1. Home
  2. ATT&CK Techniques
  3. T1543.005 Container Service

T1543.005 Container Service

Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may be able to achieve persistence or escalate their privileges on a host.

For example, by using the docker run or podman run command with the restart=always directive, a container can be configured to persistently restart on the host.(Citation: AquaSec TeamTNT 2023) A user with access to the (rootful) docker command may also be able to escalate their privileges on the host.(Citation: GTFOBins Docker)

In Kubernetes environments, DaemonSets allow an adversary to persistently Deploy Containers on all nodes, including ones added later to the cluster.(Citation: Aquasec Kubernetes Attack 2023)(Citation: Kubernetes DaemonSet) Pods can also be deployed to specific nodes using the nodeSelector or nodeName fields in the pod spec.(Citation: Kubernetes Assigning Pods to Nodes)(Citation: AppSecco Kubernetes Namespace Breakout 2020)

Note that containers can also be configured to run as Systemd Services.(Citation: Podman Systemd)(Citation: Docker Systemd)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.PS-01.01 Configuration baselines Mitigates T1543.005 Container Service
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
    PR.PS-01.02 Least functionality Mitigates T1543.005 Container Service
    Comments
    This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
    References
      PR.PS-01.03 Configuration deviation Mitigates T1543.005 Container Service
      Comments
      This diagnostic statement provides protection from Create or Modify System Process: Container Service through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
      References
        DE.CM-03.03 Privileged account monitoring Mitigates T1543.005 Container Service
        Comments
        This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
        References
          PR.AA-01.02 Physical and logical access Mitigates T1543.005 Container Service
          Comments
          This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
          References
            PR.AA-01.01 Identity and credential management Mitigates T1543.005 Container Service
            Comments
            This diagnostic statement protects against Container Service through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
            References

              NIST 800-53 Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              IA-02 Identification and Authentication (Organizational Users) mitigates T1543.005 Container Service
              AC-02 Account Management mitigates T1543.005 Container Service
              AC-03 Access Enforcement mitigates T1543.005 Container Service
              AC-05 Separation of Duties mitigates T1543.005 Container Service
              AC-06 Least Privilege mitigates T1543.005 Container Service

              VERIS Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1543.005 Container Service
              action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1543.005 Container Service

              Azure Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              microsoft_sentinel Microsoft Sentinel technique_scores T1543.005 Container Service
              Comments
              The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can modify service binaries and restore them to their original states, but does not address other procedures.
              References
              1. https://learn.microsoft.com/en-us/azure/sentinel/overview
              2. https://learn.microsoft.com/en-us/azure/sentinel/hunting
              alerts_for_windows_machines Alerts for Windows Machines technique_scores T1543.005 Container Service
              Comments
              This control can detect when commands associated with container services are executed, such as docker or podman.
              References
              1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers
              2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-windows-machines

              GCP Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              google_secops Google Security Operations technique_scores T1543.005 Container Service
              Comments
              Google Security Operations is able to trigger alerts based off executed commands like docker run or podman run.
              References
              1. ['https://cloud.google.com/security/products/security-operations'
              2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
              3. 'https://github.com/chronicle/detection-rules']

              AWS Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              aws_security_hub AWS Security Hub technique_scores T1543.005 Container Service
              Comments
              AWS Security Hub offers controls for Amazon Elastic Container Service (ECS). There are a variety of ECS security controls available, resulting in a score of Significant.
              References
              1. https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html