Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.
These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution.

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-17 | Remote Access | Protects | T1613 | Container and Resource Discovery |
AC-2 | Account Management | Protects | T1613 | Container and Resource Discovery |
AC-3 | Access Enforcement | Protects | T1613 | Container and Resource Discovery |
AC-6 | Least Privilege | Protects | T1613 | Container and Resource Discovery |
CM-6 | Configuration Settings | Protects | T1613 | Container and Resource Discovery |
CM-7 | Least Functionality | Protects | T1613 | Container and Resource Discovery |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1613 | Container and Resource Discovery |
SC-43 | Usage Restrictions | Protects | T1613 | Container and Resource Discovery |
SC-7 | Boundary Protection | Protects | T1613 | Container and Resource Discovery |
SI-4 | System Monitoring | Protects | T1613 | Container and Resource Discovery |