
Container Residence Discovery Via Proc Virtual FS

Summary
This detection rule identifies potential container discovery activity by examining specific kernel features exposed in the Linux "/proc" virtual filesystem. Attackers may use tools such as awk, cat, or grep to gather information about the processes and containers running on a host. The rule triggers when a process is executed with a command line that references the "/proc" filesystem, particularly the cgroup and sched files. Because system administrators run the same commands legitimately, expected false positives include routine administrative activity and benign container management tools. The detection focuses on the command-line arguments passed to process executions, looking for patterns that indicate the process is running inside a container.
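As an added illustration of the logic the summary describes (not the published Sigma rule itself), the following Python matcher flags process command lines that read the cgroup or sched files under /proc, run over a constructed batch of process-creation events; the regular expression and the sample command lines are assumptions made here for the example.

```python
import re

# Added example written from the rule summary above; it is not the published
# Sigma rule. The /proc file names come from the summary; the events are constructed.

# A command line that reads /proc/<pid>/cgroup or /proc/<pid>/sched. The pid
# component is left open because /proc/self, /proc/1 and /proc/<n> are all common.
PROC_DISCOVERY = re.compile(r"/proc/[^\s]*?/(?:cgroup|sched)(?=\s|$)")


def is_container_discovery(command_line: str) -> bool:
    """True when the command line references a cgroup or sched file under /proc."""
    return PROC_DISCOVERY.search(command_line) is not None


def find_discovery_commands(command_lines):
    """Reduce a batch of process-creation command lines to the ones the rule would flag.

    Every hit is a candidate for review, not a verdict: the summary notes that
    administrators and container management tools produce the same command lines.
    """
    return [cmd for cmd in command_lines if is_container_discovery(cmd)]


# Constructed process-creation events, as a log pipeline would hand them to the rule.
SAMPLE_COMMAND_LINES = [
    "cat /proc/1/cgroup",                       # cgroup read, typical container check
    "grep -qi docker /proc/self/cgroup",        # same file, grep variant
    "head -n 1 /proc/1/sched",                  # sched read on pid 1
    "awk -F: '{print $3}' /proc/self/cgroup",   # admin inventory script: expected false positive
    "cat /proc/cpuinfo",                        # /proc read, but not cgroup or sched
    "ls -la /etc/kubernetes/manifests",         # unrelated process event
]

if __name__ == "__main__":
    for cmd in find_discovery_commands(SAMPLE_COMMAND_LINES):
        print("container discovery candidate:", cmd)
```

The fourth sample line is flagged on purpose: it shows the administrative usage the rule cannot distinguish from reconnaissance, which is why the hits are handed to an analyst rather than auto-blocked.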
Categories
  • Linux
  • Containers
Data Sources
  • Process
  • Command
Created: 2023-08-23