T1552.007 Container API Mappings

Adversaries may gather credentials via APIs within a container environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)

An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components.
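Added example, not part of the ATT&CK page or the mapping project: a small detector that runs over constructed Kubernetes audit-log events (JSON, one event per line) and flags successful reads of `secrets` by pod service accounts, the Kubernetes-side behaviour described above. The log lines, account names and allowlist are constructed assumptions; the field names (`verb`, `user.username`, `objectRef`, `responseStatus.code`) are those of the Kubernetes audit Event format.

```python
import json

# Constructed Kubernetes audit-log events for illustration; not from a real cluster.
SAMPLE_AUDIT_LOG = """
{"verb":"get","user":{"username":"system:serviceaccount:default:web-app"},"objectRef":{"resource":"secrets","namespace":"default","name":"db-creds"},"responseStatus":{"code":200}}
{"verb":"list","user":{"username":"system:serviceaccount:kube-system:metrics-agent"},"objectRef":{"resource":"secrets","namespace":""},"responseStatus":{"code":200}}
{"verb":"get","user":{"username":"alice@example.com"},"objectRef":{"resource":"secrets","namespace":"default","name":"tls"},"responseStatus":{"code":200}}
{"verb":"get","user":{"username":"system:serviceaccount:default:web-app"},"objectRef":{"resource":"configmaps","namespace":"default","name":"app-config"},"responseStatus":{"code":200}}
{"verb":"list","user":{"username":"system:serviceaccount:default:web-app"},"objectRef":{"resource":"secrets","namespace":"default"},"responseStatus":{"code":403}}
"""

# Verbs that return secret contents to the caller.
READ_VERBS = {"get", "list", "watch"}


def find_secret_reads(audit_log: str, allowlist=frozenset()):
    """Return one finding per successful secrets read by a service account
    that is not on the allowlist. Denied requests (non-200) are skipped here;
    a separate rule would normally count them as probing."""
    findings = []
    for line in audit_log.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        user = event.get("user", {}).get("username", "")
        ref = event.get("objectRef", {})
        if (ref.get("resource") == "secrets"
                and event.get("verb") in READ_VERBS
                and user.startswith("system:serviceaccount:")
                and user not in allowlist
                and event.get("responseStatus", {}).get("code") == 200):
            findings.append({
                "account": user,
                "verb": event["verb"],
                # An empty namespace on a list/watch means a cluster-wide read.
                "namespace": ref.get("namespace") or "<cluster-wide>",
                "secret": ref.get("name") or "<all>",
            })
    return findings


if __name__ == "__main__":
    for f in find_secret_reads(SAMPLE_AUDIT_LOG):
        print(f)
```

Service accounts that legitimately read secrets (operators, CSI drivers) go on the allowlist; everything else that succeeds is a candidate for least-privilege review under AC-06.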

Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
AC-17 | Remote Access | Protects | T1552.007 | Container API
AC-02 | Account Management | Protects | T1552.007 | Container API
AC-23 | Data Mining Protection | Protects | T1552.007 | Container API
AC-03 | Access Enforcement | Protects | T1552.007 | Container API
AC-04 | Information Flow Enforcement | Protects | T1552.007 | Container API
AC-05 | Separation of Duties | Protects | T1552.007 | Container API
AC-06 | Least Privilege | Protects | T1552.007 | Container API
CM-05 | Access Restrictions for Change | Protects | T1552.007 | Container API
CM-06 | Configuration Settings | Protects | T1552.007 | Container API
CM-07 | Least Functionality | Protects | T1552.007 | Container API
IA-02 | Identification and Authentication (Organizational Users) | Protects | T1552.007 | Container API
SC-46 | Cross Domain Policy Enforcement | Protects | T1552.007 | Container API
SC-07 | Boundary Protection | Protects | T1552.007 | Container API
SC-08 | Transmission Confidentiality and Integrity | Protects | T1552.007 | Container API