Container breakout attempt using Docker socket


Goal

Detect container breakouts that abuse a Docker socket exposed (for example, bind-mounted) inside a container. A container breakout removes some or all of a container's isolation, enabling an attacker to reach the underlying host.

Strategy

Monitor process activity inside containers for executions of curl that target a local Docker socket (commonly /var/run/docker.sock). A process that can reach the daemon's socket can drive the Docker Engine API with the daemon's privileges, so such a request from inside a container is a strong signal.

Triage and response

  1. Inspect the process arguments (the socket path, the target API endpoint and any request body) to understand the purpose of the command. Adversaries may abuse this access to run privileged containers.
  2. If the activity is unexpected, isolate the affected host to prevent further compromise.
  3. Review related signals and Docker daemon logs to establish a timeline.
  4. Find and repair the root cause, for example by removing the Docker socket mount from the container's configuration.
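As an added example (not Datadog's rule implementation), the following Python sketches the detection described under Strategy and the argument inspection asked for in triage step 1. It runs over a handful of constructed process-execution events: the `ExecEvent` shape, the field names and the sample commands are assumptions made for this illustration, not real telemetry. It flags a curl run inside a container that is pointed at a unix socket named docker.sock, extracts the Docker Engine API path, and, when a JSON request body is present, checks for `HostConfig.Privileged` and host-root bind mounts so the triage output says how dangerous the request was.

```python
"""Added example: flag curl invocations inside a container that talk to a
local Docker socket. The event shape and sample data below are constructed
for this illustration (assumption), not Datadog telemetry."""
import json
import posixpath
from dataclasses import dataclass, field
from typing import List, Optional

# Socket file names treated as "a Docker socket", regardless of mount path.
DOCKER_SOCKET_NAMES = {"docker.sock"}


@dataclass
class ExecEvent:
    container_id: Optional[str]  # None means the process ran on the host itself
    argv: List[str]


@dataclass
class Finding:
    container_id: str
    socket_path: str
    api_path: str
    privileged: bool
    host_binds: List[str] = field(default_factory=list)


def _socket_path(argv: List[str]) -> Optional[str]:
    """Return the unix socket curl was pointed at (both flag spellings), or None."""
    flags = ("--unix-socket", "--abstract-unix-socket")
    for i, a in enumerate(argv):
        if a in flags and i + 1 < len(argv):
            return argv[i + 1]
        for f in flags:
            if a.startswith(f + "="):
                return a.split("=", 1)[1]
    return None


def _request_body(argv: List[str]) -> Optional[str]:
    """Return the body passed with -d/--data*/--json, or None."""
    flags = ("-d", "--data", "--data-raw", "--data-binary", "--json")
    for i, a in enumerate(argv):
        if a in flags and i + 1 < len(argv):
            return argv[i + 1]
        for f in flags[1:]:
            if a.startswith(f + "="):
                return a[len(f) + 1:]
    return None


def _api_path(argv: List[str]) -> str:
    """Return the URL path; the host part is a placeholder for unix sockets."""
    for a in argv[1:]:
        if a.startswith(("http://", "https://")):
            rest = a.split("://", 1)[1]
            slash = rest.find("/")
            return rest[slash:] if slash >= 0 else "/"
    return ""


def inspect_event(ev: ExecEvent) -> Optional[Finding]:
    """Apply the rule to one exec event; return a Finding or None."""
    if ev.container_id is None or not ev.argv:
        return None  # only process activity inside containers is in scope
    if posixpath.basename(ev.argv[0]) != "curl":
        return None
    sock = _socket_path(ev.argv)
    if sock is None or posixpath.basename(sock) not in DOCKER_SOCKET_NAMES:
        return None
    privileged, binds = False, []
    body = _request_body(ev.argv)
    if body:
        try:
            host_cfg = json.loads(body).get("HostConfig", {})
            privileged = bool(host_cfg.get("Privileged", False))
            # A bind whose source is "/" mounts the host root filesystem.
            binds = [b for b in host_cfg.get("Binds", []) if b.startswith("/:")]
        except (ValueError, AttributeError):
            pass  # body was not a JSON object; still report the socket access
    return Finding(ev.container_id, sock, _api_path(ev.argv), privileged, binds)


def scan(events: List[ExecEvent]) -> List[Finding]:
    return [f for f in (inspect_event(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ExecEvent("c1", ["curl", "-s", "--unix-socket", "/var/run/docker.sock",
                     "http://localhost/containers/json"]),
    ExecEvent("c1", ["/usr/bin/curl", "--unix-socket=/host/run/docker.sock", "-X", "POST",
                     "-H", "Content-Type: application/json",
                     "-d", '{"Image":"alpine","HostConfig":{"Privileged":true,"Binds":["/:/host"]}}',
                     "http://localhost/containers/create"]),
    ExecEvent("c2", ["curl", "https://example.com/"]),  # ordinary outbound curl
    ExecEvent(None, ["curl", "--unix-socket", "/var/run/docker.sock",
                     "http://localhost/version"]),  # ran on the host, out of scope
    ExecEvent("c3", ["wget", "http://localhost/"]),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the two events from container `c1` are reported; the second one carries `privileged=True` and a host-root bind, which is exactly the detail step 1 asks a responder to pull out before deciding whether to isolate the host.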

Requires Agent version 7.28 or later.