Container breakout attempt using Docker socket
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect container breakouts that are abusing access to a Docker socket exposed inside a container. Actors will have access to the socket to deploy misconfigured containers that can be used to break out to the host. Container breakouts remove some or all isolation from a container, enabling an attacker to access the underlying host.
Strategy
Monitor process activity inside containers for executions of curl
targeting a local Docker socket, utilizing the create API action to deploy a new container.
Triage and response
- Inspect the process arguments to understand the purpose of the command. Adversaries may abuse this access to run privileged containers.
- If the activity is unexpected, isolate the host to prevent further compromise.
- Review related signals and Docker logs to establish a timeline.
- Find and repair the root cause.
Requires Agent version 7.28 or later.