Built off the open source project osquery
Description: This query looks for Docker daemon processes that are listening on TCP sockets. By default the daemon serves its API only on the local Unix socket (/var/run/docker.sock); it opens a TCP listener only when configured to, for example with `-H tcp://0.0.0.0:2375` on the command line or a "hosts" entry in /etc/docker/daemon.json. An API listener reachable over TCP without TLS client authentication gives anyone who can connect root-equivalent control of the host, and such exposed daemons have been abused by malware campaigns including Doki.
What The Data Shows: This query returns every TCP listening port owned by a process whose binary path contains "docker". Results include the daemon's own API listener (conventionally port 2375 for plaintext and 2376 for TLS) as well as docker-proxy processes that publish container ports to the host, so use the cmdline column to tell the two apart. Any daemon API listener should be investigated: confirm that it is bound only to trusted addresses and that it requires TLS client certificates (--tlsverify), or remove the TCP host entirely.
SQL:
SELECT l.port, l.address, p.pid, p.path, p.cmdline
FROM listening_ports AS l
JOIN processes AS p ON p.pid = l.pid
WHERE p.path LIKE '%docker%'
  AND l.protocol = 6   -- TCP only; listening_ports also reports UDP (17) and other socket types
  AND l.port != 0;     -- drop entries that report port 0, such as Unix sockets like /var/run/docker.sock
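The query run against constructed data, as an added example that is not part of the original page or of osquery itself. It uses Python's standard-library sqlite3 module, since osquery's SQL dialect is SQLite, to load sample processes and listening_ports rows (constructed here, not captured from a real host), narrows the page's query to TCP, and adds a CASE expression that separates the daemon's API listener from docker-proxy port publications. The column set and the --tlsverify heuristic are assumptions made for this example.

```python
import sqlite3

# Constructed sample rows modelled on osquery's processes and listening_ports
# tables (only the columns the query uses). Not output from a real host.
PROCESSES = [
    # (pid, name, path, cmdline)
    (1201, "dockerd", "/usr/bin/dockerd",
     "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"),
    (1340, "docker-proxy", "/usr/bin/docker-proxy",
     "/usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8080 "
     "-container-ip 172.17.0.2 -container-port 80"),
    (1341, "docker-proxy", "/usr/bin/docker-proxy",
     "/usr/bin/docker-proxy -proto udp -host-ip 0.0.0.0 -host-port 5353 "
     "-container-ip 172.17.0.3 -container-port 53"),
    (1400, "containerd", "/usr/bin/containerd", "/usr/bin/containerd"),
    (1500, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
]

LISTENING_PORTS = [
    # (pid, port, protocol, address, path); protocol 6 = TCP, 17 = UDP.
    # The port-0 row stands in for the daemon's Unix socket, which is why
    # the page's query filters on port != 0.
    (1201, 2375, 6, "0.0.0.0", ""),
    (1201, 0, 0, "", "/var/run/docker.sock"),
    (1340, 8080, 6, "0.0.0.0", ""),
    (1341, 5353, 17, "0.0.0.0", ""),
    (1500, 22, 6, "0.0.0.0", ""),
]

# The page's query, restricted to TCP and extended with a CASE that labels what
# each listener is. The --tlsverify check is a heuristic (an assumption of this
# example): settings placed in /etc/docker/daemon.json do not appear in cmdline,
# so a "no --tlsverify" match still has to be confirmed on the host.
QUERY = """
SELECT l.port, l.address, p.pid, p.name, p.cmdline,
       CASE
         WHEN p.name = 'dockerd' AND p.cmdline NOT LIKE '%--tlsverify%'
           THEN 'daemon API on TCP, no --tlsverify on cmdline'
         WHEN p.name = 'dockerd'
           THEN 'daemon API on TCP with --tlsverify'
         WHEN p.name = 'docker-proxy'
           THEN 'published container port'
         ELSE 'other docker binary'
       END AS finding
FROM listening_ports AS l
JOIN processes AS p ON p.pid = l.pid
WHERE p.path LIKE '%docker%'
  AND l.protocol = 6
  AND l.port != 0
ORDER BY l.port
"""


def build_db(processes=PROCESSES, listening_ports=LISTENING_PORTS):
    """Load the sample rows into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, cmdline TEXT)")
    con.execute("CREATE TABLE listening_ports (pid INTEGER, port INTEGER, "
                "protocol INTEGER, address TEXT, path TEXT)")
    con.executemany("INSERT INTO processes VALUES (?, ?, ?, ?)", processes)
    con.executemany("INSERT INTO listening_ports VALUES (?, ?, ?, ?, ?)", listening_ports)
    return con


def find_docker_listeners(processes=PROCESSES, listening_ports=LISTENING_PORTS):
    """Run QUERY and return one dict per matching TCP listener."""
    con = build_db(processes, listening_ports)
    cur = con.execute(QUERY)
    cols = [d[0] for d in cur.description]
    rows = [dict(zip(cols, r)) for r in cur.fetchall()]
    con.close()
    return rows


if __name__ == "__main__":
    for row in find_docker_listeners():
        print(f"{row['address']}:{row['port']} pid={row['pid']} "
              f"{row['name']}: {row['finding']}")
```

On the constructed data only two rows survive: the dockerd API listener on 2375 (flagged because no --tlsverify appears on its cmdline) and the docker-proxy publication on 8080. The UDP docker-proxy, the Unix socket row, containerd and sshd are all dropped by the protocol, port and path filters, which is the behaviour you want before raising an alert on an exposed daemon.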
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.