Container breakout attempt using container management socket
What happened
The process {{ @process.comm }} was used to access a container management socket from inside a container, potentially to deploy a new container and escape isolation.
Goal
Detect container breakouts that are abusing access to a container management socket, such as docker.sock, exposed inside a container. Actors will have access to the socket to deploy misconfigured containers that can be used to break out to the host. Container breakouts remove some or all isolation from a container, enabling an attacker to access the underlying host.
Strategy
Monitor process activity inside containers for executions of curl targeting a local socket associated with container management tools such as Docker. A signal is only generated when the request is utilizing the create API action to deploy a new container.
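The detection logic described above, written out as an added example over constructed process events. This is illustrative code, not Datadog's rule implementation: the `ProcessEvent` shape, the sample command lines, and the `find_alerts` helper are assumptions made for the example. It flags a curl execution inside a container only when the command points `--unix-socket` at a management socket (docker.sock, as named on this page) and the requested URL hits the Docker Engine API's `/containers/create` endpoint; listing containers through the same socket, or the same request from the host, does not generate a signal.

```python
import os
import re
import shlex
from dataclasses import dataclass


# Hypothetical event shape, constructed for this example (not Datadog's schema).
@dataclass
class ProcessEvent:
    comm: str           # process name as reported by the kernel, e.g. "curl"
    cmdline: str        # full command line as a single string
    in_container: bool  # True when the process ran inside a container


# Socket file names treated as container management sockets.
# docker.sock is the one named on the page; extend this tuple for other runtimes.
MANAGEMENT_SOCKETS = ("docker.sock",)

# Docker Engine API container-create endpoint, with or without a version prefix
# (e.g. /containers/create or /v1.41/containers/create?name=x).
CREATE_PATH = re.compile(r"/containers/create(?:\?|$)")


def unix_socket_arg(argv):
    """Return the path given to curl's --unix-socket option, or None if absent."""
    for i, tok in enumerate(argv):
        if tok == "--unix-socket" and i + 1 < len(argv):
            return argv[i + 1]
        if tok.startswith("--unix-socket="):
            return tok.split("=", 1)[1]
    return None


def is_breakout_attempt(event):
    """True when a curl inside a container targets a management socket's create endpoint."""
    if not event.in_container or event.comm != "curl":
        return False
    try:
        argv = shlex.split(event.cmdline)
    except ValueError:
        return False  # unparseable command line; leave it to other rules
    sock = unix_socket_arg(argv)
    if sock is None or os.path.basename(sock) not in MANAGEMENT_SOCKETS:
        return False
    # Only the create action deploys a new container; any other path is out of scope.
    return any(CREATE_PATH.search(tok) for tok in argv if tok != sock)


def find_alerts(events):
    """Return the command lines of all events that should generate a signal."""
    return [e.cmdline for e in events if is_breakout_attempt(e)]


# Constructed sample events for the example; none are real captured data.
SAMPLE_EVENTS = [
    # Create request through docker.sock from inside a container: signal.
    ProcessEvent(
        comm="curl",
        cmdline="""curl --unix-socket /var/run/docker.sock -X POST -H "Content-Type: application/json" -d '{"Image":"alpine"}' http://localhost/v1.41/containers/create""",
        in_container=True,
    ),
    # Same socket, but only listing containers: no signal.
    ProcessEvent(
        comm="curl",
        cmdline="curl --unix-socket /var/run/docker.sock http://localhost/containers/json",
        in_container=True,
    ),
    # Ordinary outbound curl with no socket involved: no signal.
    ProcessEvent(comm="curl", cmdline="curl -s https://example.com/", in_container=True),
    # Create request issued on the host rather than inside a container: out of scope.
    ProcessEvent(
        comm="curl",
        cmdline="curl --unix-socket=/var/run/docker.sock -X POST http://localhost/containers/create",
        in_container=False,
    ),
]


if __name__ == "__main__":
    for cmd in find_alerts(SAMPLE_EVENTS):
        print("signal:", cmd)
```

The check deliberately keys on the request path rather than on the HTTP method, because curl infers POST from `-d`/`--data` even when `-X POST` is absent; anchoring on `/containers/create` keeps the rule narrow without missing that form.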
Triage and response
- Inspect the process arguments to understand the purpose of the command. Adversaries may abuse this access to run privileged containers.
- If the activity is unexpected, isolate the host to prevent further compromise.
- Review related signals and management API logs to establish a timeline.
- Find and repair the root cause.
Requires Agent version 7.28 or later.