create container

edit on GitHub
search on VirusTotal
rule:
  meta:
    name: create container
    namespace: host-interaction/container/docker
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Execution::Deploy Container [T1610]
    references:
      - https://docs.docker.com/engine/api/v1.24/
  features:
    - or:
      - string: /^docker(\.exe)? create/
      - string: /^docker(\.exe)? start/
      - and:
        - match: send HTTP request
        - string: /\/v1\.[0-9]{1,2}\/containers\/create/
          description: docker API endpoint, e.g., /v1.24/containers/create
      - and:
        - match: send HTTP request
        - string: /\/v1\.[0-9]{1,2}\/containers\/[0-9a-fA-F]+\/start/
          description: docker API endpoint, e.g., /v1.24/containers/e90e34656806/start
last edited: 2023-11-24 10:35:00