Container Monitoring

​

Monitoring Events

• BPF Program Not Profiled
• Directory traversal monitored file read
• Read sensitive file trusted after startup
• Read sensitive file untrusted
• Run shell untrusted
• System user interactive
• Terminal shell in container
• Contact K8S API Server From Container
• Netcat Remote Code Execution in Container
• Search Private Keys or Passwords
• Clear Log Activities
• Remove Bulk Data from Disk
• Create Symlink Over Sensitive Files
• Create Hardlink Over Sensitive Files
• Packet socket created in container
• Redirect STDOUT or STDIN to Network Connection in Container
• Linux Kernel Module Injection Detected
• Debugfs Launched in Privileged Container
• Detect release_agent File Container Escapes
• PTRACE attached to process
• PTRACE anti-debug attempt
• Find AWS Credentials
• Execution from shm directory in dev directory
• Drop and execute new binary in container
• Disallowed SSH Connection Non Standard Port
• Unexpected inbound connection source
• Read Shell Configuration File
• Update Package Repository
• Write below binary dir
• Write below monitored dir
• Write below etc
• Write below root
• Write below rpm database
• Modify binary dirs
• Mkdir binary dirs
• Launch Sensitive Mount Container
• Launch Disallowed Container
• Interpreted procs inbound network activity
• Unexpected K8s NodePort Connection
• Create Hidden Files or Directories
• Detect outbound connections to common miner pool ports
• Detect crypto miners using the Stratum protocol
• The docker client is executed in a container
• Container Drift Detected (chmod)
• Container Drift Detected (open+create)
• Container Run as Root User
• Sudo Potential Privilege Escalation
• Unprivileged Delegation of Page Faults Handling to a Userspace Process
• Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
• Java Process Class File Download
• Modify Container Entrypoint
• Decoding Payload in Container
• Modify Shell Configuration File
• Schedule Cron Jobs
• Read ssh information
• DB program spawned process
• Change thread namespace
• Launch Privileged Container
• Launch Excessively Capable Container
• System procs network activity
• Program run with disallowed http proxy env
• Unexpected UDP Traffic
• Non sudo setuid
• User mgmt binaries
• Create files below dev
• Contact EC2 Instance Metadata Service From Container
• Contact cloud metadata service from container
• Launch Package Management Process in Container
• Launch Suspicious Network Tool in Container
• Launch Suspicious Network Tool on Host
• Delete or rename shell history
• Set Setuid or Setgid bit
• Launch Remote File Copy Tools in Container
• Network Connection outside Local Subnet
• Mount Launched in Privileged Container
• Launch Ingress Remote File Copy Tools in Container
• Read environment variable from proc files
• Exfiltrating Artifacts via Kubernetes Control Plane
• Fileless execution via memfd_create
• Adding ssh keys to authorized_keys
• Backdoored library loaded into SSHD (CVE-2024-3094)
• Basic Interactive Reconnaissance
• Change namespace privileges via unshare
• Disallowed SSH Connection
• Execution from dev shm
• Kubernetes Client Tool Launched in Container
• Outbound Connection to C2 Servers
• Outbound or Inbound Traffic not to Authorized Server Process and Port
• Potential Local Privilege Escalation via Environment Variables Misuse
• Redirect STDOUT STDIN to Network Connection in Container
• Unexpected outbound connection destination