Discovery

T1613: Container and Resource Discovery


T1613 · Technique · 1 platform · 1 group

Description

Adversaries may attempt to discover containers and other resources that are available within a container environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.

These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution.
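Because enumeration through the Kubernetes API passes through the API server, it leaves a trail in the API audit log. The following added example (it is not part of the ATT&CK entry) parses audit.k8s.io/v1 JSON-lines events and flags principals that read several distinct discovery-relevant resource kinds; the allowlist of control-plane principals, the threshold, and the sample events are assumptions constructed for this example.

```python
"""Flag Kubernetes API resource enumeration (T1613) in audit log events."""
import json
from collections import defaultdict

# Resource kinds whose listing reveals the cluster layout (pods, nodes, deployments, ...).
DISCOVERY_RESOURCES = {"pods", "nodes", "deployments", "namespaces", "services", "secrets"}
READ_VERBS = {"get", "list", "watch"}
# Assumption: control-plane principals enumerate constantly and are treated as benign.
BENIGN_PREFIXES = ("system:kube-", "system:apiserver", "system:serviceaccount:kube-system:")

def parse_events(lines):
    """Parse an audit.k8s.io/v1 JSON-lines log, keeping only completed requests."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("stage") == "ResponseComplete":
            events.append(event)
    return events

def find_enumerators(events, threshold=3):
    """Return {principal: sorted resource kinds} for non-system principals that read >= threshold kinds."""
    seen = defaultdict(set)
    for event in events:
        user = event.get("user", {}).get("username", "")
        if user.startswith(BENIGN_PREFIXES):
            continue
        ref = event.get("objectRef") or {}
        if event.get("verb") in READ_VERBS and ref.get("resource") in DISCOVERY_RESOURCES:
            seen[user].add(ref["resource"])
    return {user: sorted(res) for user, res in seen.items() if len(res) >= threshold}

def _event(user, verb, resource, namespace=None, stage="ResponseComplete"):
    """Build one constructed audit event line in the audit.k8s.io/v1 shape."""
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
                       "verb": verb, "user": {"username": user},
                       "objectRef": {"resource": resource, "namespace": namespace}})

# Constructed sample log: a workload service account walks pods, nodes and secrets.
SAMPLE_LOG = [
    _event("system:serviceaccount:kube-system:kube-controller-manager", "list", "pods"),
    _event("system:serviceaccount:default:web-sa", "list", "pods", "default"),
    _event("system:serviceaccount:default:web-sa", "list", "nodes"),
    _event("system:serviceaccount:default:web-sa", "list", "secrets", "default"),
    _event("system:serviceaccount:default:web-sa", "get", "deployments", "default", "RequestReceived"),
    _event("alice", "get", "pods", "team-a"),
]
ALERTS = find_enumerators(parse_events(SAMPLE_LOG))  # {"system:serviceaccount:default:web-sa": ["nodes", "pods", "secrets"]}
```

The unfinished "RequestReceived" event is dropped by the stage filter, so only completed reads count, and the controller-manager's constant listing is excluded by the allowlist rather than by volume.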

Platforms

Containers

Mitigations (3)

M1030: Network Segmentation

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.

M1035: Limit Access to Resource Over Network

Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.(Citation: Docker Daemon Socket Protect)(Citation: Kubernetes API Control Access) In Kubernetes clusters deployed in clou

M1018: User Account Management

Enforce the principle of least privilege by limiting dashboard visibility to only the required users. When using Kubernetes, avoid giving users wildcard permissions or adding users to the system:masters group, and use RoleBindings rather than ClusterRoleBindings to limit user privileges to specific namespaces.(Citation: Kubernetes RBAC)

Threat Groups (1)

| ID | Group | Context |
| --- | --- | --- |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has checked for running containers with `docker ps` and for specific container names with ... |

Associated Software (2)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0683 | Peirates | Tool | [Peirates](https://attack.mitre.org/software/S0683) can enumerate Kubernetes pods in a given namespace.(Citation: Peirates GitHub) |
| S0601 | Hildegard | Malware | [Hildegard](https://attack.mitre.org/software/S0601) has used masscan to search for kubelets and the kubelet API for additional running containers.(Ci... |

Frequently Asked Questions

What is T1613 (Container and Resource Discovery)?

T1613 is a MITRE ATT&CK technique named 'Container and Resource Discovery'. It belongs to the Discovery tactic(s). Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other informati...

How can T1613 be detected?

Detection of T1613 (Container and Resource Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1613?

There are 3 documented mitigations for T1613. Key mitigations include: Network Segmentation, Limit Access to Resource Over Network, User Account Management.

Which threat groups use T1613?

Known threat groups using T1613 include: TeamTNT.