osquery-defense-kit/detection/privesc/sketchy-docker-image-creato...

21 lines
714 B
SQL

-- Detect the execution of a Docker containing mounting the root filesystem
--
-- references:
-- * https://attack.mitre.org/techniques/T1611/
-- * https://github.com/liamg/traitor/blob/main/pkg/exploits/dockersock/exploit.go
--
-- This attack is very quick, so the likelihood of finding a culprit is entirely
-- dependent on the polling time. The number of "tags" you see associated to an image
-- may reflect the number of times the attack has been attempted.
--
-- platform: linux
-- tags: transient often
SELECT
*
FROM
docker_image_history
WHERE
created > (strftime('%s', 'now') -86400)
-- This signature is used by Traitor: https://github.com/liamg/traitor/
AND created_by LIKE '%/bin/sh%/lol%';