Container breakout attempt using Docker socket


Goal

Detect container breakouts that abuse access to a Docker socket exposed inside a container. An adversary with access to the socket can deploy misconfigured containers that are then used to break out to the host. Container breakouts remove some or all of a container's isolation, giving an attacker access to the underlying host.

Strategy

Monitor process activity inside containers for executions of curl that target a local Docker socket and use the create API action to deploy a new container.

Triage and response

  1. Inspect the process arguments to understand the purpose of the command. Adversaries may abuse this access to run privileged containers.
  2. If the activity is unexpected, isolate the host to prevent further compromise.
  3. Review related signals and Docker logs to establish a timeline.
  4. Find and repair the root cause.
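An added example, not part of Datadog's rule or documentation, of the strategy above in Python: it flags curl executions that combine a local Docker socket path with the create API action and, to support step 1 of the triage, notes whether an inline request body asks for a privileged container. The event field names and the sample process events are constructed assumptions.

```python
import os
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample process events (not real telemetry). Each mimics the
# fields a container-aware agent exposes for a process execution.
SAMPLE_EVENTS = [
    {"pid": 4021, "container_id": "c0ffee01", "args": [
        "curl", "--unix-socket", "/var/run/docker.sock", "-X", "POST",
        "-H", "Content-Type: application/json",
        "-d", '{"Image":"alpine","HostConfig":{"Privileged":true}}',
        "http://localhost/containers/create"]},
    {"pid": 4022, "container_id": "c0ffee01", "args": [
        "curl", "--unix-socket", "/var/run/docker.sock", "http://localhost/version"]},
    {"pid": 4023, "container_id": "c0ffee02", "args": [
        "/usr/bin/curl", "-s", "https://example.com/health"]},
    {"pid": 4024, "container_id": "c0ffee03", "args": [
        "/usr/bin/curl", "--unix-socket=/var/run/docker.sock", "-XPOST",
        "-d", "@/tmp/body.json", "http://localhost/containers/create"]},
]

CREATE_RE = re.compile(r"/containers/create(\?|$)")
PRIVILEGED_RE = re.compile(r'"Privileged"\s*:\s*true', re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    container_id: str
    privileged_hint: bool  # True only when an inline body requests a privileged container


def analyze_process(event: dict) -> Optional[Finding]:
    """Flag a curl execution that talks to a Docker socket and calls the create API.
    Returns None for anything else (other tools, other endpoints, remote URLs)."""
    args = event.get("args") or []
    if not args or os.path.basename(args[0]) != "curl":
        return None
    talks_to_socket = any("docker.sock" in a for a in args)
    hits_create = any(CREATE_RE.search(a) for a in args)
    if not (talks_to_socket and hits_create):
        return None
    # The body is only visible when passed inline; "-d @file" hides it, so the
    # hint stays False and the analyst must retrieve the file during triage.
    privileged = any(PRIVILEGED_RE.search(a) for a in args)
    return Finding(event["pid"], event["container_id"], privileged)


def scan(events) -> list:
    """Run the check over a batch of process events and keep only the findings."""
    return [f for f in (analyze_process(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The `/version` call is deliberately not flagged: socket access alone is a misconfiguration worth fixing, but the rule keys on the create action that actually deploys a container.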

Requires Agent version 7.28 or later.
