T1059.013: Container CLI/API — MITRE ATT&CK Technique

Description

Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments.

The Docker CLI is used for managing containers via an exposed API point from the dockerd daemon. Some common examples of Docker CLI include Docker Desktop CLI and Docker Compose, but users are also able to use SDKs to interact with the API. For example, Docker SDK for Python can be used to run commands within a Python application.(Citation: Docker Desktop CLI)

Adversaries may leverage the Docker CLI, API, or SDK to pull or build Docker images (i.e., Ingress Tool Transfer, Build Image on Host), run containers (i.e., Deploy Container), or execute commands inside running containers (i.e., Container Administration Command). In some cases, threat actors may pull legitimate images that include scripts or tools that they can leverage - for example, using an image that includes the curl command to download payloads.(Citation: Intezer) Adversaries may also utilize docker inspect and docker ps to scan for cloud environment variables and other running containers (i.e., Container and Resource Discovery).(Citation: Cisco Talos Blog)(Citation: aquasec)

Kubernetes is responsible for the management and orchestration of containers across clusters. The Kubernetes control plane, which manages the state of the cluster and is responsible for scheduling, communication, and resource monitoring, can be invoked directly via the API or indirectly via CLI tools such as kubectl. It may also be accessed within client libraries such as Go or Python. By utilizing the API, administrators can interact with resources within the cluster such as listing or creating pods, which is a group of one or more containers. Adversaries call the API server via curl or other tools, allowing them to obtain further information about the environment such as pods, deployments, daemonsets, namespaces, or sysvars.(Citation: aquasec) They may also run various commands regarding resource management.

☞

Reverse Shell Cheatsheet

Read our in-depth pentesting guide related to this technique

Platforms

Containers

Mitigations (2)

Privileged Account ManagementM1026

Restrict permissions on API access. RBAC in Kubernetes involve permissions that are additive, meaning there are no explicit "deny" rules. These permissions can be defined within a particular namespace or within cluster-scoped resources. Securing the Docker daemon can be done by using SSH or TLS with certificate authorization. Container management tools such as Docker and Podman may offer ways to r

Execution PreventionM1038

Deny scripting where appropriate. Tools such as Python or Go can utilize Kubernetes and Docker within a client library and execute commands within their application.

Threat Groups (1)

ID	Group	Context
G0139	TeamTNT	TeamTNT targeted misconfigured containers and used container CLI tools.(Citation: Cisco Talos Blog)

Related CWE Weaknesses

CWE-78 CWE-94

References

Frequently Asked Questions

What is T1059.013 (Container CLI/API)?

T1059.013 is a MITRE ATT&CK technique named 'Container CLI/API'. It belongs to the Execution tactic(s). Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments. The Docker CLI is used for managing containers via an exposed API point from the `do...

How can T1059.013 be detected?

Detection of T1059.013 (Container CLI/API) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1059.013?

There are 2 documented mitigations for T1059.013. Key mitigations include: Privileged Account Management, Execution Prevention.

Which threat groups use T1059.013?

Known threat groups using T1059.013 include: TeamTNT.