Container breakout attempt using Docker socket

Classification:

attack

Tactic:

TA0007-discovery

Technique:

T1613-container-and-resource-discovery

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect container breakouts that are abusing access to a Docker socket exposed inside a container. Container breakouts remove some or all isolation from a container, enabling an attacker to access the underlying host.

Strategy

Monitor process activity inside containers for executions of curl targeting a local Docker socket.

Triage and response

  1. Inspect the process arguments to understand the purpose of the command. Adversaries may abuse this access to run privileged containers.
  2. If the activity is unexpected, isolate the host to prevent further compromise.
  3. Review related signals and Docker logs to establish a timeline.
  4. Find and repair the root cause.

Requires Agent version 7.28 or later.