Merge PR #4380 from @SethHanford - Lnx container discovery

new: Container Residence Discovery Via Proc Virtual FS
new: Docker Container Discovery Via Dockerenv Listing
new: Potential Container Discovery Via Inodes Listing

---------

Co-authored-by: Seth Hanford <shanford@seth-mba.local>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml

@@ -0,0 +1,38 @@
+title: Container Residence Discovery Via Proc Virtual FS
+id: 746c86fb-ccda-4816-8997-01386263acc4
+status: experimental
+description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
+references:
+    - https://blog.skyplabs.net/posts/container-detection/
+    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
+tags:
+    - attack.discovery
+    - attack.t1082
+author: Seth Hanford
+date: 2023/08/23
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_tools:
+        Image|endswith:
+            - 'awk'
+            - '/cat'
+            - 'grep'
+            - '/head'
+            - '/less'
+            - '/more'
+            - '/nl'
+            - '/tail'
+    selection_procfs_kthreadd:  # ouside containers, PID 2 == kthreadd
+        CommandLine|contains: '/proc/2/'
+    selection_procfs_target:
+        CommandLine|contains: '/proc/'
+        CommandLine|endswith:
+            - '/cgroup'  # cgroups end in ':/' outside containers
+            - '/sched'   # PID mismatch when run in containers
+    condition: selection_tools and 1 of selection_procfs_*
+falsepositives:
+    - Legitimate system administrator usage of these commands
+    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
+level: low

rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml

@@ -0,0 +1,32 @@
+title: Docker Container Discovery Via Dockerenv Listing
+id: 11701de9-d5a5-44aa-8238-84252f131895
+status: experimental
+description: Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery
+references:
+    - https://blog.skyplabs.net/posts/container-detection/
+    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
+tags:
+    - attack.discovery
+    - attack.t1082
+author: Seth Hanford
+date: 2023/08/23
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        Image|endswith:
+            # Note: add additional tools and utilities to increase coverage
+            - '/cat'
+            - '/dir'
+            - '/find'
+            - '/ls'
+            - '/stat'
+            - '/test'
+            - 'grep'
+        CommandLine|endswith: '.dockerenv'
+    condition: selection
+falsepositives:
+    - Legitimate system administrator usage of these commands
+    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
+level: low

rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml

@@ -0,0 +1,28 @@
+title: Potential Container Discovery Via Inodes Listing
+id: 43e26eb5-cd58-48d1-8ce9-a273f5d298d8
+status: experimental
+description: Detects listing of the inodes of the "/" directory to determin if the we are running inside of a container.
+references:
+    - https://blog.skyplabs.net/posts/container-detection/
+    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
+tags:
+    - attack.discovery
+    - attack.t1082
+author: Seth Hanford
+date: 2023/08/23
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        # inode outside containers low, inside high
+        Image|endswith: '/ls'
+        CommandLine|contains|all:
+            - ' -*i'              # -i finds inode number
+            - ' -*d'              # -d gets directory itself, not contents
+        CommandLine|endswith: ' /'
+    condition: selection
+falsepositives:
+    - Legitimate system administrator usage of these commands
+    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
+level: low