Container breakout attempt using container management socket
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
What happened
The process {{ @process.comm }} was used to access a container management socket from inside a container, potentially to deploy a new container and escape isolation.
Goal
Detect container breakouts that are abusing access to a container management socket, such as docker.sock, exposed inside a container. Actors will have access to the socket to deploy misconfigured containers that can be used to break out to the host. Container breakouts remove some or all isolation from a container, enabling an attacker to access the underlying host.
Strategy
Monitor process activity inside containers for executions of curl targeting a local socket associated with container management tools such as Docker. A signal is only generated when the request is utilizing the create API action to deploy a new container.
Triage and response
- Inspect the process arguments to understand the purpose of the command. Adversaries may abuse this access to run privileged containers.
- If the activity is unexpected, isolate the host to prevent further compromise.
- Review related signals and management API logs to establish a timeline.
- Find and repair the root cause.
Requires Agent version 7.28 or later.
