1. Home
  2. Techniques
  3. Enterprise
  4. Container Administration Command

Container Administration Command

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.[1][2][3]

In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container.[4][5] In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.[6]

ID: T1609
Sub-techniques:  No sub-techniques
Tactic: Execution
Platforms: Containers
Supports Remote:  Yes
Contributors: Alfredo Oliveira, Trend Micro; Brad Geesaman, @bradgeesaman; Center for Threat-Informed Defense (CTID); David Fiser, @anu4is, Trend Micro; Magno Logan, @magnologan, Trend Micro; Vishwas Manral, McAfee; Yossi Weizman, Azure Defender Research Team
Version: 1.2
Created: 29 March 2021
Last Modified: 15 October 2024
Version Permalink

Procedure Examples

ID Name Description
S0601 Hildegard

Hildegard was executed through the kubelet API run command and by executing commands on running containers.[7]
S0599 Kinsing

Kinsing was executed with an Ubuntu container entry point that runs shell scripts.[8]
S0683 Peirates

Peirates can use kubectl or the Kubernetes API to run commands.[9]
S0623 Siloscape

Siloscape can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster.[10]
G0139 TeamTNT

TeamTNT executed Hildegard through the kubelet API run command and by executing commands on running containers.[7]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Remove unnecessary tools and software from containers.
M1038 Execution Prevention

Use read-only containers, read-only file systems, and minimal images when possible to prevent the execution of commands.[11] Where possible, also consider using application control and software restriction tools (such as those provided by SELinux) to restrict access to files, processes, and system calls in containers.[12]
M1035 Limit Access to Resource Over Network

Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.[13][14] In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server.[15] Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.[16]
M1026 Privileged Account Management

Ensure containers are not running as root by default. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers and using the NodeRestriction admission controller to deny the kublet access to nodes and pods outside of the node it belongs to.[11] [17]
M1018 User Account Management

Enforce authentication and role-based access control on the container service to restrict users to the least privileges required.[11] When using Kubernetes, avoid giving users wildcard permissions or adding users to the system:masters group, and use RoleBindings rather than ClusterRoleBindings to limit user privileges to specific namespaces.[18]

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor command execution within containers to detect suspicious activity. Commands executed via Docker (docker exec) or Kubernetes (kubectl exec) should be captured along with relevant metadata.

Analytic 1 - Unusual command executions in container services

sourcetype=docker:daemon OR sourcetype=kubernetes:apiserver| search command IN ("docker exec", "kubectl exec")
DS0009 Process Process Creation

Track the creation of new processes within a container environment, which could indicate suspicious activity initiated via the Docker daemon or Kubernetes API server.

Analytic 1 - Unusual process creation within containers

sourcetype=docker:daemon OR sourcetype=kubernetes:container| search action="start" OR action="exec"

References

  1. Docker. (n.d.). DockerD CLI. Retrieved March 29, 2021.
  2. The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021.
  3. The Kubernetes Authors. (n.d.). Kubelet. Retrieved March 29, 2021.
  4. Docker. (n.d.). Docker run reference. Retrieved March 29, 2021.
  5. Docker. (n.d.). Docker Exec. Retrieved March 29, 2021.
  6. The Kubernetes Authors. (n.d.). Get a Shell to a Running Container. Retrieved March 29, 2021.
  7. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  8. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
  9. InGuardians. (2022, January 5). Peirates GitHub. Retrieved February 8, 2022.
  1. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  2. National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022.
  3. Kubernetes. (n.d.). Configure a Security Context for a Pod or Container. Retrieved March 8, 2023.
  4. Docker. (n.d.). Protect the Docker Daemon Socket. Retrieved March 29, 2021.
  5. The Kubernetes Authors. (n.d.). Controlling Access to The Kubernetes API. Retrieved March 29, 2021.
  6. Kubernetes. (n.d.). Overview of Cloud Native Security. Retrieved March 8, 2023.
  7. Microsoft. (2023, February 27). AKS-managed Azure Active Directory integration. Retrieved March 8, 2023.
  8. Kubernetes. (n.d.). Admission Controllers Reference. Retrieved March 8, 2023.
  9. Kubernetes. (n.d.). Role Based Access Control Good Practices. Retrieved March 8, 2023.