T1609 Container Administration Command
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.[1][2][3]

In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as `docker exec` to execute a command within a running container.[4][5] In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as `kubectl exec`.[6]
Item | Value |
---|---|
ID | T1609 |
Sub-techniques | |
Tactics | TA0002 |
Platforms | Containers |
Version | 1.1 |
Created | 29 March 2021 |
Last Modified | 01 April 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0601 | Hildegard | Hildegard was executed through the kubelet API run command and by executing commands on running containers.[13] |
S0599 | Kinsing | Kinsing was executed with an Ubuntu container entry point that runs shell scripts.[11] |
S0683 | Peirates | Peirates can use kubectl or the Kubernetes API to run commands.[10] |
S0623 | Siloscape | Siloscape can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster.[12] |
G0139 | TeamTNT | TeamTNT executed Hildegard through the kubelet API run command and by executing commands on running containers.[13] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1038 | Execution Prevention | Use read-only containers, read-only file systems, and minimal images when possible to prevent the execution of commands.[7] |
M1035 | Limit Access to Resource Over Network | Limit communications with the container service to local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.[8][9] |
M1026 | Privileged Account Management | Ensure containers are not running as root by default. In Kubernetes environments, consider defining a Pod Security Policy that prevents pods from running privileged containers.[7] |
M1018 | User Account Management | Enforce authentication and role-based access control on the container service to restrict users to the least privileges required.[7] |
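The M1018 row asks for least-privilege RBAC on the container service. In Kubernetes, the permission that enables `kubectl exec` is `create` on the `pods/exec` subresource (and `pods/attach` for attach), so one concrete check is to enumerate every Role and ClusterRole whose rules could grant it. The following Python is an added example, not code from the ATT&CK page; it takes objects in the shape of `kubectl get roles,clusterroles -A -o json` items, and the sample objects are constructed. The matching follows Kubernetes RBAC semantics: a resource entry of `*`, the exact `pods/exec`, or the `*/exec` form grants the subresource, while a plain `pods` entry does not.

```python
# Constructed RBAC objects shaped like `kubectl get roles,clusterroles -A -o json` items; all made up.
SAMPLE_RBAC_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "prod"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "debugger", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "attach-anything"},
     "rules": [{"apiGroups": [""], "resources": ["*/attach"], "verbs": ["*"]}]},
]

# Subresources whose `create` verb yields command execution or terminal access in a pod.
EXEC_SUBRESOURCES = ("exec", "attach")


def rule_grants_exec(rule):
    """True if a single RBAC rule can authorize `create` on pods/exec or pods/attach.

    pods/exec lives in the core API group, so the rule must cover apiGroup "" (or "*"),
    the verb create (or "*"), and a resource entry of "*", "pods/<sub>" or "*/<sub>".
    A rule that lists only "pods" does not grant any subresource.
    """
    groups = rule.get("apiGroups", [])
    if "" not in groups and "*" not in groups:
        return False
    verbs = rule.get("verbs", [])
    if "create" not in verbs and "*" not in verbs:
        return False
    for res in rule.get("resources", []):
        if res == "*":
            return True
        for sub in EXEC_SUBRESOURCES:
            if res in (f"pods/{sub}", f"*/{sub}"):
                return True
    return False


def exec_granting_roles(objects):
    """Return (kind, namespace, name) for every Role/ClusterRole with an exec-capable rule."""
    out = []
    for obj in objects:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        if any(rule_grants_exec(r) for r in obj.get("rules", [])):
            meta = obj.get("metadata", {})
            out.append((obj["kind"], meta.get("namespace"), meta.get("name")))  # ClusterRole has no namespace
    return out


if __name__ == "__main__":
    for kind, ns, name in exec_granting_roles(SAMPLE_RBAC_OBJECTS):
        print(f"{kind} {ns or '<cluster>'}/{name} can create pods/exec or pods/attach")
```

The output is the list of roles to review against the bindings that reference them; a role that grants exec is only a problem in proportion to who is bound to it, so the next step is to join these names against RoleBinding and ClusterRoleBinding subjects.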
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | Process Creation |
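The Detection table names two data components: Command Execution and Process Creation. For the Kubernetes side, the API server audit log records every exec and attach request as an event whose `objectRef.subresource` is `exec` or `attach`, and the argv of the command is carried in the repeated `command=` query parameters of `requestURI`; on the host side, the process-creation record of `docker exec`, `kubectl exec` or a `docker run --entrypoint` override is the observable. The Python below is an added example, not code from the ATT&CK page; all audit events and command lines are constructed, and the "service account doing exec is higher severity" heuristic is the example's own assumption rather than anything the page states.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed Kubernetes API server audit events (one JSON document per line).
# Field names follow the audit.k8s.io Event schema; every value is made up.
SAMPLE_AUDIT_LINES = [
    json.dumps({"kind": "Event", "auditID": "a1", "stage": "ResponseStarted", "verb": "create",
                "user": {"username": "system:serviceaccount:default:web"}, "sourceIPs": ["10.0.0.7"],
                "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "api-0"},
                "requestURI": "/api/v1/namespaces/prod/pods/api-0/exec?command=sh&command=-c&command=id&stdin=true&tty=true"}),
    # Second stage of the same long-running exec request: must not be counted twice.
    json.dumps({"kind": "Event", "auditID": "a1", "stage": "ResponseComplete", "verb": "create",
                "user": {"username": "system:serviceaccount:default:web"}, "sourceIPs": ["10.0.0.7"],
                "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "api-0"},
                "requestURI": "/api/v1/namespaces/prod/pods/api-0/exec?command=sh&command=-c&command=id&stdin=true&tty=true"}),
    json.dumps({"kind": "Event", "auditID": "a2", "stage": "ResponseComplete", "verb": "get",
                "user": {"username": "alice"}, "sourceIPs": ["10.0.0.5"],
                "objectRef": {"resource": "pods", "namespace": "prod", "name": "api-0"},
                "requestURI": "/api/v1/namespaces/prod/pods/api-0"}),
    json.dumps({"kind": "Event", "auditID": "a3", "stage": "ResponseStarted", "verb": "create",
                "user": {"username": "alice"}, "sourceIPs": ["10.0.0.5"],
                "objectRef": {"resource": "pods", "subresource": "attach", "namespace": "dev", "name": "debug-1"},
                "requestURI": "/api/v1/namespaces/dev/pods/debug-1/attach?stdin=true&tty=true"}),
]

# Constructed process-creation command lines as a host sensor would record them; made up.
SAMPLE_PROCESS_CMDLINES = [
    "kubectl get pods -n prod",
    "kubectl exec -n prod api-0 -- /bin/sh",
    "docker exec -it web-1 bash",
    "docker run --entrypoint /bin/sh -d alpine:3.19 -c id",
    "docker ps -a",
]

EXEC_SUBRESOURCES = {"exec", "attach"}
# `docker exec` / `kubectl exec`, optionally path-prefixed, allowing global flags before the verb.
EXEC_CMD_RE = re.compile(r"^\s*(?:\S*/)?(docker|kubectl)\s+(?:.*\s)?exec(?:\s|$)")
# `docker run|create ... --entrypoint ...`: the entrypoint-override form from the description.
ENTRYPOINT_RE = re.compile(r"^\s*(?:\S*/)?docker\s+(?:run|create)\b.*--entrypoint\b")


def exec_command_from_uri(request_uri):
    """Return the argv carried in an exec request's repeated command= query parameters."""
    return parse_qs(urlparse(request_uri).query).get("command", [])


def flag_exec_events(lines):
    """One finding per distinct audit event that runs a command in, or attaches to, a pod."""
    findings, seen = [], set()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole batch
        ref = ev.get("objectRef") or {}
        if ev.get("verb") != "create" or ref.get("resource") != "pods":
            continue
        if ref.get("subresource") not in EXEC_SUBRESOURCES:
            continue
        key = ev.get("auditID") or ev.get("requestURI")  # long-running request: stages share one auditID
        if key in seen:
            continue
        seen.add(key)
        user = (ev.get("user") or {}).get("username", "")
        findings.append({
            "audit_id": key,
            "user": user,
            # Analyst heuristic (assumption): workload service accounts rarely need exec.
            "from_service_account": user.startswith("system:serviceaccount:"),
            "namespace": ref.get("namespace"),
            "pod": ref.get("name"),
            "subresource": ref.get("subresource"),
            "command": exec_command_from_uri(ev.get("requestURI", "")),
            "source_ips": ev.get("sourceIPs", []),
        })
    return findings


def flag_exec_commands(cmdlines):
    """Return (cmdline, reason) for process creations that match this technique."""
    hits = []
    for cmd in cmdlines:
        if EXEC_CMD_RE.search(cmd):
            hits.append((cmd, "container exec"))
        elif ENTRYPOINT_RE.search(cmd):
            hits.append((cmd, "entrypoint override"))
    return hits


if __name__ == "__main__":
    for finding in flag_exec_events(SAMPLE_AUDIT_LINES):
        print("AUDIT", finding)
    for cmd, reason in flag_exec_commands(SAMPLE_PROCESS_CMDLINES):
        print("PROC", reason, "->", cmd)
```

Two practical points: the audit policy must log pods/exec and pods/attach at least at the `Metadata` level for `requestURI`, `user` and `objectRef` to be present, and because exec is a long-running request the same `auditID` appears at several stages, which is why the function deduplicates on it. The process-creation side only sees clients run on monitored hosts; exec issued from an unmanaged workstation or directly against the kubelet shows up only in the API server or kubelet logs.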
References
- The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021.
- The Kubernetes Authors. (n.d.). Kubelet. Retrieved March 29, 2021.
- Docker. (n.d.). Docker run reference. Retrieved March 29, 2021.
- The Kubernetes Authors. (n.d.). Get a Shell to a Running Container. Retrieved March 29, 2021.
- National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022.
- Docker. (n.d.). Protect the Docker Daemon Socket. Retrieved March 29, 2021.
- The Kubernetes Authors. (n.d.). Controlling Access to The Kubernetes API. Retrieved March 29, 2021.
- InGuardians. (2022, January 5). Peirates GitHub. Retrieved February 8, 2022.
- Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
- Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
- Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.