Unsecured Credentials: Container API

Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.[1][2]

An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.[3] An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components.

ID: T1552.007
Sub-technique of:  T1552
Platforms: Containers
Permissions Required: Administrator, User
Data Sources: Command: Command Execution, File: File Access, User Account: User Account Authentication
Contributors: Center for Threat-Informed Defense (CTID); Jay Chen, Palo Alto Networks; Yossi Weizman, Azure Defender Research Team
Version: 1.0
Created: 31 March 2021
Last Modified: 12 April 2021

Mitigations

ID Mitigation Description
M1035 Limit Access to Resource Over Network

Limit communications with the container service to local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.[4][5]

M1030 Network Segmentation

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.

M1026 Privileged Account Management

Use the principle of least privilege for privileged accounts such as the service account in Kubernetes.

Detection

Establish centralized logging for the activity of container and Kubernetes cluster components. Monitor logs for actions that could be taken to gather credentials to container and cloud infrastructure, including the use of discovery API calls by new or unexpected users and APIs that access Docker logs.

It may be possible to detect adversary use of credentials they have obtained such as in Valid Accounts.

References