1. Home
  2. Techniques
  3. Enterprise
  4. Create or Modify System Process
  5. Container Service

Create or Modify System Process: Container Service

ID Name
T1543.001 Launch Agent
T1543.002 Systemd Service
T1543.003 Windows Service
T1543.004 Launch Daemon
T1543.005 Container Service

Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may be able to achieve persistence or escalate their privileges on a host.

For example, by using the docker run or podman run command with the restart=always directive, a container can be configured to persistently restart on the host.[1] A user with access to the (rootful) docker command may also be able to escalate their privileges on the host.[2]

In Kubernetes environments, DaemonSets allow an adversary to persistently Deploy Containers on all nodes, including ones added later to the cluster.[3][4] Pods can also be deployed to specific nodes using the nodeSelector or nodeName fields in the pod spec.[5][6]

Note that containers can also be configured to run as Systemd Services.[7][8]

ID: T1543.005
Sub-technique of:  T1543
Platforms: Containers
Version: 1.0
Created: 15 February 2024
Last Modified: 16 April 2024
Version Permalink

Mitigations

ID Mitigation Description
M1054 Software Configuration

Where possible, consider enforcing the use of container services in rootless mode to limit the possibility of privilege escalation or malicious effects on the host running the container.

M1018 User Account Management

Limit access to utilities such as docker to only users who have a legitimate need, especially if using docker in rootful mode. In Kubernetes environments, only grant privileges to deploy pods to users that require it.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor for suspicious uses of the docker or podman command, such as attempts to mount the root filesystem of the host.

DS0032 Container Container Creation

Monitor for newly constructed containers that repeatedly execute malicious payloads as part of persistence or privilege escalation.

References

  1. Ofek Itach and Assaf Morag. (2023, July 13). TeamTNT Reemerged with New Aggressive Cloud Campaign. Retrieved February 15, 2024.
  2. GTFOBins. (n.d.). docker. Retrieved February 15, 2024.
  3. Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14, 2023.
  4. Kubernetes. (n.d.). DaemonSet. Retrieved February 15, 2024.
  1. Kubernetes. (n.d.). Assigning Pods to Nodes. Retrieved February 15, 2024.
  2. Abhisek Datta. (2020, March 18). Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1. Retrieved January 16, 2024.
  3. Valentin Rothberg. (2022, March 16). How to run pods as systemd services with Podman. Retrieved February 15, 2024.
  4. Docker. (n.d.). Start containers automatically. Retrieved February 15, 2024.