Threat Feed

Docker

7 briefs
high advisory

Kubernetes and Cloud Credential Path Access via Process Arguments

This rule detects Linux process executions that access high-value Kubernetes service-account material, kubeconfig or node PKI paths, or common cloud credential files, potentially indicating credential theft in in-cluster and hybrid environments.

Amazon EKS +6 credential-access threat-detection kubernetes cloud linux
medium threat

Multiple Vulnerabilities in Docker Allow Privilege Escalation and DoS

Multiple vulnerabilities in Docker allow a local attacker to execute arbitrary code with administrator privileges, cause a denial-of-service condition, or manipulate data.

Docker vulnerability privilege-escalation denial-of-service
high threat

Docker Race Condition Allows Bind Mount Redirection to Host Path (CVE-2026-42306)

A race condition in Docker's `docker cp` command allows a malicious container to redirect a bind mount target to an arbitrary host path by manipulating symlinks during the setup of temporary filesystem views, potentially overwriting host files or causing denial of service.

docker/docker +2 privilege-escalation defense-evasion docker
critical advisory

Portainer Missing Authorization on Docker Plugin Endpoints Leads to Host RCE (CVE-2026-44848)

Portainer versions 2.33.0 through 2.33.7, 2.39.0 through 2.39.1, and 2.40.0 expose a missing-authorization vulnerability (CVE-2026-44848) on the Docker plugin management endpoints. A non-admin user with access to a Docker endpoint can install and enable arbitrary Docker plugins from any registry, ultimately gaining root privileges on the Docker host and unauthorized file system access.

Portainer +3 privilege-escalation execution CVE-2026-44848
medium threat

Kerberos Traffic from Unusual Process

Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.

Elastic Defend +22 kerberoasting credential-access lateral-movement windows
medium advisory

Unusual Process Connecting to Docker or Containerd Socket

An unusual process connecting to a container runtime Unix socket, such as the Docker or containerd socket, can indicate an attacker attempting to bypass Kubernetes security controls in order to manipulate containers directly.

Auditbeat +4 container privilege-escalation lateral-movement linux
high advisory

Suspicious Process Accessing Sensitive Identity Files via Auditd

This rule detects suspicious processes, such as copy utilities or scripting tools, accessing sensitive identity files on Linux systems, including Kubernetes tokens, cloud CLI configurations, and root SSH keys, indicating potential credential theft.

Elastic Agent Auditd Manager +4 credential-access linux auditd