access Docker credentials

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: access Docker credentials
    namespace: collection/container/docker
    authors:
      - maximemorin@google.com
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Credential Access::Unsecured Credentials::Credentials In Files [T1552.001]
    references:
      - https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/
  features:
    - or:
      - string: ".docker/config.json"
      - string: ".docker/ca.pem"

last edited: 2026-02-23 16:32:32