-- Detect the execution of a Docker containing mounting the root filesystem
--
-- references:
--   * https://attack.mitre.org/techniques/T1611/
--   * https://github.com/liamg/traitor/blob/main/pkg/exploits/dockersock/exploit.go
--
-- This attack is very quick, so the likelihood of finding a culprit is entirely
-- dependent on the polling time. The number of "tags" you see associated to an image
-- may reflect the number of times the attack has been attempted.
--
-- platform: linux
-- tags: transient
SELECT
  *
FROM
  docker_image_history
WHERE
  created > (strftime('%s', 'now') -86400)
  -- This signature is used by Traitor: https://github.com/liamg/traitor/
  AND created_by LIKE '%/bin/sh%/lol%';