubernetes1 detections

Auto-extracted: 1 detections for kubernetes

Kubernetes1 detections

Auto-extracted: 1 detections for kubernetes

Privilege1 detections

Auto-extracted: 1 detections for privilege

Unusual1 detections

Auto-extracted: 1 detections for unusual

Remote1 detections

Auto-extracted: 1 detections for remote

Token1 detections

Auto-extracted: 1 detections for token

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Token1 detections

Auto-extracted: 1 detections for token

Container1 detections

Auto-extracted: 1 detections for container

Lateral1 detections

Auto-extracted: 1 detections for lateral

Credential1 detections

Auto-extracted: 1 detections for credential

Container1 detections

Auto-extracted: 1 detections for container

Lateral1 detections

Auto-extracted: 1 detections for lateral

Credential1 detections

Auto-extracted: 1 detections for credential

Container1 detections

Auto-extracted: 1 detections for container

Remote1 detections

Auto-extracted: 1 detections for remote

Remote1 detections

Auto-extracted: 1 detections for remote

Unusual1 detections

Auto-extracted: 1 detections for unusual

Privilege1 detections

Auto-extracted: 1 detections for privilege

Unusual1 detections

Auto-extracted: 1 detections for unusual

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

THREAT ACTORS (1)

DETECTIONS (41)

Container Management Utility Execution Detected via Defend for Containers
elasticlow
Container Management Utility Run Inside A Container
elasticlow
Direct Interactive Kubernetes API Request by Common Utilities
elasticmedium
Direct Interactive Kubernetes API Request by Unusual Utilities
elasticlow
Direct Interactive Kubernetes API Request Detected via Defend for Containers
elasticlow
DNS Enumeration Detected via Defend for Containers
elasticlow
Docker Socket Enumeration
elasticmedium
Environment Variable Enumeration Detected via Defend for Containers
elasticlow
Forbidden Direct Interactive Kubernetes API Request
elasticmedium
GitHub Authentication Token Access via Node.js
elasticmedium
GKE API Request Failure Burst by User
elasticmedium
GKE Secrets List from Unusual Source AS Organization
elastichigh
GKE Suspicious Self-Subject Review via Service Account
elasticlow
Interactive Privilege Boundary Enumeration Detected via Defend for Containers
elasticlow
Kubeconfig File Discovery
elasticlow
Kubectl Permission Discovery
elasticmedium
Kubectl Secrets Enumeration Across All Namespaces
elastichigh
Kubelet API Connection Attempt to Internal IP
elasticmedium
Kubelet Certificate File Access Detected via Defend for Containers
elasticlow
Kubelet Pod Discovery Detected via Defend for Containers
elasticlow
Kubernetes API Server Proxying Request to Kubelet
elasticmedium
Kubernetes Denied Service Account Request via Unusual User Agent
elasticlow
Kubernetes Direct API Request via Curl or Wget
elasticmedium
Kubernetes Forbidden Request from Unusual User Agent
elasticmedium
Kubernetes Multi-Resource Discovery
elasticmedium
Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected
elasticmedium
Kubernetes Potential Endpoint Permission Enumeration Attempt Detected
elasticmedium
Kubernetes Potential Enumeration Activity
sigmamedium
Kubernetes Secrets List Across Cluster or Sensitive Namespaces
elastichigh
Kubernetes Service Account Secret Access
elasticmedium
Kubernetes Suspicious Self-Subject Review via Unusual User Agent
elasticlow
Potential Cluster Enumeration via jq Detected via Defend for Containers
elasticlow
Potential Direct Kubelet Access via Process Arguments
elastichigh
Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers
elastichigh
Potential Kubectl Masquerading via Unexpected Process
elasticmedium
Potential Kubeletctl Execution
elasticmedium
Potential Kubeletctl Execution Detected via Defend for Containers
elastichigh
Service Account Namespace Read Detected via Defend for Containers
elasticlow
Service Account Token or Certificate Access Followed by Kubernetes API Request
elasticmedium
Tool Enumeration Detected via Defend for Containers
elasticlow
Unusual Process Connection to Docker or Containerd Socket
elasticmedium