Docker Detection Notes

Warning - Experimental / all done in lab environment, please test before using any of this in production

Data Sources

Sumo Logic Docker Driver - https://github.com/SumoLogic/sumologic-docker-logging-driver
Laurel - https://github.com/threathunters-io/laurel
Florian Roth's Auditd Configuration - https://github.com/Neo23x0/auditd
Malcolm for PCAP - https://malcolm.fyi/

References

TTPs

Docker Enumeration

_source="Laurel" 
| where %"syscall.exe" = "/usr/bin/docker"
| where _raw matches /(docker|ps|info)/
| json field=_raw "PROCTITLE.ARGV[*]" as cmd_arg
| values(cmd_arg) as cmd_args by %"syscall.exe",%"syscall.ppid.comm"

Suspicious Container Start

_source="Laurel" 
| where _raw matches /(chroot|mount)/
| where %"syscall.exe" = "/usr/bin/dockerd" OR %"syscall.exe"= "/usr/bin/docker"
| json field=_raw "PROCTITLE.ARGV[*]" as cmd_arg
| values(cmd_arg) as cmd_args by %"syscall.exe",%"syscall.ppid.comm"

Docker Filesystem Enumeration within Container

Note this utilizes the Docker driver

_source="Docker" and _collector="Docker"
| if(_raw matches /mount|fdisk/,1,0) as file_system_container_commands
| where file_system_container_commands = 1

Privileged Container Started

_source="Laurel" 
| where _raw matches /(privileged)/
| where %"syscall.exe" = "/usr/bin/dockerd" OR %"syscall.exe"= "/usr/bin/docker"
| json field=_raw "PROCTITLE.ARGV[*]" as cmd_arg
| values(cmd_arg) as cmd_args by %"syscall.exe",%"syscall.ppid.comm"

Container Started with SYS_ADMIN privs

_source="Laurel" 
| where _raw matches /(SYS_ADMIN)/
| where %"syscall.exe" = "/usr/bin/dockerd" OR %"syscall.exe"= "/usr/bin/docker"
| json field=_raw "PROCTITLE.ARGV[*]" as cmd_arg
| values(cmd_arg) as cmd_args by %"syscall.exe",%"syscall.ppid.comm"

Overly Permissive Mount

_source="Laurel" 
| where _raw matches /(\-v\"\,"\/\:\/mnt)/
| where %"syscall.exe" = "/usr/bin/dockerd" OR %"syscall.exe"= "/usr/bin/docker"
| where %"syscall.ppid.comm" = "bash"
| json field=_raw "PROCTITLE.ARGV[*]" as cmd_arg
| values(cmd_arg) as cmd_args by %"syscall.exe",%"syscall.ppid.comm"

_source="Docker" and _collector="Docker"
| where _raw matches /(cat.\/mnt\/etc\/)/

Docker Daemon - Unprotected TCP Socket Exploit

_source="Laurel" 
| where %"syscall.key" = "network_socket_created"
| where %"syscall.exe" matches /(\/tmp\/\w\w\w\w\w\w\w\w)/
| values(%"proctitle.argv") as args by %"syscall.exe"

_source="Laurel" 
| json field=_raw "PROCTITLE.ARGV[*]" as cmd_arg
| %"path[0].name" as path_name
| where %"syscall.ppid.exe" = "/usr/bin/containerd-shim-runc-v2"
| where path_name matches /(cron\.d)/
| values (path_name) by cmd_arg

Name		Name	Last commit message	Last commit date
Latest commit History 3 Commits
20230826094119.png		20230826094119.png
20230826094147.png		20230826094147.png
20230826095126.png		20230826095126.png
20230826095147.png		20230826095147.png
20230826095731.png		20230826095731.png
20230826095750.png		20230826095750.png
20230826100205.png		20230826100205.png
20230826100223.png		20230826100223.png
20230826100548.png		20230826100548.png
20230826100614.png		20230826100614.png
20230826101130.png		20230826101130.png
20230826102226.png		20230826102226.png
20230826102830.png		20230826102830.png
20230826103136.png		20230826103136.png
20230826103851.png		20230826103851.png
20230826104442.png		20230826104442.png
20230826104830.png		20230826104830.png
20230826104950.png		20230826104950.png
20230826105335.png		20230826105335.png
README.md		README.md
index.md		index.md

Antonlovesdnb/DockerDetectionNotes

Folders and files

Latest commit

History

Repository files navigation

Docker Detection Notes

Warning - Experimental / all done in lab environment, please test before using any of this in production

Data Sources

References

TTPs

Docker Enumeration

Suspicious Container Start

Docker Filesystem Enumeration within Container

Privileged Container Started

Container Started with SYS_ADMIN privs

Overly Permissive Mount

Docker Daemon - Unprotected TCP Socket Exploit

About

Resources

Stars

Watchers

Forks