T1610 Deploy Container
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.
Containers can be deployed by various means, such as via Docker’s create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow.123 Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.4
| Item | Value |
|---|---|
| ID | T1610 |
| Sub-techniques | |
| Tactics | TA0005, TA0002 |
| Platforms | Containers |
| Permissions required | User, root |
| Version | 1.1 |
| Created | 29 March 2021 |
| Last Modified | 01 April 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0600 | Doki | Doki was run through a deployed container.10 |
| S0599 | Kinsing | Kinsing was run through a deployed Ubuntu container.9 |
| S0683 | Peirates | Peirates can deploy a pod that mounts its node’s root file system, then execute a command to create a reverse shell on the node.8 |
| G0139 | TeamTNT | TeamTNT has deployed different types of containers into victim environments to facilitate execution.1112 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Scan images before deployment, and block those that are not in compliance with security policies. In Kubernetes environments, the admission controller can be used to validate images after a container deployment request is authenticated but before the container is deployed.5 |
| M1035 | Limit Access to Resource Over Network | Limit communications with the container service to local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API, Kubernetes API Server, and container orchestration web applications.67 |
| M1030 | Network Segmentation | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. |
| M1018 | User Account Management | Enforce the principle of least privilege by limiting container dashboard access to only the necessary users. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0032 | Container | Container Creation |
| DS0014 | Pod | Pod Creation |
References
-
Docker. (n.d.). Docker Engine API v1.41 Reference - Container. Retrieved March 29, 2021. ↩
-
The Kubernetes Authors. (n.d.). Kubernetes Web UI (Dashboard). Retrieved March 29, 2021. ↩
-
The Kubeflow Authors. (n.d.). Overview of Kubeflow Pipelines. Retrieved March 29, 2021. ↩
-
Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021. ↩
-
National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022. ↩
-
Docker. (n.d.). Protect the Docker Daemon Socket. Retrieved March 29, 2021. ↩
-
The Kubernetes Authors. (n.d.). Controlling Access to The Kubernetes API. Retrieved March 29, 2021. ↩
-
InGuardians. (2022, January 5). Peirates GitHub. Retrieved February 8, 2022. ↩
-
Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021. ↩
-
Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021. ↩
-
Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021. ↩
-
Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021. ↩