Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments.
The Docker CLI is used for managing containers via an exposed API point from the dockerd daemon. Some common examples of Docker CLI include Docker Desktop CLI and Docker Compose, but users are also able to use SDKs to interact with the API. For example, Docker SDK for Python can be used to run commands within a Python application.[1]
Adversaries may leverage the Docker CLI, API, or SDK to pull or build Docker images (i.e., Ingress Tool Transfer, Build Image on Host), run containers (i.e., Deploy Container), or execute commands inside running containers (i.e., Container Administration Command). In some cases, threat actors may pull legitimate images that include scripts or tools that they can leverage - for example, using an image that includes the curl command to download payloads.[2] Adversaries may also utilize docker inspect and docker ps to scan for cloud environment variables and other running containers (i.e., Container and Resource Discovery).[3][4]
Kubernetes is responsible for the management and orchestration of containers across clusters. The Kubernetes control plane, which manages the state of the cluster and is responsible for scheduling, communication, and resource monitoring, can be invoked directly via the API or indirectly via CLI tools such as kubectl. It may also be accessed within client libraries such as Go or Python. By utilizing the API, administrators can interact with resources within the cluster such as listing or creating pods, which is a group of one or more containers. Adversaries call the API server via curl or other tools, allowing them to obtain further information about the environment such as pods, deployments, daemonsets, namespaces, or sysvars.[4] They may also run various commands regarding resource management.
| ID | Name | Description |
|---|---|---|
| G0139 | TeamTNT |
TeamTNT targeted misconfigured containers and used container CLI tools.[3] |
| ID | Mitigation | Description |
|---|---|---|
| M1038 | Execution Prevention |
Deny scripting where appropriate. Tools such as Python or Go can utilize Kubernetes and Docker within a client library and execute commands within their application. |
| M1026 | Privileged Account Management |
Restrict permissions on API access. RBAC in Kubernetes involve permissions that are additive, meaning there are no explicit "deny" rules. These permissions can be defined within a particular namespace or within cluster-scoped resources. Securing the Docker daemon can be done by using SSH or TLS with certificate authorization. Container management tools such as Docker and Podman may offer ways to run containers as rootless, which prevents them from running with privileged permissions. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0083 | Container CLI and API Abuse via Docker/Kubernetes (T1059.013) | AN0233 |
Execution of container orchestration commands (e.g., |