Audit docker TCP API sockets (re Doki malware)

Description: This query looks for Docker daemon TCP sockets that are in a listening state. By default the Docker daemon (dockerd) serves its API only on a local Unix socket (/var/run/docker.sock); a TCP listener exists only if someone configured one, for example with -H tcp://0.0.0.0:2375 or a "hosts" entry in daemon.json. An API socket that is reachable from the network without client authentication gives anyone who can connect to it full control of the host's containers, and publicly exposed Docker API ports are exactly what the Doki malware campaign abused. Any TCP listener the query finds should therefore be a deliberate configuration that is protected by TLS client authentication and network restrictions.

What The Data Shows: The query returns every listening TCP socket owned by a process whose binary path contains "docker", together with the port, PID, path and command line. Note that this matches more than the daemon itself: docker-proxy, which also lives under a docker path, binds published container ports, so on a host running containers expect one row per published port. The rows to scrutinise are those from dockerd, typically on 2375 (plaintext API) or 2376 (TLS API); for each, confirm that the bind address is intended, that --tlsverify (or the equivalent daemon.json setting) is in effect, and that network access to the port is restricted.

SQL:

SELECT l.port, l.address, p.pid, p.path, p.cmdline
  FROM listening_ports AS l
       JOIN processes AS p ON p.pid = l.pid
 WHERE p.path LIKE '%docker%'
   AND l.protocol = 6   -- TCP only; listening_ports also reports UDP (17)
   AND l.port != 0;

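The following refinement is an added example, not the original community query: it keeps the same data sources but labels each row so that dockerd's own listeners are separated from docker-proxy's published container ports, flags sockets bound to all interfaces, and notes whether --tlsverify appears on the daemon command line. It assumes osquery's listening_ports and processes schema and the usual binary names dockerd and docker-proxy; the path patterns are assumptions to adjust for your distribution.

```sql
-- Added example (not the original query): classify Docker TCP listeners.
-- Assumes osquery tables listening_ports and processes, and binaries named
-- dockerd and docker-proxy (assumed paths; adjust for your distribution).
SELECT
  l.port,
  l.address,
  p.pid,
  p.path,
  p.cmdline,
  -- dockerd owns the API socket (and swarm ports); docker-proxy only
  -- forwards published container ports and is not the API exposure.
  CASE
    WHEN p.path LIKE '%/dockerd'      THEN 'dockerd listener'
    WHEN p.path LIKE '%/docker-proxy' THEN 'published container port'
    ELSE 'other docker binary'
  END AS role,
  -- A wildcard bind means the socket is reachable from every interface.
  CASE
    WHEN l.address IN ('0.0.0.0', '::') THEN 'all interfaces'
    ELSE 'specific address'
  END AS exposure,
  -- Port 2376 is the conventional TLS port, but the port number alone does
  -- not prove client authentication is enforced; check the daemon flags.
  CASE
    WHEN p.cmdline LIKE '%--tlsverify%' THEN 'tlsverify on cmdline'
    ELSE 'no --tlsverify on cmdline'
  END AS tls_flag
FROM listening_ports AS l
JOIN processes AS p ON p.pid = l.pid
WHERE p.path LIKE '%docker%'
  AND l.protocol = 6        -- TCP only; listening_ports also reports UDP (17)
  AND l.port != 0
ORDER BY role, l.port;
```

Two caveats when reading the results. The tls_flag column only sees command-line flags, so a daemon whose TLS settings live in /etc/docker/daemon.json will show as "no --tlsverify on cmdline" even when TLS is enforced; treat that column as a prompt to read the daemon configuration, not as a verdict. Also, a dockerd listener on 2377 or 7946 is swarm cluster traffic rather than the API socket, so it should be assessed separately from rows on 2375 or 2376.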
1 Comment
jnelson
Carbon Black Employee
Status changed to: Approved