Adversaries may gather credentials via APIs within a container environment. APIs in these environments, such as the Docker API and the Kubernetes API, allow a user to remotely manage container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)
An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as those granted to a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or Secrets belonging to Kubernetes cluster components.
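The second paragraph turns on what "sufficient permissions" means for a pod's service account: whether the RBAC rules bound to that account cover the core-group `secrets` resource with a read verb. The script below is an added example, not code from MITRE ATT&CK or from either cited source. It reproduces the API server's authorization logic for Secret reads (apiGroups covering `""`, resources covering `secrets`, verbs including `get`, `list` or `watch`, with `*` matching anything; a ClusterRoleBinding grants cluster-wide, a RoleBinding only in its own namespace even when it references a ClusterRole), reports which service accounts would succeed and at which API path, and emits the `kubectl auth can-i` commands to confirm each finding against a live cluster. All Role and binding objects in it are constructed sample data, not from a real cluster.

```python
"""Find Kubernetes service accounts whose RBAC grants let them read Secrets.

Added example for the T1552.007 description; not MITRE's or any cited
project's code. The RBAC objects below are constructed sample data.
"""

READ_VERBS = {"get", "list", "watch"}


def rule_grants_secret_read(rule: dict) -> bool:
    """True if one PolicyRule allows reading core-group ("") Secrets."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    return (
        bool(groups & {"*", ""})
        and bool(resources & {"*", "secrets"})
        and bool(verbs & (READ_VERBS | {"*"}))
    )


def role_grants_secret_read(role: dict) -> bool:
    """True if any rule of a Role/ClusterRole allows reading Secrets.
    A rule narrowed with resourceNames still counts: it permits `get`
    on the named Secrets."""
    return any(rule_grants_secret_read(r) for r in role.get("rules", []))


def find_secret_readers(roles: list, bindings: list) -> dict:
    """Map each service account (system:serviceaccount:<ns>:<name>) that can
    read Secrets to the namespaces it can read them in; "*" means every
    namespace (only reachable through a ClusterRoleBinding)."""
    index = {}
    for role in roles:  # ClusterRoles have no namespace, so the key holds None
        meta = role["metadata"]
        index[(role["kind"], meta.get("namespace"), meta["name"])] = role

    findings: dict = {}
    for binding in bindings:
        ref = binding["roleRef"]
        if ref["kind"] == "ClusterRole":
            role = index.get(("ClusterRole", None, ref["name"]))
        else:  # a Role can only be referenced from a RoleBinding in its namespace
            role = index.get(("Role", binding["metadata"]["namespace"], ref["name"]))
        if role is None or not role_grants_secret_read(role):
            continue  # dangling reference, or the role cannot read Secrets
        scope = "*" if binding["kind"] == "ClusterRoleBinding" else binding["metadata"]["namespace"]
        for subject in binding.get("subjects", []):
            if subject.get("kind") != "ServiceAccount":
                continue  # Users/Groups cannot be used from a mounted pod token
            name = f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
            findings.setdefault(name, set()).add(scope)
    return findings


def secrets_endpoint(scope: str) -> str:
    """API path a pod token with that scope would request to dump Secrets."""
    return "/api/v1/secrets" if scope == "*" else f"/api/v1/namespaces/{scope}/secrets"


def can_i_commands(findings: dict) -> list:
    """kubectl commands an operator runs to confirm each finding live."""
    cmds = []
    for name, scopes in sorted(findings.items()):
        for scope in sorted(scopes):
            ns_flag = "--all-namespaces" if scope == "*" else f"-n {scope}"
            cmds.append(f"kubectl auth can-i list secrets --as={name} {ns_flag}")
    return cmds


# Constructed sample RBAC objects (trimmed to the fields the checks use).
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "configmap-reader"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "ns-admin", "namespace": "dev"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "deployer"}]},
    {"kind": "RoleBinding", "metadata": {"name": "app-secrets", "namespace": "payments"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "payments", "name": "app"}]},
    {"kind": "RoleBinding", "metadata": {"name": "monitor-pods", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "payments", "name": "monitor"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cm-readers"},
     "roleRef": {"kind": "ClusterRole", "name": "configmap-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "kube-system", "name": "cm-reader"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-admins", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "ns-admin"},
     "subjects": [{"kind": "User", "name": "alice"},
                  {"kind": "ServiceAccount", "namespace": "dev", "name": "builder"}]},
]

if __name__ == "__main__":
    found = find_secret_readers(SAMPLE_ROLES, SAMPLE_BINDINGS)
    for account, scopes in sorted(found.items()):
        paths = ", ".join(secrets_endpoint(s) for s in sorted(scopes))
        print(f"{account}: can read Secrets via {paths}")
    print("\n".join(can_i_commands(found)))
```

On real clusters feed it `kubectl get clusterroles,roles -A -o json` and `kubectl get clusterrolebindings,rolebindings -A -o json`; the sample deliberately includes a RoleBinding to a ClusterRole (namespace-scoped despite the cluster-wide role), a dangling-safe lookup, and a ConfigMap-only role so that the three true findings are the only ones reported.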
Security control mappings (NIST SP 800-53 control IDs) for this technique:

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-17 | Remote Access | Protects | T1552.007 | Container API |
AC-02 | Account Management | Protects | T1552.007 | Container API |
AC-23 | Data Mining Protection | Protects | T1552.007 | Container API |
AC-03 | Access Enforcement | Protects | T1552.007 | Container API |
AC-04 | Information Flow Enforcement | Protects | T1552.007 | Container API |
AC-05 | Separation of Duties | Protects | T1552.007 | Container API |
AC-06 | Least Privilege | Protects | T1552.007 | Container API |
CM-05 | Access Restrictions for Change | Protects | T1552.007 | Container API |
CM-06 | Configuration Settings | Protects | T1552.007 | Container API |
CM-07 | Least Functionality | Protects | T1552.007 | Container API |
IA-02 | Identification and Authentication (Organizational Users) | Protects | T1552.007 | Container API |
SC-46 | Cross Domain Policy Enforcement | Protects | T1552.007 | Container API |
SC-07 | Boundary Protection | Protects | T1552.007 | Container API |
SC-08 | Transmission Confidentiality and Integrity | Protects | T1552.007 | Container API |