T1610 Deploy Container Mappings

Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.

Containers can be deployed by various means, such as via Docker's <code>create</code> and <code>start</code> APIs or via a web application such as the Kubernetes dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1610 Deploy Container
AC-2 Account Management Protects T1610 Deploy Container
AC-3 Access Enforcement Protects T1610 Deploy Container
AC-6 Least Privilege Protects T1610 Deploy Container
CM-6 Configuration Settings Protects T1610 Deploy Container
CM-7 Least Functionality Protects T1610 Deploy Container
IA-2 Identification and Authentication (organizational Users) Protects T1610 Deploy Container
SC-7 Boundary Protection Protects T1610 Deploy Container
SI-4 System Monitoring Protects T1610 Deploy Container