K-DOCKER-SOCKInitial Access

Docker Socket Exposed

/var/run/docker.sock mounted in a container or reachable on 2375 — full host takeover via docker run -v /:/host.

§ Where this technique fits

K-DOCKER-SOCK is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

Docker socket exposed in pod → host root
A workload mounts /var/run/docker.sock for convenience; spawn a container with the host root mounted, then chroot in for root on the node.
step 2 / 6

§ What commonly comes next

01
Privileged Container Escape
K-PRIV-CONTAINER · Privilege Escalation
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Docker socket exposed in pod → host root

§ What commonly comes next