Container Residence Discovery Via Proc Virtual FS

Rule Info

Name
Container Residence Discovery Via Proc Virtual FS
Author
Seth Hanford
Description
Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
Reference
https://blog.skyplabs.net/posts/container-detection/
Date
2023-08-23 00:00:00
Modified
None
Id
746c86fb-ccda-4816-8997-01386263acc4
Tags
attack.discovery attack.t1082 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=746c86fb-ccda-4816-8997-01386263acc4

Rule History

Author
Title
Date
Commit
SethHanford
Merge PR #4380 from @SethHanford - Lnx container discovery
2023-08-24
df4fa62bc
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022