LoFP / Custom container tooling, CI agents, or monitoring daemons may connect to docker.sock or containerd.sock from non-standard executable paths after a relocation or bind mount. Tune by process.executable or user.name when noise is high.

Techniques

Sample rules

Unusual Process Connection to Docker or Containerd Socket

Description

Detects a process connecting to a container runtime Unix socket (containerd or Docker) that is not one of the known legitimate runtime components listed in the detection logic. Direct access to the runtime socket lets an attacker create, exec into, or otherwise manipulate containers without going through the Kubernetes API server, bypassing RBAC, admission webhooks, pod security standards, and Kubernetes audit logging entirely; because the runtime daemon runs as root, socket access is effectively root on the node.

Detection logic

host.os.type:"linux" and
event.category:"network" and
event.action:"connected-to" and network.direction:"egress" and
destination.address:("/run/containerd/containerd.sock" or "/var/run/containerd/containerd.sock" or "/var/run/docker.sock" or "/run/docker.sock") and
process.executable:(* and not
  ("/usr/bin/kubelet" or
   "/usr/local/bin/kubelet" or
   "/usr/bin/containerd" or
   "/usr/sbin/containerd" or
   "/usr/bin/containerd-shim" or
   "/usr/bin/containerd-shim-runc-v2" or
   "/usr/local/bin/containerd-shim-runc-v2" or
   "/usr/bin/dockerd" or
   "/usr/sbin/dockerd" or
   /var/lib/*/usr/bin/dockerd or
   "/usr/bin/docker-proxy")
)
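To show how the rule above behaves, and where the tuning described in the false-positive note fits, here is an added Python re-implementation of its logic run over constructed sample events. This is example code written for this page, not part of the rule or of any SIEM. The events are constructed and use flattened dotted ECS field names for readability (real documents nest them); the `extra_allowed_executables` and `allowed_users` parameters are hypothetical tuning knobs that stand in for the process.executable / user.name exclusions the note suggests, and the relocated dockerd path and CI agent path are invented.

```python
import fnmatch

# Socket paths and the legitimate runtime executables, copied from the rule.
RUNTIME_SOCKETS = {
    "/run/containerd/containerd.sock",
    "/var/run/containerd/containerd.sock",
    "/var/run/docker.sock",
    "/run/docker.sock",
}

KNOWN_RUNTIME_EXECUTABLES = [
    "/usr/bin/kubelet",
    "/usr/local/bin/kubelet",
    "/usr/bin/containerd",
    "/usr/sbin/containerd",
    "/usr/bin/containerd-shim",
    "/usr/bin/containerd-shim-runc-v2",
    "/usr/local/bin/containerd-shim-runc-v2",
    "/usr/bin/dockerd",
    "/usr/sbin/dockerd",
    "/var/lib/*/usr/bin/dockerd",  # the one wildcard entry in the rule (unquoted in KQL)
    "/usr/bin/docker-proxy",
]


def executable_is_known(path: str) -> bool:
    """True if the executable matches an allow-listed runtime binary (KQL '*' matches '/')."""
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in KNOWN_RUNTIME_EXECUTABLES)


def matches_rule(event: dict, extra_allowed_executables=(), allowed_users=()) -> bool:
    """Return True if the event would fire the rule.

    extra_allowed_executables and allowed_users are hypothetical tuning
    exclusions (not in the published rule) for the noisy environments the
    false-positive note describes.
    """
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.category") != "network":
        return False
    if event.get("event.action") != "connected-to":
        return False
    if event.get("network.direction") != "egress":
        return False
    if event.get("destination.address") not in RUNTIME_SOCKETS:
        return False
    exe = event.get("process.executable")
    if not exe:
        # process.executable:* requires the field to exist; events without it never match.
        return False
    if executable_is_known(exe):
        return False
    if any(fnmatch.fnmatchcase(exe, p) for p in extra_allowed_executables):
        return False
    if event.get("user.name") in allowed_users:
        return False
    return True


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "evt-1", "host.os.type": "linux", "event.category": "network", "event.action": "connected-to",
     "network.direction": "egress", "destination.address": "/var/run/docker.sock",
     "process.executable": "/usr/bin/dockerd", "user.name": "root"},
    # curl from inside a pod with the host socket mounted: the classic abuse pattern.
    {"id": "evt-2", "host.os.type": "linux", "event.category": "network", "event.action": "connected-to",
     "network.direction": "egress", "destination.address": "/var/run/docker.sock",
     "process.executable": "/usr/bin/curl", "user.name": "root"},
    # dockerd relocated under /var/lib: covered by the rule's wildcard entry.
    {"id": "evt-3", "host.os.type": "linux", "event.category": "network", "event.action": "connected-to",
     "network.direction": "egress", "destination.address": "/run/docker.sock",
     "process.executable": "/var/lib/snapd/hostfs/usr/bin/dockerd", "user.name": "root"},
    # Hypothetical CI agent talking to containerd: fires until tuned out.
    {"id": "evt-4", "host.os.type": "linux", "event.category": "network", "event.action": "connected-to",
     "network.direction": "egress", "destination.address": "/run/containerd/containerd.sock",
     "process.executable": "/opt/ci/agent/bin/runner", "user.name": "ci"},
    # No process.executable field at all: excluded by process.executable:*.
    {"id": "evt-5", "host.os.type": "linux", "event.category": "network", "event.action": "connected-to",
     "network.direction": "egress", "destination.address": "/run/containerd/containerd.sock"},
    # Ordinary TCP egress, not a runtime socket.
    {"id": "evt-6", "host.os.type": "linux", "event.category": "network", "event.action": "connected-to",
     "network.direction": "egress", "destination.address": "10.0.0.5",
     "process.executable": "/usr/bin/curl", "user.name": "root"},
]


def run_sample(extra_allowed_executables=(), allowed_users=()):
    """IDs of the sample events that fire the rule under the given tuning."""
    return [e["id"] for e in SAMPLE_EVENTS
            if matches_rule(e, extra_allowed_executables, allowed_users)]


if __name__ == "__main__":
    print("untuned:", run_sample())
    print("CI agent excluded by path:", run_sample(extra_allowed_executables=("/opt/ci/agent/bin/*",)))
    print("CI agent excluded by user:", run_sample(allowed_users=("ci",)))
```

Note that tuning by executable path is the safer of the two knobs: excluding `user.name:root` would suppress exactly the case the rule exists for, since most runtime-socket abuse runs as root.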