Skip to content
attack.paths
Sign in
← RegistryDossier · 5 steps · 4 edges

docker group membership → host root via container escape

User is in the docker group. `docker run -v /:/host --privileged alpine chroot /host` gives them root on the host without sudo.

Filed by AD Knowledge Base
§ Kill-chainDrag · zoom · scroll

§ Context

Assumed environment: foothold as a developer / CI user. The user account is a member of the docker (or lxd) group — a common 'convenience' configuration.

§ Steps

  1. 01
    Foothold as docker-group userInitial Access
    T1078Valid Accounts
  2. 02
    id / groups → confirm dockerDiscovery
    T1087Account Discovery
  3. 03
    chroot /host → root on the hostPrivilege Escalation
    K-HOSTPATH-MOUNThostPath Volume Mount
  4. 04
    docker run --privileged -v /:/host alpinePrivilege Escalation
    L-DOCKER-GROUPdocker Group Membership → root
  5. 05
    SSH key for rootPersistence
    L-SSH-AUTHKEYSSSH authorized_keys Backdoor

§ References

§ Frequently asked

What is the "docker group membership → host root via container escape" attack path?
User is in the docker group. `docker run -v /:/host --privileged alpine chroot /host` gives them root on the host without sudo. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?
The first step is Foothold as docker-group user (T1078) — a initial access primitive. Assumed environment: foothold as a developer / CI user.
What is the final impact of this kill-chain?
The final step lands on SSH key for root (L-SSH-AUTHKEYS), which falls under Persistence. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?
Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers