Detectionlowtest
Potential Container Discovery Via Inodes Listing
Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
LinuxProcess Creation
ProductLinux← raw: linux
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic4 selectors
detection:
selection_ls_img:
Image|endswith: '/ls' # inode outside containers low, inside high
selection_ls_cli:
- CommandLine|endswith: ' /'
- CommandLine|contains: ' / '
selection_regex_inode:
CommandLine|re: '(?:\s-[^-\s]{0,20}i|\s--inode\s)' # -i finds inode number
selection_regex_dir:
CommandLine|re: '(?:\s-[^-\s]{0,20}d|\s--directory\s)' # -d gets directory itself, not contents
condition: all of selection_*False Positives
Legitimate system administrator usage of these commands
Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
43e26eb5-cd58-48d1-8ce9-a273f5d298d8
Status
test
Level
low
Type
Detection
Created
Wed Aug 23
Modified
Mon Nov 24
Author
Path
rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml
Raw Tags
attack.discoveryattack.t1082