Description
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.(Citation: Kubectl Exec Get Shell)
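Added example, not from the ATT&CK page or any vendor tool, written from the detection side: it parses Kubernetes API-server audit events and flags the two paths the description names, a kubectl exec / attach request (a create on the pods/exec or pods/attach subresource) and a pod created with an overridden container command. Field names follow the audit.k8s.io/v1 Event schema; the sample events, usernames and pod names are constructed.

```python
import json

# Constructed sample of Kubernetes API-server audit events (audit.k8s.io/v1),
# one JSON object per line as the log backend writes them. Not from any real
# cluster; usernames, pod names and auditIDs are illustrative.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseStarted","verb":"create","user":{"username":"system:serviceaccount:web:default"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"web","name":"frontend-7f9c"},"requestURI":"/api/v1/namespaces/web/pods/frontend-7f9c/exec?command=sh&stdin=true&tty=true"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:web:default"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"web","name":"frontend-7f9c"},"requestURI":"/api/v1/namespaces/web/pods/frontend-7f9c/exec?command=sh&stdin=true&tty=true"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"web","name":"frontend-7f9c"},"requestURI":"/api/v1/namespaces/web/pods/frontend-7f9c"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"create","user":{"username":"ci-deployer"},"objectRef":{"resource":"pods","namespace":"batch","name":"job-1"},"requestObject":{"spec":{"containers":[{"name":"worker","image":"ubuntu","command":["/bin/sh","-c","/tmp/setup.sh"]}]}}}
"""

EXEC_SUBRESOURCES = {"exec", "attach"}

def parse_audit_events(raw):
    # Exec is long-running: the server emits ResponseStarted and
    # ResponseComplete with the same auditID, so keep the first one only.
    seen, events = set(), []
    for line in filter(str.strip, raw.splitlines()):
        ev = json.loads(line)
        key = ev.get("auditID", len(events))
        if key not in seen:
            seen.add(key)
            events.append(ev)
    return events

def classify(ev):
    # kubectl exec / attach reach the API server as a create on the pods/exec or
    # pods/attach subresource; a pod created with an explicit container command
    # replaces the image entrypoint (requestObject needs RequestResponse logging).
    ref = ev.get("objectRef", {})
    if ev.get("verb") != "create" or ref.get("resource") != "pods":
        return None
    if ref.get("subresource") in EXEC_SUBRESOURCES:
        return "pod-exec"
    spec = ev.get("requestObject", {}).get("spec", {})
    if not ref.get("subresource") and any(c.get("command") for c in spec.get("containers", [])):
        return "entrypoint-override"
    return None

def find_container_admin_commands(raw):
    findings = []
    for ev in parse_audit_events(raw):
        kind = classify(ev)
        if kind:
            ref = ev["objectRef"]
            findings.append({"kind": kind, "user": ev["user"]["username"],
                             "pod": f"{ref['namespace']}/{ref['name']}"})
    return findings
```

Both rules depend on the audit policy: pods/exec must be logged at least at Metadata level, and pod creation at RequestResponse level for the command override to be visible.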
Mitigations (5)
M1018: User Account Management
Enforce authentication and role-based access control on the container service to restrict users to the least privileges required.(Citation: Kubernetes Hardening Guide) When using Kubernetes, avoid giving users wildcard permissions or adding users to the system:masters group, and use RoleBindings rather than ClusterRoleBindings to limit user privileges to specific namespaces.(Citation: Kubern
M1026: Privileged Account Management
Ensure containers are not running as root by default. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers and using the NodeRestriction admission controller to deny the kubelet access to nodes and pods outside of the node it belongs to.(Citation: Kubernetes Hardening Guide) (Citation: Kubernetes Admission Controllers)
M1042: Disable or Remove Feature or Program
Remove unnecessary tools and software from containers.
M1035: Limit Access to Resource Over Network
Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.(Citation: Docker Daemon Socket Protect)(Citation: Kubernetes API Control Access) In Kubernetes clusters deployed in clou
M1038: Execution Prevention
Use read-only containers, read-only file systems, and minimal images when possible to prevent the execution of commands.(Citation: Kubernetes Hardening Guide) Where possible, also consider using application control and software restriction tools (such as those provided by SELinux) to restrict access to files, processes, and system calls in containers.(Citation: Kubernetes Security Context)
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) executed [Hildegard](https://attack.mitre.org/software/S0601) through the kubelet API run command and... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S0683 | Peirates | Tool | [Peirates](https://attack.mitre.org/software/S0683) can use `kubectl` or the Kubernetes API to run commands.(Citation: Peirates GitHub) |
| S0601 | Hildegard | Malware | [Hildegard](https://attack.mitre.org/software/S0601) was executed through the kubelet API run command and by executing commands on running containers.... |
| S0623 | Siloscape | Malware | [Siloscape](https://attack.mitre.org/software/S0623) can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally t... |
| S0599 | Kinsing | Malware | [Kinsing](https://attack.mitre.org/software/S0599) was executed with an Ubuntu container entry point that runs shell scripts.(Citation: Aqua Kinsing A... |
References
- Docker. (n.d.). Docker Exec. Retrieved March 29, 2021.
- Docker. (n.d.). Docker run reference. Retrieved March 29, 2021.
- Docker. (n.d.). DockerD CLI. Retrieved March 29, 2021.
- The Kubernetes Authors. (n.d.). Get a Shell to a Running Container. Retrieved March 29, 2021.
- The Kubernetes Authors. (n.d.). Kubelet. Retrieved March 29, 2021.
- The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021.
Frequently Asked Questions
What is T1609 (Container Administration Command)?
T1609 is a MITRE ATT&CK technique named 'Container Administration Command'. It belongs to the Execution tactic(s). Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet...
How can T1609 be detected?
Detection of T1609 (Container Administration Command) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1609?
There are 5 documented mitigations for T1609. Key mitigations include: User Account Management, Privileged Account Management, Disable or Remove Feature or Program, Limit Access to Resource Over Network, Execution Prevention.
Which threat groups use T1609?
Known threat groups using T1609 include: TeamTNT.