Unsecured Credentials: Container API

Adversaries may gather credentials via APIs within a container environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.[1][2]

An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.[3] An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components.

ID: T1552.007
Sub-technique of:  T1552
Platforms: Containers
Contributors: Center for Threat-Informed Defense (CTID); Jay Chen, Palo Alto Networks; Yossi Weizman, Azure Defender Research Team
Version: 1.2
Created: 31 March 2021
Last Modified: 15 October 2024

Procedure Examples

ID Name Description
S0683 Peirates

Peirates can query the Kubernetes API for secrets.[4]

Mitigations

ID Mitigation Description
M1035 Limit Access to Resource Over Network

Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.[5][6] In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access the API server.[7] Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.[8]
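The Docker half of this mitigation comes down to how the daemon listens. As an added example (not ATT&CK's or Docker's own code), the following Python audit reads a daemon.json document and flags a TCP listener that does not require client certificates, or that binds every interface. The two configurations and the certificate paths are constructed for the example; the keys it inspects (hosts, tlsverify, tlscacert, tlscert, tlskey) are real daemon.json options.

```python
import json

# Constructed example of an insecure daemon.json: besides the local socket, the
# engine listens on a plaintext TCP port, so anyone who can reach 2375 gets full,
# unauthenticated control of the host's containers and can read their logs.
INSECURE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed example of a hardened daemon.json: the TCP listener is bound to a
# management address and requires mutual TLS, so a client must present a
# certificate signed by the configured CA before the API answers at all.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",        # constructed path
    "tlscert": "/etc/docker/server-cert.pem",  # constructed path
    "tlskey": "/etc/docker/server-key.pem",    # constructed path
})

TLS_FILE_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(raw: str) -> list[str]:
    """Return findings for a daemon.json document; an empty list means every
    network listener requires a client certificate."""
    cfg = json.loads(raw)
    findings: list[str] = []
    # When "hosts" is absent the daemon only serves the local Unix socket.
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])
    tcp_hosts = [h for h in hosts if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # local socket only: nothing is reachable over the network
    if not cfg.get("tlsverify", False):
        # "tls": true alone only encrypts the connection; "tlsverify" is the
        # setting that authenticates the client.
        findings.append(
            f"TCP listener(s) {', '.join(tcp_hosts)} accept unauthenticated clients "
            "(tlsverify is not true)")
    else:
        for key in TLS_FILE_KEYS:
            if key not in cfg:
                findings.append(f"tlsverify is set but {key} is missing")
    for h in tcp_hosts:
        if "0.0.0.0" in h or "[::]" in h:
            findings.append(
                f"{h} binds every interface; bind a management address, or use the "
                "Unix socket over SSH instead")
    return findings


if __name__ == "__main__":
    for label, doc in (("insecure", INSECURE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(doc) or "OK")
```

Run the same function over the real file (`/etc/docker/daemon.json` on most Linux hosts) to get the same findings for your own engines; a clean result still leaves the Kubernetes API server and cloud IP restrictions from the paragraph above to check separately.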

M1030 Network Segmentation

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.

M1026 Privileged Account Management

Use the principle of least privilege for privileged accounts such as the service account in Kubernetes. For example, if a pod is not required to access the Kubernetes API, consider disabling the service account altogether.[9]

M1018 User Account Management

Enforce authentication and role-based access control on the container API to restrict users to the least privileges required.[10] When using Kubernetes, avoid giving users wildcard permissions or adding users to the system:masters group, and use RoleBindings rather than ClusterRoleBindings to limit user privileges to specific namespaces.[11]
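The two preceding mitigations (M1026 and M1018) can be checked from the objects the API server already holds. The following Python audit is an added example, not ATT&CK's or Kubernetes' own tooling: it walks a list of objects in the shape `kubectl get ... -o json` emits and flags wildcard RBAC rules, cluster-wide bindings that grant a person or group privileges everywhere, bindings that reference the system:masters group, and pods that run as the default service account with an API token auto-mounted. The sample objects, names and namespaces are constructed; the field names (rules, roleRef, subjects, automountServiceAccountToken) are the real API fields.

```python
import json

# Constructed sample in the shape `kubectl get -o json` emits, trimmed to the
# fields the audit reads. None of these objects come from a real cluster.
SAMPLE_OBJECTS = [
    # Namespaced Role with wildcard rules: confined to one namespace, but still
    # every verb on every resource there, secrets included.
    {"kind": "Role", "metadata": {"name": "app-all", "namespace": "payments"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    # Least-privilege Role: one resource type, read-only verbs.
    {"kind": "Role", "metadata": {"name": "app-config-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    # ClusterRoleBinding that makes a human user cluster-admin in every namespace.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "alice-admin"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    # RoleBinding confined to the payments namespace: the preferred shape.
    {"kind": "RoleBinding", "metadata": {"name": "app-config-reader", "namespace": "payments"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "app-config-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "payments"}]},
    # Pod on the default service account with its token auto-mounted although
    # nothing in it talks to the API server: a credential waiting to be read.
    {"kind": "Pod", "metadata": {"name": "web-0", "namespace": "payments"},
     "spec": {"serviceAccountName": "default", "containers": [{"name": "web", "image": "nginx"}]}},
    # Pod that opts out of the token mount: compromising it yields no API credential.
    {"kind": "Pod", "metadata": {"name": "batch-0", "namespace": "payments"},
     "spec": {"serviceAccountName": "batch", "automountServiceAccountToken": False,
              "containers": [{"name": "job", "image": "busybox"}]}},
]


def _ref(obj: dict) -> str:
    """kind namespace/name label used in findings."""
    meta = obj.get("metadata", {})
    ns = meta.get("namespace")
    return f"{obj['kind']} {ns + '/' if ns else ''}{meta.get('name')}"


def audit_rbac(objects: list[dict]) -> list[str]:
    """Return one finding per least-privilege violation, in input order."""
    findings: list[str] = []
    for obj in objects:
        kind = obj.get("kind")
        if kind in ("Role", "ClusterRole"):
            for rule in obj.get("rules", []):
                if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
                    findings.append(
                        f"{_ref(obj)}: wildcard rule verbs={rule.get('verbs')} "
                        f"resources={rule.get('resources')}; enumerate exact resources and verbs")
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            for subj in obj.get("subjects", []):
                if subj.get("kind") == "Group" and subj.get("name") == "system:masters":
                    # Membership of system:masters bypasses RBAC entirely; a binding
                    # naming it is a sign people are being put in the superuser group.
                    findings.append(f"{_ref(obj)}: binds system:masters, which bypasses RBAC")
                elif (kind == "ClusterRoleBinding"
                      and subj.get("kind") in ("User", "Group")
                      and not subj.get("name", "").startswith("system:")):
                    findings.append(
                        f"{_ref(obj)}: cluster-wide grant of {obj['roleRef']['name']} to "
                        f"{subj['kind']} {subj['name']}; prefer a RoleBinding in the needed namespace")
        elif kind == "Pod":
            spec = obj.get("spec", {})
            if (spec.get("serviceAccountName", "default") == "default"
                    and spec.get("automountServiceAccountToken", True)):
                findings.append(
                    f"{_ref(obj)}: default service account token is auto-mounted; set "
                    "automountServiceAccountToken: false if the pod never calls the API")
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_rbac(SAMPLE_OBJECTS), indent=2))
```

Against a live cluster, feed it the `items` array of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings,pods -A -o json`. The pod check is deliberately conservative: it only reports the default service account, since a named service account with a narrow RoleBinding is the case where a mounted token is usually intended.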

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Establish centralized logging for the activity of container and Kubernetes cluster components. Monitor logs for actions that could be taken to gather credentials to container and cloud infrastructure, including the use of discovery API calls by new or unexpected users and APIs that access Docker logs.

Analytic 1 - Unexpected API calls or access to Docker logs indicating credential access.

index=containers sourcetype IN ("docker:events", "kubernetes:api", "kubernetes:container") | search Command IN ("docker logs", "kubectl get secrets", "kubectl describe secret", "kubectl exec", "curl http[:]//169.254.169[.]254/latest/meta-data/iam/security-credentials/", "aws iam list-access-keys", "az ad sp list")
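The Splunk search above keys on command strings; the same activity is also visible in the API server's own audit log, where the principal, verb and target object are structured fields. As an added example (not ATT&CK's own analytic), the following Python rule runs over a handful of constructed Kubernetes audit events (audit.k8s.io/v1 Event objects, one per line, trimmed to the relevant fields) and raises alerts for secret reads by principals outside an allowlist, cluster-wide enumeration of secrets, and interactive exec into pods. The sample events, usernames, IPs and the allowlist are constructed.

```python
import json

# Constructed audit events; field names follow audit.k8s.io/v1, the values do not
# come from any real cluster.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kube-system:default","groups":["system:serviceaccounts"]},"objectRef":{"resource":"configmaps","namespace":"kube-system","name":"cluster-info"},"sourceIPs":["10.0.0.12"],"stageTimestamp":"2024-10-15T10:00:01Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:payments:web","groups":["system:serviceaccounts"]},"objectRef":{"resource":"secrets"},"sourceIPs":["10.244.1.7"],"stageTimestamp":"2024-10-15T10:02:13Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:payments:web","groups":["system:serviceaccounts"]},"objectRef":{"resource":"secrets","namespace":"payments","name":"cloud-creds"},"sourceIPs":["10.244.1.7"],"stageTimestamp":"2024-10-15T10:02:14Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"objectRef":{"resource":"secrets","namespace":"payments","name":"app-token"},"sourceIPs":["10.0.0.1"],"stageTimestamp":"2024-10-15T10:02:20Z"}
{"kind":"Event","stage":"ResponseStarted","verb":"create","user":{"username":"alice","groups":["developers"]},"objectRef":{"resource":"pods","namespace":"payments","name":"web-0","subresource":"exec"},"sourceIPs":["203.0.113.9"],"stageTimestamp":"2024-10-15T10:05:00Z"}
"""

# Constructed allowlist: control-plane components that legitimately read secrets.
# A real deployment would add its own operators here after reviewing a baseline.
SECRET_READERS_ALLOWED = {"system:kube-controller-manager", "system:kube-scheduler"}
SECRET_VERBS = {"get", "list", "watch"}


def parse_audit_log(text: str) -> list[dict]:
    """Parse newline-delimited audit events, dropping the RequestReceived stage
    so each request is counted once (it is logged again at ResponseComplete)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("stage") == "RequestReceived":
            continue
        events.append(ev)
    return events


def detect_credential_access(events: list[dict]) -> list[dict]:
    """Return alert records for secret access and pod exec outside the allowlist."""
    alerts = []
    for ev in events:
        user = ev.get("user", {}).get("username", "")
        ref = ev.get("objectRef", {})
        base = {"user": user, "ts": ev.get("stageTimestamp"),
                "source": ",".join(ev.get("sourceIPs", []))}
        if ref.get("resource") == "secrets" and ev.get("verb") in SECRET_VERBS:
            if user in SECRET_READERS_ALLOWED:
                continue
            namespaced = bool(ref.get("namespace"))
            scope = f"{ref['namespace']}/{ref.get('name', '*')}" if namespaced else "cluster-wide"
            # A list/watch with no namespace is enumeration across the whole cluster,
            # which a workload service account almost never needs.
            rule = "secret-read" if namespaced else "secrets-enumeration"
            alerts.append({**base, "rule": rule, "detail": f"{ev['verb']} secrets {scope}"})
        elif ref.get("resource") == "pods" and ref.get("subresource") == "exec":
            alerts.append({**base, "rule": "pod-exec",
                           "detail": f"exec into {ref.get('namespace')}/{ref.get('name')}"})
    return alerts


def run() -> list[dict]:
    """Convenience entry point: parse the constructed log and evaluate the rule."""
    return detect_credential_access(parse_audit_log(SAMPLE_AUDIT_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert["ts"], alert["rule"], alert["user"], alert["detail"], alert["source"])
```

Point `parse_audit_log` at the API server's audit log file (its location is set by the `--audit-log-path` flag and the audit policy must record secrets at Metadata level or above) and the same three alert kinds come out; the controller-manager read in the sample is silently dropped because it is on the allowlist, which is the tuning knob to extend per environment.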

DS0002 User Account User Account Authentication

It may be possible to detect adversary use of credentials they have obtained such as in Valid Accounts.

Analytic 1 - Failed or unusual logon attempts using compromised credentials.

(index=containers sourcetype="docker:events" action="create" container_name="" user!="root") OR (index=containers sourcetype="kubernetes:api" verb IN ("create", "patch", "delete") objectRef.resource IN ("pods", "secrets") user.username!="system:serviceaccount:")

References