2022-10-14 13:16:48 +00:00
|
|
|
-- Detect the execution of a Docker containing mounting the root filesystem
|
|
|
|
--
|
|
|
|
-- references:
|
|
|
|
-- * https://attack.mitre.org/techniques/T1611/
|
|
|
|
-- * https://github.com/liamg/traitor/blob/main/pkg/exploits/dockersock/exploit.go
|
|
|
|
--
|
|
|
|
-- This attack is very quick, so the likelihood of finding a culprit is entirely
|
|
|
|
-- dependent on the polling time. The number of "tags" you see associated to an image
|
|
|
|
-- may reflect the number of times the attack has been attempted.
|
|
|
|
--
|
|
|
|
-- platform: linux
|
2022-10-14 18:19:13 +00:00
|
|
|
-- tags: transient often
|
2022-10-17 23:06:17 +00:00
|
|
|
SELECT
|
|
|
|
*
|
|
|
|
FROM
|
|
|
|
docker_image_history
|
|
|
|
WHERE
|
|
|
|
created > (strftime('%s', 'now') -86400)
|
|
|
|
-- This signature is used by Traitor: https://github.com/liamg/traitor/
|
|
|
|
AND created_by LIKE '%/bin/sh%/lol%';
|