Container breakout attempt using Docker socket
Goal
Detect container breakouts that abuse access to a Docker socket exposed inside a container. An actor with access to the socket can deploy deliberately misconfigured containers that are then used to break out to the host. Container breakouts remove some or all of a container's isolation, enabling an attacker to access the underlying host.
Strategy
Monitor process activity inside containers for executions of curl targeting a local Docker socket and utilizing the create API action to deploy a new container.
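As an added illustration of that matching logic (example code, not part of the original rule), the following Python checks recorded process command lines for curl invocations that point --unix-socket at a docker.sock path and request the /containers/create endpoint. The sample events and the event shape (container id, command line) are constructed assumptions.

```python
import re
import shlex
from typing import List, Optional, Sequence, Tuple

# Constructed sample process events: (container_id, command line) as a
# process monitor might record them. Not taken from the original page.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("c1", "curl --unix-socket /var/run/docker.sock -X POST http://localhost/containers/create"),
    ("c2", "curl -s https://example.com/healthz"),
    ("c3", "curl --unix-socket /var/run/docker.sock http://localhost/containers/json"),
    ("c4", "/usr/bin/curl --unix-socket=/run/docker.sock -XPOST -d @spec.json http://x/v1.41/containers/create"),
]

DOCKER_SOCKET_RE = re.compile(r"docker\.sock$")
# Matches the create endpoint with or without an API version prefix or query string.
CREATE_PATH_RE = re.compile(r"/containers/create(\?|$)")


def is_curl(argv: Sequence[str]) -> bool:
    """True when the executable name (ignoring its directory) is curl."""
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == "curl"


def socket_path(argv: Sequence[str]) -> Optional[str]:
    """Return the socket given via --unix-socket / --abstract-unix-socket, if any."""
    for i, arg in enumerate(argv):
        if arg in ("--unix-socket", "--abstract-unix-socket") and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(("--unix-socket=", "--abstract-unix-socket=")):
            return arg.split("=", 1)[1]
    return None


def targets_create(argv: Sequence[str]) -> bool:
    """True when any non-option argument (the URL) addresses /containers/create."""
    return any(CREATE_PATH_RE.search(a) for a in argv if not a.startswith("-"))


def flag_event(cmdline: str) -> bool:
    """Apply the rule's three conditions: curl, local Docker socket, create action."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes; malformed lines are not flagged here
        return False
    sock = socket_path(argv)
    return is_curl(argv) and sock is not None and bool(DOCKER_SOCKET_RE.search(sock)) and targets_create(argv)


def detect(events: Sequence[Tuple[str, str]]) -> List[str]:
    """Return the container ids whose command lines match the rule."""
    return [cid for cid, cmd in events if flag_event(cmd)]
```

Listing running containers over the socket (c3) is not flagged, since only the create action indicates a new container being deployed; the triage steps below still apply to any hit.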
Triage and response
- Inspect the process arguments to understand the purpose of the command. Adversaries may abuse this access to run privileged containers.
- If the activity is unexpected, isolate the host to prevent further compromise.
- Review related signals and Docker logs to establish a timeline.
- Find and repair the root cause.
Requires Agent version 7.28 or later.