Container Enumeration (91b3ed33-d1b5-4c4b-a896-76c55eb3cfd8)
"Container Enumeration" data component captures events and actions related to listing and identifying active or available containers within a containerized environment. This includes information about running, stopped, or configured containers, such as their names, IDs, statuses, or associated images. Monitoring this activity is crucial for detecting unauthorized discovery or reconnaissance efforts. Examples:
- Docker Example:
docker ps,docker ps -a - Kubernetes Example:
kubectl get pods,kubectl get deployments - Cloud Container Services Example
- AWS ECS: API Call: ListTasks or ListContainers
- Azure Kubernetes Service: API Call: List pod or container instances.
- Google Kubernetes Engine (GKE): API Call: Retrieve deployments and their associated containers.
This data component can be collected through the following measures:
- Docker Audit Logging: Enable Docker daemon logging to capture enumeration commands. Use tools like auditd to monitor terminal activity involving docker ps or similar commands.
- Kubernetes Audit Logs: Enable Kubernetes API server audit logging. Capture events where users query resources such as pods, deployments, or services.
- Cloud Provider Logs
- AWS CloudTrail: Enable logging for API calls like ListTasks or DescribeTasks.
- Azure Monitor: Enable activity logging to track container-related queries.
- GCP Cloud Logging: Track API events involving container enumerations or deployments.
- SIEM Integration: Collect logs from Docker, Kubernetes, and cloud services for centralized analysis.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Container Enumeration (91b3ed33-d1b5-4c4b-a896-76c55eb3cfd8) | mitre-data-component | Container and Resource Discovery - T1613 (0470e792-32f8-46b0-a351-652bc35e9336) | Attack Pattern | 1 |