Description: This query looks for Docker daemon TCP sockets in the listening state. If not adequately protected, these sockets are vulnerable to attacks, including the Doki malware. By default, Docker does not open a TCP socket.
What The Data Shows: This query shows any listening TCP sockets opened by a binary whose path matches the pattern "%docker%". Any results should be investigated for proper configuration and security controls.
SELECT l.port, p.pid, p.path, p.cmdline
FROM listening_ports AS l JOIN processes AS p ON p.pid = l.pid
WHERE p.path LIKE '%docker%' AND l.port != 0;
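
A triage variant of the query above, added here as an example and not part of the original query pack: it adds the bind address and two hint columns so that results can be ranked before investigation. The process names dockerd and docker-proxy and the --tlsverify flag are assumed from a stock Docker Engine install; TLS can also be set in daemon.json, so the tls_hint column is a starting point, not a verdict.

```sql
-- Added example: same match as the original query, with context for triage.
SELECT
  l.address,
  l.port,
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  -- Which Docker binary owns the socket. docker-proxy rows are published
  -- container ports, not the daemon API (assumed default process names).
  CASE
    WHEN p.name = 'dockerd'      THEN 'daemon API socket'
    WHEN p.name = 'docker-proxy' THEN 'published container port'
    ELSE 'other docker binary'
  END AS socket_role,
  -- Loopback binds are reachable only from the host itself.
  CASE
    WHEN l.address LIKE '127.%' OR l.address = '::1' THEN 'loopback only'
    ELSE 'reachable from network interfaces'
  END AS exposure,
  -- Command-line hint only; daemon.json may also enable TLS.
  CASE
    WHEN p.cmdline LIKE '%--tlsverify%' THEN 'tlsverify on command line'
    ELSE 'no tlsverify on command line, check daemon.json'
  END AS tls_hint
FROM listening_ports AS l
JOIN processes AS p ON p.pid = l.pid
WHERE p.path LIKE '%docker%'
  AND l.protocol = 6   -- IANA protocol number for TCP
  AND l.port != 0
ORDER BY socket_role, exposure DESC, l.port;
```

Rows with socket_role 'daemon API socket', exposure 'reachable from network interfaces' and no tlsverify hint are the ones to investigate first.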