Unusual Process Connection to Docker or Containerd Socket

About

Tags

Data Source: Auditd ManagerDomain: EndpointDomain: ContainerOS: LinuxUse Case: Threat DetectionTactic: DiscoveryTactic: Privilege EscalationTactic: Lateral MovementLanguage: kuery

Severity

medium

Risk Score

47

MITRE ATT&CK™

Discovery (TA0007)(external, opens in a new tab or window)

↳ Container and Resource Discovery (T1613)(external, opens in a new tab or window)

Privilege Escalation (TA0004)(external, opens in a new tab or window)

↳ Escape to Host (T1611)(external, opens in a new tab or window)

Lateral Movement (TA0008)(external, opens in a new tab or window)

↳ Use Alternate Authentication Material (T1550)(external, opens in a new tab or window)

False Positive Examples

Custom container tooling, CI agents, or monitoring may connect to docker.sock or containerd.sock from non-standard paths after relocation or bind mounts. Tune by process.executable or user.name when noise is high.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Query (Kibana Query Language)

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

auditbeat-*logs-auditd_manager.auditd-*

Related Integrations

auditd_manager(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗host.os.type:"linux" and 
event.category:"network" and
event.action:"connected-to" and network.direction:"egress" and 
destination.address:("/run/containerd/containerd.sock" or "/var/run/containerd/containerd.sock" or "/var/run/docker.sock" or "/run/docker.sock") and
process.executable:(* and not 
  ("/usr/bin/kubelet" or
  "/usr/local/bin/kubelet" or
  "/usr/bin/containerd" or
  "/usr/sbin/containerd" or
  "/usr/bin/containerd-shim" or
  "/usr/bin/containerd-shim-runc-v2" or
  "/usr/local/bin/containerd-shim-runc-v2" or
  "/usr/bin/dockerd" or
  "/usr/sbin/dockerd" or  
   /var/lib/*/usr/bin/dockerd or 
  "/usr/bin/docker-proxy")
)