T1609: Container Administration Command

Platforms: Containers

ATT&CK version: 14.1

What it is

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment. (Citation: Docker Daemon CLI) (Citation: Kubernetes API) (Citation: Kubernetes Kubelet) In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container. (Citation: Docker Entrypoint) (Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec. (Citation: Kubectl Exec Get Shell)
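A detection-side illustration of the Kubernetes path described above, added here and not part of the MITRE or SQUR text: it scans Kubernetes API server audit events for requests to the pods/exec subresource and reports who ran what in which container. Field names follow the audit.k8s.io/v1 event format; the sample events, user names and pod names are constructed, and treating HTTP 401/403 as "denied" is an assumption of this sketch.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed audit events (audit.k8s.io/v1 field names), one JSON object per line.
SAMPLE_AUDIT_LOG = "\n".join([
    '{"auditID":"a1","stage":"RequestReceived","verb":"create","requestURI":"/api/v1/namespaces/prod/pods/web-0/exec?command=sh&container=web&stdin=true&tty=true","user":{"username":"dev-alice"},"sourceIPs":["198.51.100.7"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-0"}}',
    '{"auditID":"a1","stage":"ResponseStarted","verb":"create","requestURI":"/api/v1/namespaces/prod/pods/web-0/exec?command=sh&container=web&stdin=true&tty=true","user":{"username":"dev-alice"},"sourceIPs":["198.51.100.7"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-0"},"responseStatus":{"code":101}}',
    '{"auditID":"b2","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/namespaces/prod/pods/db-0/exec?command=cat&command=%2Fetc%2Fhostname&container=db&stdout=true","user":{"username":"system:serviceaccount:ci:builder"},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"db-0"},"responseStatus":{"code":403}}',
    '{"auditID":"c3","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/namespaces/prod/pods/web-0","user":{"username":"dev-alice"},"sourceIPs":["198.51.100.7"],"objectRef":{"resource":"pods","namespace":"prod","name":"web-0"},"responseStatus":{"code":200}}',
    '{"auditID":"d4","stage":"Respon',  # truncated line, must be skipped
])

# kubectl exec reaches pods/exec as POST (verb "create") or, over WebSocket, GET (verb "get").
EXEC_VERBS = {"create", "get"}

def find_exec_events(log_text):
    """Return one finding per pods/exec request; the last audit stage seen per auditID wins."""
    by_id = {}
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        if not isinstance(ev, dict):
            continue
        ref = ev.get("objectRef") or {}
        if (ref.get("resource"), ref.get("subresource")) != ("pods", "exec"):
            continue
        if ev.get("verb") not in EXEC_VERBS:
            continue
        # The command, container and stream flags travel in the request query string.
        query = parse_qs(urlsplit(ev.get("requestURI", "")).query)
        code = (ev.get("responseStatus") or {}).get("code")
        by_id[ev.get("auditID")] = {
            "user": (ev.get("user") or {}).get("username"),
            "source_ips": ev.get("sourceIPs", []),
            "namespace": ref.get("namespace"),
            "pod": ref.get("name"),
            "container": query.get("container", [None])[0],
            "command": query.get("command", []),
            "interactive": query.get("stdin") == ["true"] and query.get("tty") == ["true"],
            "denied": code in (401, 403),  # assumption: these codes mean the request was refused
        }
    return list(by_id.values())

if __name__ == "__main__":
    for finding in find_exec_events(SAMPLE_AUDIT_LOG):
        print(finding)
```

Events appear only if the cluster's audit policy records the pods/exec subresource at Metadata level or higher.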

ATT&CK tactics: 1

Execution

References

  1. https://attack.mitre.org/techniques/T1609
  2. https://docs.docker.com/engine/reference/commandline/exec/
  3. https://docs.docker.com/engine/reference/run/#entrypoint-default-command-to-execute-at-runtime
  4. https://docs.docker.com/engine/reference/commandline/dockerd/
  5. https://kubernetes.io/docs/tasks/debug-application-cluster/get-shell-running-container/
  6. https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
  7. https://kubernetes.io/docs/concepts/overview/kubernetes-api/
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.