question

JonathanLee-8541 asked JonathanLee-8541 answered

Scan for Containers, dormant VMs, and Kali's Docker Secure Containers with Microsoft Security Software ?

Scan for Containers and dormant VMs On Windows 10 ?
"Hello, how can I enable a scan for invasive containers and/or dormant VMs on a Windows 10 machine?"

If we use a proxy "content accelerator" we can figuratively catch the container and take it ("the proxy-caught container") offline with transparent mode and dual-use container duplication, and air-gap that container to test for container purity with a virus scan afterwards, or use a DLP system while it's running in transparent mode. Now how can we scan the machine we caught it on for instances of that invasive container on non-approved containers in small office, company, and corporate settings? I want to learn how to block out any reverse binds or egress use that are bypassing the ACLs with outgoing connections that are data marshaling the NIC. Keep in mind anything that will alert the container manager will trigger a sandboxed event of that container. We want hard evidence for cybersecurity, GDPR, and California privacy laws being broken with invasive use.

139810-77d311c3-6104-48af-a581-f72229c3c99b.png

What Windows security tool can we use to scan for any and all Docker containers without installing Docker or other container managers? Or what firewall rules can you put in place for new virtual sandbox container-based issues?

Keep in mind any and all fresh installs will come from the Windows servers and push that same invasive, non-approved container down. It is no longer a DVD or CD one-size-fits-all image that is downloaded. They are IP- and use-based for systems with the use of auto deployment and vendor drivers that are pushed on reimage. So if you wipe the system, that same container is fault tolerant based on the system you are using and will eventually restore itself. How can we scan for them?

Example: Hypothetically, can an old job you left that has a disgruntled manager still access and push containers to a private home system that you used for access with Office 365 only, or had linked to a personal Gmail account? Even after you left that job, this manager wanted to do something invasive because he did not like that you put your three weeks in, and tries to break your personal system.

139877-3ec236ca-6537-4634-bcb7-5a7097ccfddc.png

This is all hypothetical; however, you can see the reasons for a need to scan for any and all instances of containers, from a small office setting to a large corporate environment. NIST SP 800-190 states a major container issue, and I quote:

"1. Compromise of an image or container. This risk was evaluated using the data-centric system threat modeling approach described in NIST SP 800-154 [17]. The primary “data” to protect is the images and containers, which may hold application files, data files, etc. The secondary data to protect is container data within shared host resources such as memory, storage, and network interfaces.

  1. Misuse of a container to attack other containers, the host OS, other hosts, etc."

With that being said, what protections and compartmentalization are there for the end user in a personal setting and/or small business that would utilize proxy duplication for virus scanning and testing of what is being data marshaled within the shielded containers, as well as protections for the known-good container instances that are currently used for cybersecurity?
140350-messagesblocked.jpg

When we have our phones linked with software like Microsoft's phone companion, issues such as invasive, unapproved, illegal containers could cause problems, even blocking cell-phone-based messages. This is a smartphone system with messages to my father over the last couple of days. Everything says message expired or not available. Could an invasive container even take control of the "Your Phone" application?

Ref:
Final Publication: https://doi.org/10.6028/NIST.SP.800-190 (direct link: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf).


windows-serverwindows-10-hypervdotnet-ad
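As an added example (not from the original post), the following PowerShell inventory answers the "scan for Docker containers without installing Docker, and find dormant VMs" part of the question using only components that ship with Windows 10. It checks the optional features, services, processes, on-disk/registry artifacts and virtual adapters that a container or VM runtime leaves behind, lists Hyper-V VMs (including ones that are Off or Saved) when the Hyper-V module is present, and maps every established outbound TCP connection to the process that owns it. The feature, service, process and path names are my assumptions about what Docker Desktop, WSL and Hyper-V install; run it from an elevated prompt so process paths and optional features are readable.

```powershell
# Added example: inventory container/VM runtimes and live egress on a Windows 10 host.
# Not code from the original post. Run elevated. No Docker install required.

# 1. Optional features that provide container or VM capability (names are assumed Win10 feature names)
$features = 'Containers', 'Microsoft-Hyper-V-All', 'Microsoft-Windows-Subsystem-Linux',
            'VirtualMachinePlatform', 'HypervisorPlatform'
Write-Host "== Optional features =="
Get-WindowsOptionalFeature -Online |
    Where-Object { $features -contains $_.FeatureName } |
    Select-Object FeatureName, State | Format-Table -AutoSize

# 2. Services and processes that only exist when a runtime is installed (assumed names)
$services = 'docker', 'com.docker.service', 'containerd', 'vmcompute', 'vmms', 'hns', 'LxssManager'
Write-Host "== Runtime services =="
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $services -contains $_.Name } |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

$procs = 'dockerd', 'docker', 'containerd', 'com.docker.backend', 'vmwp', 'vmmem', 'wslhost', 'vmcompute'
Write-Host "== Runtime processes =="
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $procs -contains $_.ProcessName } |
    Select-Object Id, ProcessName, Path | Format-Table -AutoSize

# 3. Artifacts on disk and in the registry (assumed default install locations)
Write-Host "== On-disk artifacts present =="
@('C:\ProgramData\Docker', "$env:LOCALAPPDATA\Docker",
  "$env:ProgramFiles\Docker", 'C:\ProgramData\Microsoft\Windows\Hyper-V') |
    Where-Object { Test-Path $_ }

# WSL distributions are registered per user under Lxss; each subkey is one distro
$lxss = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss'
if (Test-Path $lxss) {
    Write-Host "== WSL distributions =="
    Get-ChildItem $lxss | ForEach-Object {
        Get-ItemProperty $_.PSPath | Select-Object DistributionName, BasePath
    } | Format-Table -AutoSize
}

# 4. Virtual switches/adapters created by Hyper-V, WSL or Docker Desktop
Write-Host "== vEthernet adapters =="
Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'vEthernet*' } |
    Select-Object Name, InterfaceDescription, Status | Format-Table -AutoSize

# 5. Hyper-V VMs, including dormant (Off/Saved) ones, if the Hyper-V module is installed;
#    hcsdiag lists Host Compute Service containers/utility VMs when the Containers feature is on
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    Write-Host "== Hyper-V VMs =="
    Get-VM | Select-Object Name, State, Uptime | Format-Table -AutoSize
}
if (Get-Command hcsdiag.exe -ErrorAction SilentlyContinue) {
    Write-Host "== Host Compute Service instances =="
    hcsdiag list
}

# 6. Established outbound TCP connections mapped to the owning process.
#    Anything not on the loopback/unspecified address is a candidate egress path to review.
Write-Host "== Established outbound connections =="
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process = $p.ProcessName
            Pid     = $_.OwningProcess
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            Path    = $p.Path
        }
    } | Sort-Object Process | Format-Table -AutoSize
```

A host with none of these features, services, processes, directories, registry keys or vEthernet adapters has no Docker, WSL or Hyper-V runtime to hide a container in; on a host that does, the connection table in step 6 shows which process (for example vmwp.exe for a Hyper-V VM, or a Docker backend process) actually holds each outbound socket, which is the evidence to keep.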

JonathanLee-8541 answered JonathanLee-8541 edited

Due to this very vulnerable security lapse, you are now starting to see pen testing companies taking full advantage of this concern. Kali now has a full instance of its standard pen testing toolkit inside a secure Docker container. How can security teams start to block and/or scan for containers? I feel the longer we ignore this, the worse it will get.

146361-mssecuritylapse.jpg
Notes on Kali for bleeding-edge and experimental images via Docker secure containers.
146352-lapsestart3days.jpg
Docker showing this is now fully available.


JonathanLee-8541 answered

My firewall is logging all tunnels; some devices are going to tunneled URLs even when no one is using the internet, and the system is logging URL-tunneled activity.

How can this be scanned?

Encrypted containers and unknown instances of virtual machines that are unknown to the users cause a cybersecurity concern.


159039-screen-shot-2021-12-20-at-115017-am.png


history.paypal, and I have seen sandbox pushes also. I have no PayPal account, so this is a concern: who is using PayPal in a tunnel?

Again we need ways to scan for invasive containers.


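As an added example (not from the original posts), this PowerShell covers two asks at once: the question's "what firewall rules can you put in place" for egress that bypasses the ACLs, and this post's unexplained tunneled traffic that the firewall logs but nobody can account for. It uses Windows Defender Firewall's own controls: a default-deny outbound policy with an explicit per-program/per-service allow-list, logging of both dropped and allowed packets to pfirewall.log, and a parser that summarises outbound (SEND) drops by destination so unknown egress stands out. The Edge path and the allow-list entries are my assumptions, the sample log is constructed, and the policy change only runs when `$Apply` is set to `$true`, because a default outbound block with an incomplete allow-list cuts the host off the network.

```powershell
# Added example: default-deny outbound egress policy plus firewall-log triage.
# Not code from the original posts. Run elevated. Policy changes are gated by $Apply.

$Apply = $false   # set to $true only after reviewing the allow-list below
$log   = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# 1. Allow-list: what this host is permitted to reach. Assumed entries; adjust per host.
$allowRules = @(
    @{ DisplayName = 'Allow DNS client';       Service = 'Dnscache'; Protocol = 'UDP'; RemotePort = 53 },
    @{ DisplayName = 'Allow Windows Update';   Service = 'wuauserv' },
    @{ DisplayName = 'Allow Microsoft Edge';
       Program = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe" }
)

function Set-EgressPolicy {
    # Create missing allow rules, then flip every profile to block-by-default outbound
    # and log both drops and allows so unapproved egress is recorded, not just silently dropped.
    foreach ($r in $allowRules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule @r -Direction Outbound -Action Allow -Profile Any | Out-Null
        }
    }
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -DefaultOutboundAction Block `
        -LogBlocked True -LogAllowed True `
        -LogFileName $log -LogMaxSizeKilobytes 16384
}

function Get-OutboundDrops {
    # Parse pfirewall.log using its own #Fields header (so the layout, with or without a
    # trailing pid column, does not have to be hard-coded) and group outbound drops by target.
    param([string]$Path)
    $lines  = Get-Content $Path
    $header = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $header) { throw "No #Fields header found in $Path" }
    $names  = ($header -replace '^#Fields:\s*') -split '\s+'

    $lines | Where-Object { $_ -and $_ -notmatch '^#' } | ForEach-Object {
        $vals = $_ -split '\s+'
        $o = [ordered]@{}
        for ($i = 0; $i -lt $names.Count -and $i -lt $vals.Count; $i++) { $o[$names[$i]] = $vals[$i] }
        [pscustomobject]$o
    } |
    Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'SEND' } |
    Group-Object 'dst-ip', 'dst-port' |
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'Destination'; Expression = { $_.Name } }
}

# 2. Constructed sample log in the Windows Firewall log format, so the parser runs offline.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2021-12-20 11:50:17 DROP TCP 192.168.1.20 203.0.113.7 51234 443 52 S 1234567 0 64240 - - - SEND
2021-12-20 11:50:18 DROP TCP 192.168.1.20 203.0.113.7 51235 443 52 S 1234568 0 64240 - - - SEND
2021-12-20 11:50:19 ALLOW UDP 192.168.1.20 192.168.1.1 53211 53 0 - - - - - - - SEND
2021-12-20 11:50:20 DROP TCP 198.51.100.9 192.168.1.20 40000 445 52 S 99 0 8192 - - - RECEIVE
'@
$samplePath = Join-Path $env:TEMP 'pfirewall-sample.log'
Set-Content -Path $samplePath -Value $sample

Write-Host "== Outbound drops in constructed sample (expect 203.0.113.7, 443 with count 2) =="
Get-OutboundDrops -Path $samplePath | Format-Table -AutoSize

if ($Apply) {
    Set-EgressPolicy
    Write-Host "Policy applied; after some uptime run: Get-OutboundDrops -Path `"$log`""
}
```

The inbound drop to port 445 and the allowed DNS lookup are deliberately excluded by the `DROP`/`SEND` filter: the point is to list only outbound attempts the policy refused, each with a destination to correlate against the connection-to-process table from the earlier inventory. Cross-reference a repeated destination with the owning process on the live host before treating it as evidence of anything.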

JonathanLee-8541 answered

What security recommendations does Microsoft have for these issues? This is also showing for Windows 10.
