This note documents detection patterns related to Container Escape or Docker Abuse on Linux systems.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Shell history | docker ps | Container enumeration | High | Often first attacker step after foothold. |
| Shell history | docker exec -it | Interactive container access | Critical | Strong container pivot indicator. |
| Shell history | docker run -v /:/mnt | Host filesystem mount | Critical | Classic host escape / abuse pattern. |
| Shell history | docker run --privileged | Privileged container launch | Critical | High-confidence abuse path. |
| Shell history | docker cp | File transfer into/out of container | High | Useful for payload staging. |
| Shell history | docker inspect | Container reconnaissance | High | Often precedes abuse. |
| Shell history | docker commit | Snapshot modified container | Medium | Context dependent. |
| Shell history | nsenter | Namespace escape | Critical | Strong host escape indicator. |
| Shell history | chroot /mnt | Host pivot after mount | Critical | Strong escape sequence. |
| /var/lib/docker/ | unexpected new artifacts | Container modification | High | Persistence / payload staging clue. |
| Docker daemon logs | privileged container start | Runtime evidence | Critical | Daemon logs record container lifecycle, not the run flags; the launch flags persist in /var/lib/docker/containers/<id>/hostconfig.json (Privileged, Binds). |
| journalctl | docker service activity | Runtime clue | Critical | Primary host-side source. |
| auditd | docker / nsenter execution | Process attribution | Critical | Best attribution if enabled. |
| Mounted host paths | /:/mnt style mounts | Host exposure | Critical | High severity artifact. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Docker commands after sudo/root | Host abuse progression | Critical | Common attacker path. |
| Privileged container after foothold | Escape attempt | Critical | Strong hostile sequence. |
| Host filesystem visible in container | Near-confirmed escape path | Critical | High severity. |
| Container launched from unusual image | Payload carrier | High | Strong anomaly if unknown image. |
| Docker socket access by low-priv user | Privilege abuse | Critical | Often equivalent to root. |
| nsenter after docker mount | Mature operator behavior | Critical | Strong escape indicator. |
| Container plus cron/service on host | Host persistence post-escape | Critical | Full compromise chain. |
| Hidden payload under /var/lib/docker | Concealed persistence | High | Requires deeper review. |
| Docker used for outbound pivot | Network staging | High | Multi-host movement clue. |
| Docker history missing after use | Cleanup attempt | High | Anti-forensic behavior. |
Common Tools
| Tool | Usage |
|---|---|
| docker exec | Access running container. |
| docker run --privileged | Launch high-privilege container. |
| docker run -v /:/mnt | Mount host filesystem. |
| docker cp | Transfer files. |
| docker inspect | Container metadata reconnaissance. |
| nsenter | Namespace pivot to host. |
| chroot | Pivot into mounted host FS. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| Shell history | .bash_history, .zsh_history | Critical | Primary command evidence. |
| Docker data | /var/lib/docker/ | High | Image/container artifact source. |
| Docker socket | /var/run/docker.sock | Critical | Privilege pivot target. |
| Docker daemon logs | journald / service logs | Critical | Runtime truth. |
| Audit logs | /var/log/audit/audit.log | Critical | Process attribution. |
| Mounted host traces | bind mount paths | Critical | Escape proof. |
MITRE ATT&CK References
- T1611 Escape to Host
- T1610 Deploy Container
- T1613 Container and Resource Discovery
Decision Tree
- Was docker used?
  - Search shell history and daemon logs.
- Was privileged mode used?
  - Identify `--privileged`, host mounts.
- Was host filesystem exposed?
  - Inspect mount arguments.
- Was namespace escape attempted?
  - Look for `nsenter`, `chroot`.
- Did host persistence follow?
  - Cron, services, keys, startup files.
- Pivot
  - Container → image / mounts.
  - User → docker group / sudo context.
  - Timeline → privilege sequence.
- Confirm abuse
  - Privileged docker + host mount + escape tooling = strong host compromise path.
Example Detection Templates
Grep
```bash
grep -H "docker exec\|docker run --privileged\|docker run -v /\|docker cp\|docker inspect\|nsenter\|chroot /mnt" /home/*/.bash_history /home/*/.zsh_history /root/.bash_history /root/.zsh_history 2>/dev/null
grep -H "docker " /home/*/.bash_history /home/*/.zsh_history /root/.bash_history /root/.zsh_history 2>/dev/null
```

Note that `docker run -v /` also matches a bind mount of any absolute host path (for example `-v /home/app:/data`); confirm that the host side is `/` or another sensitive path before treating a hit as an escape.
Journalctl
```bash
journalctl -u docker.service --no-pager
journalctl --no-pager | grep -E 'docker|nsenter'
```

The second search also catches docker launched through sudo, because sudo logs the full command line (COMMAND=/usr/bin/docker run --privileged ...) to the journal.
File Inspection
```bash
ls -la /var/run/docker.sock
getent group docker
grep -l '"Privileged":true' /var/lib/docker/containers/*/hostconfig.json 2>/dev/null
find /var/lib/docker -printf '%TY-%Tm-%Td %TT %p\n' 2>/dev/null | sort
```
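The grep patterns above and the "Confirm abuse" step of the decision tree can be run as one triage pass. The following is an added example, not code from the original note or from Docker: it tokenises history lines with shlex (so `docker run -v /home/app:/data` is not mistaken for a host-root mount, which the substring pattern `docker run -v /` cannot distinguish), reads the `Privileged` and `Binds` keys of each container's `hostconfig.json` under `/var/lib/docker/containers/<id>/` (evidence that survives a cleared history), and applies the note's confirmation rule. The sample history lines and hostconfig JSON are constructed; the tag names and the verdict wording are this example's own.

```python
"""Triage pass over shell history and on-disk container configs (added example, not from the note)."""
import json
import shlex
from pathlib import Path

# Bind-mounting these host paths is root-equivalent or exposes host data (host root is handled separately).
SENSITIVE_HOST_PATHS = {"/etc", "/root", "/var/run/docker.sock", "/run/docker.sock"}
ESCAPE_TOOLS = {"nsenter", "chroot"}

def host_side(spec):
    """Host path of a '-v host:ctr[:opts]' or '--mount type=bind,source=...' spec; None for named volumes."""
    if "=" in spec.split(",", 1)[0]:                      # --mount key=value[,key=value] syntax
        kv = dict(p.split("=", 1) for p in spec.split(",") if "=" in p)
        return kv.get("source") or kv.get("src")
    host = spec.split(":", 1)[0]
    return host if host.startswith("/") else None

def mount_tags(host_path):
    """Tag a bind mount by how much of the host it exposes."""
    if host_path == "/":
        return {"host_root_mount"}
    if host_path in SENSITIVE_HOST_PATHS:
        return {"sensitive_host_mount"}
    return set()

def analyse_command(line):
    """Indicator tags for one shell-history line (a leading sudo is stripped and recorded)."""
    try:
        argv = shlex.split(line)
    except ValueError:                                     # unbalanced quote in a truncated line
        argv = line.split()
    tags = set()
    if argv and argv[0] == "sudo":
        tags.add("via_sudo")
        argv = argv[1:]
    if not argv:
        return tags
    if argv[0] in ESCAPE_TOOLS:                            # nsenter/chroot typed directly on the host
        tags.add(argv[0])
    if argv[0] != "docker" or len(argv) < 2:
        return tags
    tags.add("docker_" + argv[1])
    tags |= ESCAPE_TOOLS & set(argv[2:])                   # e.g. docker run ... alpine chroot /mnt sh
    if argv[1] != "run":
        return tags
    i = 2
    while i < len(argv):
        tok, spec = argv[i], None
        if tok == "--privileged":
            tags.add("privileged")
        elif tok in ("-v", "--volume", "--mount") and i + 1 < len(argv):
            i += 1
            spec = argv[i]
        elif tok.startswith(("-v=", "--volume=", "--mount=")):
            spec = tok.split("=", 1)[1]
        if spec is not None:
            tags |= mount_tags(host_side(spec))
        i += 1
    return tags

def analyse_hostconfig(text):
    """Indicator tags from the JSON body of /var/lib/docker/containers/<id>/hostconfig.json."""
    cfg = json.loads(text)
    tags = {"privileged"} if cfg.get("Privileged") else set()
    for bind in cfg.get("Binds") or []:                    # "host:ctr[:opts]" strings, same shape as -v
        tags |= mount_tags(host_side(bind))
    return tags

def scan_containers_dir(root="/var/lib/docker/containers"):
    """Tags per container id on the live host (the directory is readable by root only)."""
    return {p.parent.name: analyse_hostconfig(p.read_text())
            for p in Path(root).glob("*/hostconfig.json")}

def verdict(tags):
    """The note's rule: privileged or host mount, plus escape tooling, is a strong host compromise path."""
    exposed = "privileged" in tags or bool(tags & {"host_root_mount", "sensitive_host_mount"})
    if exposed and tags & ESCAPE_TOOLS:
        return "strong host compromise path"
    if exposed:
        return "privileged or host-exposed container: review"
    return "docker activity: context dependent" if tags else "no indicator"

# Constructed sample evidence for the demonstration (not from a real incident).
SAMPLE_HISTORY = [
    "docker ps",
    "docker run -v /home/app/data:/data -d registry.example/app:1.2",   # ordinary bind mount, not an escape
    "sudo docker run --privileged -v /:/mnt -it alpine sh",
    "chroot /mnt /bin/bash",
]
SAMPLE_HOSTCONFIG = json.dumps({"Privileged": True, "Binds": ["/:/mnt"], "NetworkMode": "default"})

def triage(history=SAMPLE_HISTORY, hostconfigs=(SAMPLE_HOSTCONFIG,)):
    """Merge history and on-disk evidence into one tag set and a verdict."""
    tags = set()
    for line in history:
        tags |= analyse_command(line)
    for text in hostconfigs:
        tags |= analyse_hostconfig(text)
    return tags, verdict(tags)
```

On a live host, feed `triage()` the lines of the history files listed above and `scan_containers_dir().values()` in place of the constructed samples; the verdict for the sample data is "strong host compromise path" because the privileged host-root mount is followed by `chroot /mnt`.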
Sigma
```yaml
title: Linux Container Escape or Docker Abuse
id: linux-container-escape-docker-abuse
status: experimental
description: Detects suspicious docker activity associated with host escape or privileged abuse
logsource:
    product: linux
detection:
    selection_keywords:
        message|contains:
            - 'docker run --privileged'
            - 'docker exec'
            - 'nsenter'
            - 'docker run -v /'
    condition: selection_keywords
fields:
    - message
    - hostname
falsepositives:
    - Legitimate container administration
    - The pattern 'docker run -v /' also matches bind mounts of ordinary host subdirectories; confirm the host side is / or a sensitive path
level: high
tags:
    - attack.privilege_escalation
    - attack.t1611
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Docker socket control | Restrict socket access | Critical | Docker socket often equals root. |
| Privileged container policy | Block --privileged | Critical | Removes key escape path. dockerd has no built-in switch for this; enforce it through an authorization plugin or orchestrator admission policy. |
| Mount policy | Restrict host bind mounts | Critical | Prevents filesystem exposure. |
| Auditd | Track docker/nsenter commands | High | Strong attribution. |
| Docker group review | Minimize membership | High | Major privilege control. |
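The "Docker socket control" and "Docker group review" rows are one check in practice: whoever can write to the socket can ask dockerd to start a privileged container with the host root bind-mounted. The following is an added example, not code from the original note or from Docker. `assess_socket()` judges plain values (mode bits, owner, group, member list) so the logic can be run on constructed input; `audit_socket()` feeds it the live host's values, including users whose primary group is the docker group and who therefore do not appear in the group file's member list. `expected_admins` is an assumption of this example: the users the site has deliberately granted root-equivalent access.

```python
"""Docker socket and docker-group audit (added example, not from the note)."""
import grp
import os
import pwd
import stat

DOCKER_SOCKET = "/var/run/docker.sock"   # default install: srw-rw---- root:docker

def assess_socket(mode, owner, group, group_members, expected_admins=frozenset()):
    """Findings for a socket with the given st_mode, owner/group names and list of group members.

    expected_admins (assumption of this example): users allowed root-equivalent docker access.
    """
    findings = []
    if not stat.S_ISSOCK(mode):
        findings.append(f"not a unix socket (mode {mode:o}); dockerd may not be listening here")
    if owner != "root":
        findings.append(f"CRITICAL: socket owned by {owner}, not root")
    if mode & stat.S_IWOTH:
        findings.append("CRITICAL: socket is world-writable; every local user is root-equivalent")
    if mode & stat.S_IWGRP:
        # Group write on the socket makes every group member root-equivalent on the host.
        for user in sorted(set(group_members) - set(expected_admins) - {"root"}):
            findings.append(f"HIGH: {user} is in group {group} and can drive dockerd as root")
    return findings

def resolve_group_members(group_name):
    """All members of a group: the explicit gr_mem list plus users whose primary group it is."""
    g = grp.getgrnam(group_name)
    primary = {p.pw_name for p in pwd.getpwall() if p.pw_gid == g.gr_gid}
    return sorted(set(g.gr_mem) | primary)

def audit_socket(path=DOCKER_SOCKET, expected_admins=frozenset()):
    """Run assess_socket() against the live host; os.stat on the socket needs no privileges."""
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    return assess_socket(st.st_mode, owner, group, resolve_group_members(group), expected_admins)

if __name__ == "__main__":
    for finding in audit_socket(expected_admins={"deploy"}) or ["no findings"]:
        print(finding)
```

An empty result for the default `root:docker` 0660 socket means only root and the listed administrators can reach dockerd; any other name in the output is a root-equivalent account that the docker group review should remove.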
Fast Triage Checks
| Question | Command / Artifact | Why It Matters |
|---|---|---|
| Was docker used suspiciously? | grep shell history for docker, nsenter, chroot | Immediate abuse check. |
| Any privileged launch? | docker inspect -f '{{.HostConfig.Privileged}}' <id> for each container in docker ps -a | Escape clue. |
| Was host mounted? | docker inspect -f '{{json .HostConfig.Binds}}' <id>; -v usage in history | High severity. |
| Was nsenter used? | grep history | Strong host escape signal. |
| Did host persistence follow? | inspect cron, systemd units, authorized_keys, startup files | Full compromise chain. |
| Is docker socket exposed? | ls -la /var/run/docker.sock; getent group docker | Privilege context. |
High Value Grep Strings
| Pattern | Why It Matters |
|---|---|
| docker exec | Container pivot. |
| docker run --privileged | High-risk abuse. |
| docker run -v /:/mnt | Host mount escape. |
| docker cp | Payload movement. |
| nsenter | Namespace escape. |
| chroot /mnt | Host pivot after mount. |
Analyst Notes
| Scenario | Interpretation |
|---|---|
| Privileged container + host mount | Very strong host compromise path. |
| Docker socket by low-priv user | Effective root-level abuse. |
| nsenter after docker run | Mature escape behavior. |
| Hidden payload under docker paths | Concealed persistence possible. |
| Docker plus cron on host | Escape followed by persistence. |
| History cleared after docker abuse | Cleanup attempt likely. |