2022-10-14 13:16:48 +00:00
|
|
|
-- Detect the execution of a Docker containing mounting the root filesystem
|
|
|
|
|
--
|
|
|
|
|
-- references:
|
|
|
|
|
-- * https://attack.mitre.org/techniques/T1611/
|
|
|
|
|
-- * https://github.com/liamg/traitor/blob/main/pkg/exploits/dockersock/exploit.go
|
|
|
|
|
--
|
|
|
|
|
-- This attack is very quick, so the likelihood of finding a culprit is entirely
|
|
|
|
|
-- dependent on the polling time.
|
|
|
|
|
--
|
|
|
|
|
-- platform: linux
|
2022-10-21 16:05:06 +00:00
|
|
|
-- tags: transient rapid container escalation
|
2022-10-14 13:16:48 +00:00
|
|
|
SELECT
|
2022-10-17 23:06:17 +00:00
|
|
|
command,
|
|
|
|
|
image_id,
|
|
|
|
|
path,
|
2022-10-21 16:05:06 +00:00
|
|
|
source,
|
|
|
|
|
destination,
|
2022-10-17 23:06:17 +00:00
|
|
|
security_options,
|
|
|
|
|
started_at,
|
|
|
|
|
image
|
2022-10-14 13:16:48 +00:00
|
|
|
FROM
|
2022-10-21 16:05:06 +00:00
|
|
|
docker_container_mounts AS dcm
|
|
|
|
|
LEFT JOIN docker_containers dc ON dcm.id = dc.id
|
2022-10-14 13:16:48 +00:00
|
|
|
WHERE
|
2022-10-21 21:39:53 +00:00
|
|
|
dcm.source = "/"
|
