atomic-red-team/atomics/T1613/T1613.md

# T1613 - Container and Resource Discovery

## Description from ATT&CK

> Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.
> 
> These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution.

[Source](https://attack.mitre.org/techniques/T1613)

## Atomic Tests

- [Atomic Test #1: Docker Container and Resource Discovery](#atomic-test-1-docker-container-and-resource-discovery)
- [Atomic Test #2: Podman Container and Resource Discovery](#atomic-test-2-podman-container-and-resource-discovery)

### Atomic Test #1: Docker Container and Resource Discovery

Adversaries may attempt to discover containers and other resources that are available within a containers environment.

**Supported Platforms:** Containers

**auto_generated_guid:** `ea2255df-d781-493b-9693-ac328f9afc3f`

#### Attack Commands: Run with `sh`!

```sh
docker build -t t1613 $PathtoAtomicsFolder/T1613/src/
docker run --name t1613_container --rm -d -t t1613
docker ps
docker stats --no-stream
docker inspect $(docker ps -l -q --filter ancestor=t1613)
```

#### Cleanup Commands

```sh
docker stop t1613_container
docker rmi -f t1613
```

#### Dependencies: Run with `sh`!

##### Description: Verify Docker is installed.

###### Check Prereq Commands

```sh
which docker
```

###### Get Prereq Commands

```sh
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
```

##### Description: Verify Docker service is running.

###### Check Prereq Commands

```sh
sudo systemctl status docker --no-pager
```

###### Get Prereq Commands

```sh
sudo systemctl start docker
```

### Atomic Test #2: Podman Container and Resource Discovery

Adversaries may attempt to discover containers and other resources that are available within a containers environment.

**Supported Platforms:** Containers

**auto_generated_guid:** `fc631702-3f03-4f2b-8d8a-6b3d055580a1`

#### Attack Commands: Run with `sh`!

```sh
podman build -t t1613 $PathtoAtomicsFolder/T1613/src/
podman run --name t1613_container --rm -d -t t1613
podman ps
podman stats --no-stream
podman inspect $(podman ps -l -q --filter ancestor=t1613)
```

#### Cleanup Commands

```sh
podman stop t1613_container
podman rmi -f t1613
```

#### Dependencies: Run with `sh`!

##### Description: Verify Podman is installed.

###### Check Prereq Commands

```sh
which podman
```

###### Get Prereq Commands

```sh
if [ "" == "`which podman`" ]; then echo "Podman Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install podman ; elif [ -n "`which yum`" ]; then sudo yum -y install podman ; elif [ -n "`which pacman`" ]; then sudo pacman -Sy podman --noconfirm ; elif [ -n "`which brew`" ]; then brew install podman ; else echo "Unsupported package manager"; fi ; else echo "Podman installed"; fi
```

##### Description: Verify Podman service is running.

###### Check Prereq Commands

```sh
sudo systemctl status podman --no-pager
```

###### Get Prereq Commands

```sh
sudo systemctl start podman
```