Audit docker TCP API sockets (re Doki malware)

Description: This query looks for listening Docker daemon TCP sockets. If not adequately protected, these sockets are exposed to attacks including the Doki malware. By default, Docker does not open a TCP socket.

What The Data Shows: This query shows any listening TCP sockets owned by a process whose binary path contains "%docker%". Any results should be investigated to confirm proper configuration and security controls.



-- Listening TCP ports whose owning process binary path contains "docker".
-- The original had a stray comma after l.port and no join condition;
-- listening_ports joins to processes on pid.
SELECT l.port, l.address, p.pid, p.path, p.cmdline
  FROM listening_ports AS l
       LEFT JOIN processes AS p ON l.pid = p.pid
 WHERE p.path LIKE '%docker%'
   AND l.port != 0;
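Triage helper for the p.cmdline values the query returns, as an added example that is not part of the original post. It assumes the daemon was configured through dockerd flags (-H/--host, --tlsverify) rather than daemon.json, and rates a TCP API listener as high risk when it is bound to a non-loopback address without TLS client verification.

```python
import shlex
from dataclasses import dataclass, field

# Added example (not part of the original post): classify a dockerd command
# line, as returned by the query's p.cmdline column, by how its API is exposed.


@dataclass
class DockerApiExposure:
    tcp_hosts: list = field(default_factory=list)  # tcp://host:port entries
    tls_verify: bool = False                        # --tlsverify present?
    risk: str = "none"                              # none | low | high


def parse_hosts(argv):
    """Collect every -H / --host value from dockerd's argument vector."""
    hosts = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        for prefix in ("-H=", "--host="):
            if arg.startswith(prefix):
                hosts.append(arg[len(prefix):])
        i += 1
    return hosts


def classify_docker_cmdline(cmdline):
    """Return a DockerApiExposure for one dockerd command line."""
    argv = shlex.split(cmdline)
    result = DockerApiExposure()
    result.tls_verify = "--tlsverify" in argv or "--tlsverify=true" in argv
    for host in parse_hosts(argv):
        # dockerd treats a scheme-less -H value (e.g. 0.0.0.0:2375) as tcp.
        if "://" not in host and not host.startswith("/"):
            host = "tcp://" + host
        if host.startswith("tcp://"):
            result.tcp_hosts.append(host)
    if not result.tcp_hosts:
        result.risk = "none"      # unix/fd socket only: the expected default
    elif result.tls_verify:
        result.risk = "low"       # TCP, but client certificates are required
    else:
        bound = [h[len("tcp://"):].rsplit(":", 1)[0] for h in result.tcp_hosts]
        loopback = all(b in ("127.0.0.1", "localhost", "[::1]") for b in bound)
        result.risk = "low" if loopback else "high"   # "" means all interfaces
    return result
```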


1 Comment
Carbon Black Employee
Status changed to: Approved