
Unusual Process Connection to Docker or Containerd Socket

Status: production
Severity: medium
Time window: 9m
Author: Elastic
Source: github.com/elastic/detection-rules

Detects a process connecting to a container runtime Unix socket (containerd or Docker) that is not a known legitimate runtime component. Direct access to the container runtime socket allows an attacker to create, exec into, or manipulate containers without going through the Kubernetes API server, bypassing RBAC, admission webhooks, pod security standards, and Kubernetes audit logging entirely.

MITRE ATT&CK coverage

- Discovery (TA0007): T1613 Container and Resource Discovery
- Privilege Escalation (TA0004): T1611 Escape to Host
- Lateral Movement (TA0008): T1550 Use Alternate Authentication Material

Rule body

[metadata]
creation_date = "2026/04/29"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2026/04/29"

[rule]
author = ["Elastic"]
description = """
Detects a process connecting to a container runtime Unix socket (containerd or Docker) that is not a known legitimate
runtime component. Direct access to the container runtime socket allows an attacker to create, exec into, or manipulate
containers without going through the Kubernetes API server, bypassing RBAC, admission webhooks, pod security standards,
and Kubernetes audit logging entirely.
"""
false_positives = [
    """
    Custom container tooling, CI agents, or monitoring may connect to docker.sock or containerd.sock from non-standard
    paths after relocation or bind mounts. Tune by process.executable or user.name when noise is high.
    """,
]
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Process Connection to Docker or Containerd Socket"
note = """## Triage and analysis

### Investigating Unusual Process Connection to Docker or Containerd Socket

Review the initiating process executable, user, and parent chain. Confirm whether the socket path is the host default
or a bind-mounted path inside a container. Pivot on the same host for subsequent container creation, image pulls, or
credential access.

### Possible investigation steps

- Map `process.executable`, `process.args`, `process.title` and `user.id` to an identity and session (SSH, cron, web shell).
- Check file permissions on the socket path and whether the workload should have access at all.
- Correlate with process and authentication telemetry before and after the connection.

### False positive analysis

- Vendor agents that wrap docker or containerd CLIs from non-standard install locations may match; add explicit
  exclusions for known binaries.

### Response and remediation

- If malicious, isolate the host, revoke credentials, inspect for rogue containers and persistence, and restrict socket
  permissions to trusted groups only.
"""
references = [
    "https://attack.mitre.org/techniques/T1611/",
    "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation",
]
risk_score = 47
rule_id = "d70c966f-c5ef-4228-9548-346593cd422d"
setup = """## Setup

This rule requires **Auditd Manager** (or Auditbeat) process and **network** events where Unix socket paths populate
`destination.address` (or equivalent ECS mapping from your pipeline).

### Auditd Manager: network and socket visibility

Enable auditing of socket-related activity so `event.category:network` and `event.action:connected-to` (or your
pipeline’s equivalent) are emitted for `connect` to Unix sockets. Example audit rules to extend as needed:

```
# 64-bit connect (required for socket connection telemetry)
-a always,exit -F arch=b64 -S connect -k netconn

# 32-bit (if applicable)
-a always,exit -F arch=b32 -S connect -k netconn
```

After deployment, confirm in Discover that events for connections to
`/var/run/docker.sock`, `/run/docker.sock`, or containerd socket paths include `process.executable` and
`destination.address` fields used by this rule.

For more details on the integration refer to the [Auditd Manager documentation](https://docs.elastic.co/integrations/auditd_manager).
"""
severity = "medium"
tags = [
    "Data Source: Auditd Manager",
    "Domain: Endpoint",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Tactic: Privilege Escalation",
    "Tactic: Lateral Movement",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
host.os.type:"linux" and 
event.category:"network" and
event.action:"connected-to" and network.direction:"egress" and 
destination.address:("/run/containerd/containerd.sock" or "/var/run/containerd/containerd.sock" or "/var/run/docker.sock" or "/run/docker.sock") and
process.executable:(* and not 
  ("/usr/bin/kubelet" or
  "/usr/local/bin/kubelet" or
  "/usr/bin/containerd" or
  "/usr/sbin/containerd" or
  "/usr/bin/containerd-shim" or
  "/usr/bin/containerd-shim-runc-v2" or
  "/usr/local/bin/containerd-shim-runc-v2" or
  "/usr/bin/dockerd" or
  "/usr/sbin/dockerd" or  
   /var/lib/*/usr/bin/dockerd or 
  "/usr/bin/docker-proxy")
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
reference = "https://attack.mitre.org/techniques/T1613/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"
 
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
 
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
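The setup section of the rule body explains that the detection depends on the `connect` syscall being audited so that the Unix socket path lands in `destination.address`. The following Python, added here as an illustration and not part of the Elastic rule or the Auditd Manager integration, shows where that value comes from: it parses constructed auditd SYSCALL and SOCKADDR records for a `connect()` call, decodes the hex-encoded `saddr` into a path (AF_UNIX) or an IP and port (AF_INET), and emits one flat event keyed by the ECS field names the query uses. The sample records, the little-endian x86_64 host, and every field assignment other than `destination.address` (which the page names) are assumptions about how the integration maps audit data.

```python
import re
import struct
from collections import defaultdict

AF_UNIX, AF_INET = 1, 2
SYS_CONNECT_X86_64 = "42"   # connect(2) number for arch=c000003e (x86_64) only

# Constructed sample records in the shape auditd writes to audit.log when the
# setup section's "-S connect -k netconn" rule fires. Records that share a
# serial (4711, 4712) belong to one syscall event.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1714400000.123:4711): arch=c000003e syscall=42 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 comm="curl" exe="/usr/bin/curl" key="netconn"
type=SOCKADDR msg=audit(1714400000.123:4711): saddr=01002F7661722F72756E2F646F636B65722E736F636B00
type=SYSCALL msg=audit(1714400000.456:4712): arch=c000003e syscall=42 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="dockerd" exe="/usr/bin/dockerd" key="netconn"
type=SOCKADDR msg=audit(1714400000.456:4712): saddr=020001BB5DB8D8220000000000000000
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into its type, timestamp, serial and key=value fields."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), **fields}


def decode_saddr(saddr_hex):
    """Decode the raw struct sockaddr that auditd hex-encodes in SOCKADDR records."""
    raw = bytes.fromhex(saddr_hex)
    # sa_family is a 16-bit integer in host byte order; little-endian assumed (x86_64).
    family = struct.unpack("<H", raw[:2])[0]
    if family == AF_UNIX:
        path = raw[2:].split(b"\x00", 1)[0]          # sun_path, NUL-terminated
        return {"family": "unix", "address": path.decode("utf-8", "replace")}
    if family == AF_INET:
        port = struct.unpack("!H", raw[2:4])[0]       # sin_port, network byte order
        ip = ".".join(str(b) for b in raw[4:8])       # sin_addr
        return {"family": "ipv4", "address": ip, "port": port}
    return {"family": "unknown(%d)" % family}


def audit_to_ecs(text):
    """Group records by serial and emit one flat ECS-style event per successful connect()."""
    by_serial = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]][rec["type"]] = rec
    events = []
    for serial, recs in sorted(by_serial.items()):
        sc, sa = recs.get("SYSCALL"), recs.get("SOCKADDR")
        # Only successful connect() calls become "connected-to" events here;
        # failed attempts are dropped rather than given an invented action name.
        if not sc or not sa or sc.get("syscall") != SYS_CONNECT_X86_64 or sc.get("success") != "yes":
            continue
        addr = decode_saddr(sa["saddr"])
        ev = {
            "@timestamp": sc["ts"],
            "host.os.type": "linux",
            "event.category": "network",
            "event.action": "connected-to",
            "network.direction": "egress",          # assumed for outbound connect()
            "process.pid": int(sc["pid"]),
            "process.executable": sc.get("exe"),     # auditd may hex-encode exe on odd chars; not handled
            "user.id": sc.get("uid"),
            "destination.address": addr.get("address"),
            "audit.serial": serial,
        }
        if "port" in addr:
            ev["destination.port"] = addr["port"]
        events.append(ev)
    return events


if __name__ == "__main__":
    for ev in audit_to_ecs(SAMPLE_AUDIT_LOG):
        print(ev["process.executable"], "->", ev["destination.address"], ev.get("destination.port", ""))
```

The first sample decodes to `/var/run/docker.sock`, one of the four paths the query lists; the second is an ordinary TCP connect and decodes to an IP and port, which the rule never matches. Confirming that your pipeline produces the Unix path in `destination.address` (rather than leaving it empty or hex-encoded) is the check the setup section asks for before enabling the rule.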

Stages and Predicates

Stage 1: query

host.os.type:"linux" and 
event.category:"network" and
event.action:"connected-to" and network.direction:"egress" and 
destination.address:("/run/containerd/containerd.sock" or "/var/run/containerd/containerd.sock" or "/var/run/docker.sock" or "/run/docker.sock") and
process.executable:(* and not 
  ("/usr/bin/kubelet" or
  "/usr/local/bin/kubelet" or
  "/usr/bin/containerd" or
  "/usr/sbin/containerd" or
  "/usr/bin/containerd-shim" or
  "/usr/bin/containerd-shim-runc-v2" or
  "/usr/local/bin/containerd-shim-runc-v2" or
  "/usr/bin/dockerd" or
  "/usr/sbin/dockerd" or  
   /var/lib/*/usr/bin/dockerd or 
  "/usr/bin/docker-proxy")
)

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field               Kind      Excluded value
process.executable  eq        /usr/bin/containerd
process.executable  eq        /usr/bin/containerd-shim
process.executable  eq        /usr/bin/containerd-shim-runc-v2
process.executable  eq        /usr/bin/docker-proxy
process.executable  eq        /usr/bin/dockerd
process.executable  eq        /usr/bin/kubelet
process.executable  eq        /usr/local/bin/containerd-shim-runc-v2
process.executable  eq        /usr/local/bin/kubelet
process.executable  eq        /usr/sbin/containerd
process.executable  eq        /usr/sbin/dockerd
process.executable  wildcard  /var/lib/*/usr/bin/dockerd

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field                Kind         Values
destination.address  in           • /run/containerd/containerd.sock
                                  • /run/docker.sock
                                  • /var/run/containerd/containerd.sock
                                  • /var/run/docker.sock
event.action         eq           • connected-to
event.category       eq           • network
network.direction    eq           • egress
process.executable   is_not_null  • (no value, null check)
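To make the query, the exclusions and the indicators above concrete, here is a Python re-implementation of the rule's predicate, added as an example and not taken from the Elastic rule set. It applies the query's conditions to constructed ECS-style events and reproduces the one subtlety in the exclusion list: `/var/lib/*/usr/bin/dockerd` is unquoted in KQL, so its `*` is a wildcard that also spans path separators, which `fnmatchcase` matches the same way. The last sample shows the gap the triage note and the false-positive text describe from the other side: a socket reached through a non-default (bind-mounted) path is outside the exact-match list and does not alert. All sample executables and paths are constructed.

```python
from fnmatch import fnmatchcase

# Values copied from the rule's query.
RUNTIME_SOCKETS = {
    "/run/containerd/containerd.sock",
    "/var/run/containerd/containerd.sock",
    "/var/run/docker.sock",
    "/run/docker.sock",
}
KNOWN_RUNTIME_BINARIES = [
    "/usr/bin/kubelet",
    "/usr/local/bin/kubelet",
    "/usr/bin/containerd",
    "/usr/sbin/containerd",
    "/usr/bin/containerd-shim",
    "/usr/bin/containerd-shim-runc-v2",
    "/usr/local/bin/containerd-shim-runc-v2",
    "/usr/bin/dockerd",
    "/usr/sbin/dockerd",
    "/var/lib/*/usr/bin/dockerd",   # unquoted in KQL: '*' is a wildcard
    "/usr/bin/docker-proxy",
]


def is_known_runtime_component(executable):
    # A KQL wildcard on a keyword field spans any characters, '/' included,
    # exactly as fnmatchcase's '*' does. The quoted entries contain no
    # metacharacters, so for them fnmatchcase is a plain string comparison.
    return any(fnmatchcase(executable, pattern) for pattern in KNOWN_RUNTIME_BINARIES)


def rule_matches(event):
    """Evaluate the rule's KQL predicate over one flat ECS-style dict."""
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.category") != "network" or event.get("event.action") != "connected-to":
        return False
    if event.get("network.direction") != "egress":
        return False
    if event.get("destination.address") not in RUNTIME_SOCKETS:
        return False
    executable = event.get("process.executable")
    if executable is None:          # 'process.executable:*' is a null check
        return False
    return not is_known_runtime_component(executable)


def _event(executable, address):
    """Constructed sample event carrying just the fields the query reads."""
    ev = {"host.os.type": "linux", "event.category": "network",
          "event.action": "connected-to", "network.direction": "egress",
          "destination.address": address}
    if executable is not None:
        ev["process.executable"] = executable
    return ev


SAMPLE_EVENTS = [
    ("curl-to-docker-sock",   _event("/usr/bin/curl", "/var/run/docker.sock")),
    ("dockerd-default-path",  _event("/usr/bin/dockerd", "/var/run/docker.sock")),
    ("dockerd-relocated",     _event("/var/lib/example/usr/bin/dockerd", "/run/docker.sock")),
    ("python-to-containerd",  _event("/usr/bin/python3", "/run/containerd/containerd.sock")),
    ("unrelated-unix-socket", _event("/usr/bin/curl", "/run/systemd/notify")),
    ("missing-executable",    _event(None, "/var/run/docker.sock")),
    ("bind-mounted-path",     _event("/usr/bin/curl", "/host/var/run/docker.sock")),
]


def evaluate(events=SAMPLE_EVENTS):
    """Return {sample name: True if the rule would alert}."""
    return {name: rule_matches(ev) for name, ev in events}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print("%-22s %s" % (name, "ALERT" if hit else "-"))
```

Only `curl-to-docker-sock` and `python-to-containerd` alert. `dockerd-relocated` is silent because the wildcard entry absorbs it, which is the same reason the false-positive guidance suggests tuning by `process.executable` rather than widening the socket list: every wildcard added to the exclusion side is a path an attacker-controlled binary could also occupy. The `bind-mounted-path` result shows that coverage of relocated sockets has to come from the environment's own known paths being added to `destination.address`, not from this rule as shipped.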