1. Home
  2. ATT&CK Techniques
  3. T1610 Deploy Container

T1610 Deploy Container Mappings

Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.

Containers can be deployed by various means, such as via Docker's <code>create</code> and <code>start</code> APIs or via a web application such as the Kubernetes dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)

View in MITRE ATT&CK®

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
artifact_registry Artifact Registry technique_scores T1610 Deploy Container
Comments
Once this control is deployed, it can detect known vulnerabilities in Docker containers. This information can be used to detect malicious implanted images in the environment. This control does not directly protect against exploitation.
References
  1. https://cloud.google.com/container-analysis/docs/container-analysis
  2. https://cloud.google.com/container-analysis/docs/container-scanning-overview
google_kubernetes_engine Google Kubernetes Engine technique_scores T1610 Deploy Container
Comments
Kubernetes role-based access control (RBAC), uses granular permissions to control access to resources within projects and objects within Kubernetes clusters.
References
  1. https://cloud.google.com/kubernetes-engine/docs/concepts/access-control
  2. https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks
anthosconfigmanagement AnthosConfigManagement technique_scores T1610 Deploy Container
Comments
Anthos Config Management's Policy Controller enables you to enforce fully programmable policies on your clusters. You can use these policies to shift security left and guard against violations during development and test time, as well as runtime violations. This control can be used to block adversaries that try to deploy new containers with malware or configurations policies that are not in compliance with security policies already defined.
References
  1. https://cloud.google.com/anthos-config-management/
binary_authorization Binary Authorization technique_scores T1610 Deploy Container
Comments
Based on configured policies, Binary Authorization allows or blocks deployment of container images.
References
  1. https://cloud.google.com/binary-authorization/docs/overview
  2. https://cloud.google.com/binary-authorization/docs/attestations
container_registry Container Registry technique_scores T1610 Deploy Container
Comments
Once this control is deployed, it can scan for known vulnerabilities in containers. This information can be used to detect malicious deployed containers used to evade defenses and execute processes in a target environment. Due to the medium threat detection coverage and temporal factor, the control was scored as partial.
References
  1. https://cloud.google.com/container-registry/docs/container-analysis
  2. https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr