
Potential Container Discovery Via Inodes Listing

Sigma Rules

Summary
This rule flags a common way of checking whether a process is running inside a container: listing the inode number of the root directory ('/') on Linux. On a host's own root filesystem the root directory has a small, well-known inode number (2 on ext4), whereas inside a container whose root is an overlay or bind-mounted directory it is typically a large, arbitrary number, so a single `ls -di /` gives a quick answer. The detection looks for process creation events where the Image name ends with 'ls' and the CommandLine contains both the '-i' (print inode number) and '-d' (list the directory itself rather than its contents) options and ends with a space followed by '/'. The same command has ordinary administrative uses, and the rule's false-positive section names two sources that will need filtering in deployment: legitimate administrator usage, and container tools or deployments that perform this check natively to decide how to proceed. Matches are a cheap early indicator of reconnaissance by an actor who has landed in a containerized environment and wants to know where they are before going further.
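As an added illustration of the selection logic described above (example code, not the Sigma rule itself or anything from the Sigma project), the following Python encodes the Image, option and trailing-'/' checks and runs them over a handful of constructed process-creation events. The `image`/`command_line` field names, the `/ls` basename check and the sample events are assumptions of this example. The two matchers differ only in how the '-i'/'-d' test treats clustered short options, which is the practical caveat: a plain substring test for '-i' and '-d' never sees the most common form, `ls -di /`.

```python
"""Matcher for the 'Potential Container Discovery Via Inodes Listing' selection.

Example code written for this page; it is not the Sigma rule and the event
field names (image, command_line) are an assumption.
"""
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation event: executable path and full command line."""
    image: str
    command_line: str


def short_option_letters(command_line: str) -> set:
    """Return the letters found in clustered short options such as -di, -i or -dil.

    Long options (--inode) and positional arguments (the '/' target) are ignored.
    """
    try:
        tokens = shlex.split(command_line)
    except ValueError:                     # unbalanced quotes: fall back to plain split
        tokens = command_line.split()
    letters = set()
    for tok in tokens[1:]:                 # skip argv[0]
        if tok.startswith("-") and not tok.startswith("--") and len(tok) > 1:
            letters.update(tok[1:])
    return letters


def _image_and_target_match(ev: ProcessEvent) -> bool:
    # '/ls' rather than a bare 'ls' suffix: the latter would also match /usr/bin/tools.
    return ev.image.endswith("/ls") and ev.command_line.endswith(" /")


def matches_substring_rule(ev: ProcessEvent) -> bool:
    """Literal reading of the summary: '-i' and '-d' tested as plain substrings."""
    cl = ev.command_line
    return _image_and_target_match(ev) and "-i" in cl and "-d" in cl


def matches_flag_aware_rule(ev: ProcessEvent) -> bool:
    """Same selection, but -i and -d may be clustered with each other or with other flags."""
    return _image_and_target_match(ev) and {"i", "d"} <= short_option_letters(ev.command_line)


# Constructed sample events (not captured logs); comments say why each should or should not fire.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/ls", "ls -di /"),                 # the classic check
    ProcessEvent("/usr/bin/ls", "ls -id /"),                 # same flags, other order
    ProcessEvent("/usr/bin/ls", "ls -i -d /"),               # flags given separately
    ProcessEvent("/usr/bin/ls", "/usr/bin/ls -dil /"),       # extra -l, full path as argv[0]
    ProcessEvent("/usr/bin/ls", "ls -la /"),                 # ordinary listing of /
    ProcessEvent("/usr/bin/ls", "ls -i /"),                  # inodes of the children, not of / itself
    ProcessEvent("/usr/bin/ls", "ls -di /var/lib/docker"),   # not the root directory
    ProcessEvent("/usr/bin/tools", "tools -i -d /"),         # image basename is not ls
]


def scan(events, matcher) -> list:
    """Return the command lines of the events the given matcher flags, in input order."""
    return [ev.command_line for ev in events if matcher(ev)]


if __name__ == "__main__":
    for name, matcher in (("substring", matches_substring_rule),
                          ("flag-aware", matches_flag_aware_rule)):
        print(f"{name:10s} -> {scan(SAMPLE_EVENTS, matcher)}")
```

Run against the samples, the flag-aware matcher flags the first four events and the substring matcher only `ls -i -d /`; whichever way the real rule's modifiers are written in your backend, it is worth confirming with exactly this kind of replay that `ls -di /` fires before relying on the rule.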
Categories
  • Linux
  • Containers
Data Sources
  • Process
Created: 2023-08-23