| 1 | +# Persistence via Docker Container |
| 2 | + |
| 3 | +--- |
| 4 | + |
| 5 | +## Metadata |
| 6 | + |
| 7 | +- **Author:** Elastic |
| 8 | +- **Description:** This hunt identifies potential persistence mechanisms through malicious Docker containers on Linux systems. Attackers can abuse Docker's capabilities, such as privileged containers, host namespace sharing, or mounting sensitive host paths, to maintain persistence or gain unauthorized access to the host. This hunt focuses on detecting suspicious container creations, modifications, and network connections. |
| 9 | + |
| 10 | +- **UUID:** `b9b4f11f-1db9-491a-ab43-0e69e3f6d5be` |
| 11 | +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) |
| 12 | +- **Language:** `[ES|QL, SQL]` |
| 13 | +- **Source File:** [Persistence via Docker Container](../queries/persistence_via_malicious_docker_container.toml) |
| 14 | + |
| 15 | +## Query |
| 16 | + |
| 17 | +```sql |
| 18 | +from logs-endpoint.events.network-* |
| 19 | +| keep @timestamp, host.os.type, event.type, event.action, process.executable, destination.ip, agent.id, process.executable, process.command_line |
| 20 | +| where @timestamp > now() - 7 days |
| 21 | +| where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and |
| 22 | +process.executable like "/var/lib/docker/*" and destination.ip IS NOT null and not |
| 23 | +CIDR_MATCH( |
| 24 | + destination.ip, |
| 25 | + // Exclude common destination IP ranges for your environment here |
| 26 | + "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1", "172.18.0.0/16" |
| 27 | +) |
| 28 | +| stats cc = count(), agent_count = count_distinct(agent.id) by process.executable, process.command_line, destination.ip |
| 29 | +| where agent_count <= 3 |
| 30 | +| sort cc asc |
| 31 | +| limit 100 |
| 32 | +``` |
| 33 | + |
| 34 | +```sql |
| 35 | +SELECT * FROM docker_containers |
| 36 | +``` |
| 37 | + |
| 38 | +```sql |
| 39 | +SELECT * FROM docker_containers |
| 40 | +WHERE privileged = 1 |
| 41 | +``` |
| 42 | + |
| 43 | +```sql |
| 44 | +SELECT * FROM docker_containers |
| 45 | +WHERE created <= strftime('%s', 'now') |
| 46 | +AND strftime('%s', 'now') - created <= (7 * 86400); -- Created in the last 7 days |
| 47 | +``` |
| 48 | + |
| 49 | +```sql |
| 50 | +SELECT * FROM docker_images |
| 51 | +``` |
| 52 | + |
| 53 | +```sql |
| 54 | +SELECT * FROM docker_images |
| 55 | +WHERE strftime('%s', 'now') - created <= (7 * 86400); -- Pulled in the last 7 days |
| 56 | +``` |
| 57 | + |
| 58 | +```sql |
| 59 | +SELECT |
| 60 | + id AS container_id, |
| 61 | + name AS container_name, |
| 62 | + source AS host_path, |
| 63 | + destination AS container_path, |
| 64 | + rw AS is_read_write |
| 65 | +FROM |
| 66 | + docker_container_mounts |
| 67 | +WHERE |
| 68 | + source IN ('/var/run/docker.sock', '/', '/etc', '/var/lib/docker'); |
| 69 | + -- Add your own list of additional sources here |
| 70 | +``` |
| 71 | + |
| 72 | +## Notes |
| 73 | + |
| 74 | +- Monitors for unusual network connections initiated by Docker containers, focusing on non-local IP addresses to identify potentially malicious activity. |
| 75 | +- Detects Docker containers running in privileged mode, which may indicate a risk of host compromise. |
| 76 | +- Identifies recently created Docker containers and images to highlight potential unauthorized deployments or suspicious additions. |
| 77 | +- Analyzes Docker container mount points to detect access to sensitive host directories, such as /var/run/docker.sock or /etc, which could enable container escape or host-level compromise. |
| 78 | +- Provides OSQuery queries to gather additional context about running containers, their configurations, and associated image metadata for forensic analysis. |
| 79 | + |
| 80 | +## MITRE ATT&CK Techniques |
| 81 | + |
| 82 | +- [T1610](https://attack.mitre.org/techniques/T1610) |
| 83 | + |
| 84 | +## License |
| 85 | + |
| 86 | +- `Elastic License v2` |
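Review bot: the comment on the second `docker_images` query, `WHERE strftime('%s', 'now') - created <= (7 * 86400); -- Pulled in the last 7 days`, is misleading: the `created` column of osquery's `docker_images` table is the image's build timestamp taken from the image metadata, not the time the host pulled it, so a freshly pulled but months-old base image will not match and an attacker-built image can carry whatever timestamp its author chose. Reword the comment to "Built in the last 7 days" or drop the query and rely on the container-creation query plus the daemon's pull logs. Two smaller points in the same hunk: the mounts query matches `source IN ('/var/run/docker.sock', '/', '/etc', '/var/lib/docker')` exactly, so `/run/docker.sock` (the common spelling on distributions where `/var/run` is a symlink to `/run`) and sub-paths such as `/etc/cron.d` or `/var/lib/docker/volumes` slip through; a `LIKE '/etc/%'`-style prefix match per entry would close that gap. In the ES|QL query, `keep` lists `process.executable` twice, and the CIDR exclusion hardcodes `172.18.0.0/16`, which is the first user-defined network, while Docker's default bridge is `172.17.0.0/16`; the inline comment should say which networks the exclusion is meant to cover so operators know to extend it rather than treating it as complete. Finally, the description promises detection of host namespace sharing (`--pid=host`, `--net=host`), but none of the queries checks for it; either drop that clause from the description or add a query against the container's namespace columns if the deployed osquery build exposes them.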