Credential Access

T1552.007: Container API

T1552.007 · Sub-technique · 1 platform

Description

Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)

An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components.

Platforms

Containers

Mitigations (4)

Privileged Account Management (M1026)

Use the principle of least privilege for privileged accounts such as the service account in Kubernetes. For example, if a pod is not required to access the Kubernetes API, consider disabling the service account altogether.(Citation: Kubernetes Service Accounts)

Limit Access to Resource Over Network (M1035)

Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.(Citation: Docker Daemon Socket Protect)(Citation: Kubernetes API Control Access) In Kubernetes clusters deployed in clou

Network Segmentation (M1030)

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.

User Account Management (M1018)

Enforce authentication and role-based access control on the container API to restrict users to the least privileges required.(Citation: Kubernetes Hardening Guide) When using Kubernetes, avoid giving users wildcard permissions or adding users to the system:masters group, and use RoleBindings rather than ClusterRoleBindings to limit user privileges to specific namespaces.(Citation: Kubernetes
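As an added example, not part of the ATT&CK entry or any cited source, the following Python audit applies two of the M1018 checks to constructed RBAC data shaped like `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` output: wildcard rules, and ClusterRoleBindings that hand cluster-wide rights to non-system subjects. All names and objects in the sample are made up.

```python
"""Audit Kubernetes RBAC objects for the patterns M1018 warns about."""
import json

# Constructed sample (made-up names) in the shape of `kubectl get clusterroles -o json`
# and `kubectl get clusterrolebindings -o json`, trimmed to the fields read below.
SAMPLE_ROLES = json.loads("""{"items": [
  {"metadata": {"name": "cluster-admin"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"metadata": {"name": "secret-reader"},
   "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
  {"metadata": {"name": "pod-any-verb"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]}]}
]}""")
SAMPLE_BINDINGS = json.loads("""{"items": [
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "alice-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "User", "name": "alice"}]},
  {"metadata": {"name": "ci-secrets"},
   "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
   "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "build"}]}
]}""")


def wildcard_roles(roles):
    """Names of roles with '*' in verbs or resources (M1018: no wildcard permissions)."""
    return sorted(
        r["metadata"]["name"] for r in roles["items"]
        if any("*" in rule.get("verbs", []) or "*" in rule.get("resources", [])
               for rule in r.get("rules") or []))


def cluster_wide_bindings(bindings):
    """(binding, subject kind, subject name, role) for every ClusterRoleBinding
    that grants cluster-wide rights to a non-system subject. M1018: prefer a
    namespaced RoleBinding. Kubernetes' own system:* subjects are skipped."""
    found = []
    for b in bindings["items"]:
        for s in b.get("subjects") or []:
            if s["name"].startswith("system:"):
                continue
            found.append((b["metadata"]["name"], s["kind"], s["name"],
                          b["roleRef"]["name"]))
    return found
```

To run it against a real cluster, load the two `kubectl ... -o json` outputs with `json.load` and pass them to the two functions. Membership in the system:masters group is assigned by the authenticator (for example the O= field of a client certificate), not by these objects, so that part of M1018 is not visible to this audit.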

Associated Software (1)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0683 | Peirates | Tool | [Peirates](https://attack.mitre.org/software/S0683) can query the Kubernetes API for secrets.(Citation: Peirates GitHub) |
