osquery-defense-kit/detection/privesc/docker-container-mounting-r...

26 lines
628 B
MySQL
Raw Normal View History

-- Detect the execution of a Docker containing mounting the root filesystem
--
-- references:
-- * https://attack.mitre.org/techniques/T1611/
-- * https://github.com/liamg/traitor/blob/main/pkg/exploits/dockersock/exploit.go
--
-- This attack is very quick, so the likelihood of finding a culprit is entirely
-- dependent on the polling time.
--
-- platform: linux
-- tags: transient container escalation
SELECT
2022-10-17 23:06:17 +00:00
command,
image_id,
path,
source,
destination,
2022-10-17 23:06:17 +00:00
security_options,
started_at,
image
FROM
docker_container_mounts AS dcm
LEFT JOIN docker_containers dc ON dcm.id = dc.id
WHERE
2022-10-21 21:39:53 +00:00
dcm.source = "/"