T1609 Container Administration Command Mappings

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)

In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as <code>docker exec</code> to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as <code>kubectl exec</code>.(Citation: Kubectl Exec Get Shell)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1609 Container Administration Command
AC-2 Account Management Protects T1609 Container Administration Command
AC-3 Access Enforcement Protects T1609 Container Administration Command
AC-6 Least Privilege Protects T1609 Container Administration Command
CM-6 Configuration Settings Protects T1609 Container Administration Command
CM-7 Least Functionality Protects T1609 Container Administration Command
SC-7 Boundary Protection Protects T1609 Container Administration Command
SI-10 Information Input Validation Protects T1609 Container Administration Command
SI-7 Software, Firmware, and Information Integrity Protects T1609 Container Administration Command