++

Author: Aegrah

rules/linux/execution_container_management_binary_launched_inside_container.toml

@@ -67,7 +67,7 @@ query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 process.entry_leader.entry_meta.type == "container" and process.interactive == true and
 process.name in ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "systemd", "crictl") and
-not process.parent.executable == "/sbin/init"
+not process.parent.executable in ("/sbin/init", "/usr/bin/dockerd")
 '''
 note = """## Triage and analysis