Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.
Containers can be deployed by various means, such as via Docker's <code>create</code> and <code>start</code> APIs or via a web application such as the Kubernetes dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes | 
|---|---|---|---|---|---|
| AC-17 | Remote Access | Protects | T1610 | Deploy Container | |
| AC-2 | Account Management | Protects | T1610 | Deploy Container | |
| AC-3 | Access Enforcement | Protects | T1610 | Deploy Container | |
| AC-6 | Least Privilege | Protects | T1610 | Deploy Container | |
| CM-6 | Configuration Settings | Protects | T1610 | Deploy Container | |
| CM-7 | Least Functionality | Protects | T1610 | Deploy Container | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1610 | Deploy Container | |
| SC-7 | Boundary Protection | Protects | T1610 | Deploy Container | |
| SI-4 | System Monitoring | Protects | T1610 | Deploy Container | 
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes | 
|---|---|---|---|---|---|
| action.malware.variety.Downloader | Downloader (pull updates or other malware) | related-to | T1610 | Deploy Container | |
| action.malware.variety.Unknown | Unknown | related-to | T1610 | Deploy Container |