T1613 Container and Resource Discovery
Adversaries may attempt to discover containers and other resources that are available within a container environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.
These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.[1][2] In Docker, logs may leak information about the environment, such as the environment's configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary's next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution.
Item | Value |
---|---|
ID | T1613 |
Sub-techniques | |
Tactics | TA0007 |
Platforms | Containers |
Version | 1.1 |
Created | 31 March 2021 |
Last Modified | 15 April 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0601 | Hildegard | Hildegard has used masscan to search for kubelets and the kubelet API for additional running containers.[9] |
S0683 | Peirates | Peirates can enumerate Kubernetes pods in a given namespace.[8] |
G0139 | TeamTNT | TeamTNT has checked for running containers with docker ps and for specific container names with docker inspect.[11] TeamTNT has also searched for Kubernetes pods running in a local network.[10] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1035 | Limit Access to Resource Over Network | Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.[4][7] In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access the API server.[5] Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.[6] |
M1030 | Network Segmentation | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. |
M1018 | User Account Management | Enforce the principle of least privilege by limiting dashboard visibility to only the required users. When using Kubernetes, avoid giving users wildcard permissions or adding users to the system:masters group, and use RoleBindings rather than ClusterRoleBindings to limit user privileges to specific namespaces.[3] |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0032 | Container | Container Enumeration |
DS0014 | Pod | Pod Enumeration |
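Added example, not part of the ATT&CK page or of any referenced project: a minimal detector for the Pod Enumeration and Container Enumeration data components, run over constructed Kubernetes API server audit events. Field names follow the Kubernetes audit Event schema (stage, verb, user.username, objectRef.resource/namespace, sourceIPs); the sample log, the resource set and the threshold of two resource kinds are assumptions chosen for illustration.

```python
import json
from collections import defaultdict

# Resource kinds whose enumeration maps to the Pod Enumeration (DS0014) and
# Container Enumeration (DS0032) data components listed above (assumed set).
ENUM_RESOURCES = {"pods", "nodes", "deployments"}
ENUM_VERBS = {"list", "watch"}

# Constructed sample audit events in JSON Lines form; not from any real cluster.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"stage": "ResponseComplete", "verb": "list", "sourceIPs": ["10.0.0.5"],
     "user": {"username": "system:serviceaccount:kube-system:coredns"},
     "objectRef": {"resource": "endpoints"}},
    {"stage": "ResponseComplete", "verb": "get", "sourceIPs": ["192.0.2.10"],
     "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "dev", "name": "web-0"}},
] + [
    {"stage": "ResponseComplete", "verb": "list", "sourceIPs": ["10.244.1.7"],
     "user": {"username": "system:serviceaccount:default:webapp"},
     "objectRef": {"resource": kind}} for kind in ("pods", "nodes", "deployments")
])

def is_workload_account(username):
    """True for a service account of an application namespace (not kube-system)."""
    return username.startswith("system:serviceaccount:") and \
        not username.startswith("system:serviceaccount:kube-system:")

def find_enumeration(audit_jsonl, min_kinds=2):
    """Return one finding per principal that listed >= min_kinds resource kinds.
    A lone 'list pods' is routine for controllers; one principal walking pods,
    nodes and deployments in turn is the discovery pattern this page describes.
    Each finding records the kinds, whether any list was cluster-scoped (no
    namespace in objectRef) and the source IPs, so an analyst can triage it.
    """
    seen = defaultdict(lambda: {"kinds": set(), "cluster_scoped": False, "ips": set()})
    for line in filter(None, audit_jsonl.splitlines()):
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") not in ENUM_VERBS:
            continue
        if ref.get("resource") not in ENUM_RESOURCES:
            continue
        rec = seen[ev.get("user", {}).get("username", "")]
        rec["kinds"].add(ref["resource"])
        rec["cluster_scoped"] |= "namespace" not in ref
        rec["ips"].update(ev.get("sourceIPs", []))
    return [{"user": user, "kinds": sorted(rec["kinds"]),
             "workload_account": is_workload_account(user),
             "cluster_scoped": rec["cluster_scoped"], "source_ips": sorted(rec["ips"])}
            for user, rec in seen.items() if len(rec["kinds"]) >= min_kinds]
```

In a real deployment the same logic would run over the API server's audit webhook or log file, with the threshold and resource set tuned to the cluster's controllers.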
References
1. Docker. (n.d.). Docker Engine API v1.41 Reference. Retrieved March 31, 2021.
2. The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021.
3. Kubernetes. (n.d.). Role Based Access Control Good Practices. Retrieved March 8, 2023.
4. Docker. (n.d.). Protect the Docker Daemon Socket. Retrieved March 29, 2021.
5. Kubernetes. (n.d.). Overview of Cloud Native Security. Retrieved March 8, 2023.
6. Microsoft. (2023, February 27). AKS-managed Azure Active Directory integration. Retrieved March 8, 2023.
7. The Kubernetes Authors. (n.d.). Controlling Access to The Kubernetes API. Retrieved March 29, 2021.
8. InGuardians. (2022, January 5). Peirates GitHub. Retrieved February 8, 2022.
9. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
10. Smith, D. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
11. Fiser, D., Oliveira, A. (n.d.). Tracking the Activities of TeamTNT: A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.