Uses the Docker UNIX socket to export a Docker image to a tempfile and upload to Velociraptor.
Analysis Tips:
- https://jellyparks.com/posts/compromised-container-analysis-primer/
#docker
name: Docker.Image.Export
author: Brady Semm - @btsemm / DoppioRistretto
description: |
Uses the Docker UNIX socket to export a Docker image to a
tempfile and upload to Velociraptor.
Analysis Tips:
- https://jellyparks.com/posts/compromised-container-analysis-primer/
#docker
parameters:
- name: dockerSocket
description: |
Docker server socket. You will normally need to be root to connect.
default: /var/run/docker.sock
- name: ImageNameOrID
description: |
Docker Image name or ID to export. Can include tag (eg. "image:latest")
default: empty
sources:
- precondition: |
SELECT OS From info() where OS = 'darwin' OR OS = 'linux'
query: |
LET EncodedImageNameOrID = regex_replace(source=ImageNameOrID, replace_lambda="x=>format(format='%%%02x',args=x)", re="[^a-z0-9\\-_.~?]")
LET docker_api_path = format(format="%v:unix/images/%v/get", args=[dockerSocket, EncodedImageNameOrID])
LET response <= SELECT Content FROM http_client(url=docker_api_path, tempfile_extension=".tar", remove_last=true)
SELECT upload(file=response.Content) from scope()