1. Home
  2. Techniques
  3. Enterprise
  4. Deploy Container

Deploy Container

Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.

Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow.[1][2][3] Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.[4]

ID: T1610
Sub-techniques:  No sub-techniques
Tactics: Defense Evasion, Execution
Platforms: Containers
Supports Remote:  Yes
Contributors: Alfredo Oliveira, Trend Micro; Ariel Shuper, Cisco; Center for Threat-Informed Defense (CTID); Idan Frimark, Cisco; Magno Logan, @magnologan, Trend Micro; Pawan Kinger, @kingerpawan, Trend Micro; Vishwas Manral, McAfee; Yossi Weizman, Azure Defender Research Team
Version: 1.2
Created: 29 March 2021
Last Modified: 15 April 2023
Version Permalink

Procedure Examples

ID Name Description
S0600 Doki

Doki was run through a deployed container.[5]
S0599 Kinsing

Kinsing was run through a deployed Ubuntu container.[6]
S0683 Peirates

Peirates can deploy a pod that mounts its node’s root file system, then execute a command to create a reverse shell on the node.[7]
G0139 TeamTNT

TeamTNT has deployed different types of containers into victim environments to facilitate execution.[8][9] TeamTNT has also transferred cryptocurrency mining software to Kubernetes clusters discovered within local IP address ranges.[10]

Mitigations

ID Mitigation Description
M1047 Audit

Scan images before deployment, and block those that are not in compliance with security policies. In Kubernetes environments, the admission controller can be used to validate images after a container deployment request is authenticated but before the container is deployed.[11]
M1035 Limit Access to Resource Over Network

Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API, Kubernetes API Server, and container orchestration web applications.[12][13] In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server.[14] Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.[15]
M1030 Network Segmentation

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.
M1018 User Account Management

Enforce the principle of least privilege by limiting container dashboard access to only the necessary users. When using Kubernetes, avoid giving users wildcard permissions or adding users to the system:masters group, and use RoleBindings rather than ClusterRoleBindings to limit user privileges to specific namespaces.[16]

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Configuration management databases (CMDB) and other asset management systems may help with the detection of computer systems or network devices that should not exist on a network.
DS0032 Container Container Creation

Monitor for newly constructed containers that may deploy a container into an environment to facilitate execution or evade defenses.
Container Start

Monitor for activation or invocation of a container that may deploy a container into an environment to facilitate execution or evade defenses.
DS0014 Pod Pod Creation

Monitor for newly constructed pods that may deploy a container into an environment to facilitate execution or evade defenses.
Pod Modification

Monitor for changes made to pods for unexpected modifications to settings and/or control data that may deploy a container into an environment to facilitate execution or evade defenses.

References

  1. Docker. (n.d.). Docker Engine API v1.41 Reference - Container. Retrieved March 29, 2021.
  2. The Kubernetes Authors. (n.d.). Kubernetes Web UI (Dashboard). Retrieved March 29, 2021.
  3. The Kubeflow Authors. (n.d.). Overview of Kubeflow Pipelines. Retrieved March 29, 2021.
  4. Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021.
  5. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  6. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
  7. InGuardians. (2022, January 5). Peirates GitHub. Retrieved February 8, 2022.
  8. Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021.
  1. Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
  2. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  3. National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022.
  4. Docker. (n.d.). Protect the Docker Daemon Socket. Retrieved March 29, 2021.
  5. The Kubernetes Authors. (n.d.). Controlling Access to The Kubernetes API. Retrieved March 29, 2021.
  6. Kubernetes. (n.d.). Overview of Cloud Native Security. Retrieved March 8, 2023.
  7. Microsoft. (2023, February 27). AKS-managed Azure Active Directory integration. Retrieved March 8, 2023.
  8. Kubernetes. (n.d.). Role Based Access Control Good Practices. Retrieved March 8, 2023.