Unusual Process Connection to Docker or Containerd Socket
Detects a process connecting to a container runtime Unix socket (containerd or Docker) that is not a known legitimate runtime component. Direct access to the container runtime socket allows an attacker to create, exec into, or manipulate containers without going through the Kubernetes API server, bypassing RBAC, admission webhooks, pod security standards, and Kubernetes audit logging entirely.
Elastic rule
````toml
[metadata]
creation_date = "2026/04/29"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2026/04/29"

[rule]
author = ["Elastic"]
description = """
Detects a process connecting to a container runtime Unix socket (containerd or Docker) that is not a known legitimate
runtime component. Direct access to the container runtime socket allows an attacker to create, exec into, or manipulate
containers without going through the Kubernetes API server, bypassing RBAC, admission webhooks, pod security standards,
and Kubernetes audit logging entirely.
"""
false_positives = [
    """
    Custom container tooling, CI agents, or monitoring may connect to docker.sock or containerd.sock from non-standard
    paths after relocation or bind mounts. Tune by process.executable or user.name when noise is high.
    """,
]
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Process Connection to Docker or Containerd Socket"
note = """## Triage and analysis

### Investigating Unusual Process Connection to Docker or Containerd Socket

Review the initiating process executable, user, and parent chain. Confirm whether the socket path is the host default
or a bind-mounted path inside a container. Pivot on the same host for subsequent container creation, image pulls, or
credential access.

### Possible investigation steps

- Map `process.executable`, `process.args`, `process.title` and `user.id` to an identity and session (SSH, cron, web shell).
- Check file permissions on the socket path and whether the workload should have access at all.
- Correlate with process and authentication telemetry before and after the connection.

### False positive analysis

- Vendor agents that wrap docker or containerd CLIs from non-standard install locations may match; add explicit
  exclusions for known binaries.

### Response and remediation

- If malicious, isolate the host, revoke credentials, inspect for rogue containers and persistence, and restrict socket
  permissions to trusted groups only.
"""
references = [
    "https://attack.mitre.org/techniques/T1611/",
    "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation",
]
risk_score = 47
rule_id = "d70c966f-c5ef-4228-9548-346593cd422d"
setup = """## Setup

This rule requires **Auditd Manager** (or Auditbeat) process and **network** events where Unix socket paths populate
`destination.address` (or equivalent ECS mapping from your pipeline).

### Auditd Manager: network and socket visibility

Enable auditing of socket-related activity so `event.category:network` and `event.action:connected-to` (or your
pipeline's equivalent) are emitted for `connect` to Unix sockets. Example audit rules to extend as needed:

```
# 64-bit connect (required for socket connection telemetry)
-a always,exit -F arch=b64 -S connect -k netconn
# 32-bit (if applicable)
-a always,exit -F arch=b32 -S connect -k netconn
```

After deployment, confirm in Discover that events for connections to
`/var/run/docker.sock`, `/run/docker.sock`, or containerd socket paths include `process.executable` and
`destination.address` fields used by this rule.

For more details on the integration refer to the [Auditd Manager documentation](https://docs.elastic.co/integrations/auditd_manager).
"""
severity = "medium"
tags = [
    "Data Source: Auditd Manager",
    "Domain: Endpoint",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Tactic: Privilege Escalation",
    "Tactic: Lateral Movement",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
host.os.type:"linux" and
event.category:"network" and
event.action:"connected-to" and network.direction:"egress" and
destination.address:("/run/containerd/containerd.sock" or "/var/run/containerd/containerd.sock" or "/var/run/docker.sock" or "/run/docker.sock") and
process.executable:(* and not
  ("/usr/bin/kubelet" or
   "/usr/local/bin/kubelet" or
   "/usr/bin/containerd" or
   "/usr/sbin/containerd" or
   "/usr/bin/containerd-shim" or
   "/usr/bin/containerd-shim-runc-v2" or
   "/usr/local/bin/containerd-shim-runc-v2" or
   "/usr/bin/dockerd" or
   "/usr/sbin/dockerd" or
   /var/lib/*/usr/bin/dockerd or
   "/usr/bin/docker-proxy")
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
reference = "https://attack.mitre.org/techniques/T1613/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
````
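To see how the query's exclusion list behaves, including the unquoted `/var/lib/*/usr/bin/dockerd` wildcard, here is an added Python re-implementation of the rule's clauses run over constructed events. It is not part of the Elastic rule; the events use flattened ECS field names as shown in Discover, and every path such as `/var/lib/placeholder-distro/usr/bin/dockerd` is made up.

```python
# Added example, not part of the Elastic rule: re-implements the query's clauses in
# Python so the exclusion logic can be checked offline against constructed events.
import fnmatch

RUNTIME_SOCKETS = {"/run/containerd/containerd.sock", "/var/run/containerd/containerd.sock",
                   "/var/run/docker.sock", "/run/docker.sock"}

# Rule exclusions; the unquoted /var/lib/*/usr/bin/dockerd is a KQL wildcard, so use fnmatch.
ALLOWED_EXECUTABLES = [
    "/usr/bin/kubelet", "/usr/local/bin/kubelet", "/usr/bin/containerd", "/usr/sbin/containerd",
    "/usr/bin/containerd-shim", "/usr/bin/containerd-shim-runc-v2",
    "/usr/local/bin/containerd-shim-runc-v2", "/usr/bin/dockerd", "/usr/sbin/dockerd",
    "/var/lib/*/usr/bin/dockerd", "/usr/bin/docker-proxy",
]

def has_value(value, wanted):
    """KQL field:"x" holds for a scalar equal to x or a multi-valued field containing x."""
    return wanted in value if isinstance(value, list) else value == wanted

def matches_rule(event):
    """True when a flattened ECS event satisfies every clause of the rule query."""
    exe = event.get("process.executable")
    return (isinstance(exe, str)  # process.executable:* requires the field to be present
            and has_value(event.get("host.os.type"), "linux")
            and has_value(event.get("event.category"), "network")
            and has_value(event.get("event.action"), "connected-to")
            and has_value(event.get("network.direction"), "egress")
            and event.get("destination.address") in RUNTIME_SOCKETS
            and not any(fnmatch.fnmatchcase(exe, pat) for pat in ALLOWED_EXECUTABLES))

def ecs_event(exe, sock):
    """Constructed event of the shape Auditd Manager emits for a Unix-socket connect."""
    return {"host.os.type": "linux", "event.category": ["network"], "event.action": "connected-to",
            "network.direction": "egress", "destination.address": sock, "process.executable": exe}

SAMPLE_EVENTS = [  # constructed telemetry, all paths made up
    ecs_event("/usr/bin/curl", "/var/run/docker.sock"),                            # alerts
    ecs_event("/usr/bin/kubelet", "/run/containerd/containerd.sock"),              # excluded
    ecs_event("/var/lib/placeholder-distro/usr/bin/dockerd", "/run/docker.sock"),  # wildcard excluded
    ecs_event("/usr/bin/python3", "/tmp/app.sock"),                                # not a runtime socket
    ecs_event("/usr/bin/docker", "/var/run/docker.sock"),                          # docker CLI is not excluded
]

def alerting_executables(events=SAMPLE_EVENTS):
    """process.executable of every event the rule would alert on."""
    return [e["process.executable"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    print(alerting_executables())  # ['/usr/bin/curl', '/usr/bin/docker']
```

Note that the `docker` CLI itself is not in the exclusion list, so interactive administrator use on the host fires the rule; that is the kind of noise the false-positives guidance above says to tune by `process.executable` or `user.name`.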
Related rules
- Docker Socket Enumeration
- Kubectl Permission Discovery
- Kubernetes Direct API Request via Curl or Wget
- Pod or Container Creation with Suspicious Command-Line
- Potential Impersonation Attempt via Kubectl