Is my Docker container vulnerable to a Docker socket escape?

The purpose of this chain is to test if your Docker container is vulnerable to a Docker socket escape.
This week, we are releasing a Docker container escape TTP:
  • Is my Docker container vulnerable to a Docker socket escape?


For this week's TTP Tuesday, we're providing a Docker container escape. This TTP demonstrates how to escape from a Docker container that has the Docker socket mounted within it. While there are practical reasons for mounting the Docker socket within a container, doing so exposes the host to this container escape technique. If a container is vulnerable, an attacker may be able to read and execute files on the host system.

The issue affects many public repositories that use Docker containers: a simple search for the Docker socket mount string “-v /var/run/docker.sock” on GitHub shows more than 62,000 code results at the time of this writing. Note that this is not a vulnerability in Docker code, but rather a security misconfiguration of the Docker container.

If you haven't recently audited your containers, there's a chance this misconfiguration may affect you!


Execute Operator's "Is my Docker container vulnerable to a Docker socket escape?" chain on each Docker container in your environment to test if you are vulnerable.

The chain checks if the agent is running within a Docker container. Next, it checks if the docker.sock file exists in the filesystem. Finally, it will attempt to run a command on the host system to demonstrate the container escape.
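The first two checks described above can be reproduced by hand with a read-only script run inside the container. This is an added example, not Prelude's chain code; the function names, status strings and the optional ROOT argument (used to point the check at a constructed directory tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only exposure check to run inside the container under test.
# The optional ROOT argument, function names and status strings are assumptions of
# this example; ROOT lets the logic be exercised on a constructed directory tree.

# Step 1: are we in a Docker container? Heuristic: Docker creates /.dockerenv,
# and on cgroup v1 hosts the cgroup path of PID 1 contains "docker".
in_docker() {
    if [ -e "$1/.dockerenv" ]; then
        return 0
    fi
    grep -q 'docker' "$1/proc/1/cgroup" 2>/dev/null
}

# Step 2: is the Docker socket visible? /var/run is a symlink to /run on most
# modern distributions, so both are checked. -S is true only for a Unix socket.
find_docker_sock() {
    for p in /var/run/docker.sock /run/docker.sock; do
        if [ -S "$1$p" ]; then
            echo "socket:$p"
            return 0
        elif [ -e "$1$p" ]; then
            echo "non-socket:$p"
            return 0
        fi
    done
    return 1
}

# Prints one status line and always returns 0 so it is safe under `set -e`.
docker_sock_exposure() {
    prefix=${1:-/}
    prefix=${prefix%/}          # "/" becomes "", "/tmp/x/" becomes "/tmp/x"
    if ! in_docker "$prefix"; then
        echo "not-in-docker"
    elif hit=$(find_docker_sock "$prefix"); then
        echo "exposed $hit"
    else
        echo "no-socket"
    fi
    return 0
}

docker_sock_exposure "${1:-/}"
```

An `exposed socket:...` result means the container can see the host's Docker socket and should have the mount removed.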


The recommended remediation is to unmount docker.sock from the container.

Check out the TTP "Escape Docker container using Docker socket" on the Prelude chains website.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

Execute this chain

Download Operator (1.7.1)
Are we in a Docker environment?
Enumerate docker socket from within a container
Escape Docker container using Docker socket