T1552.007 Container API Mappings

Adversaries may gather credentials via APIs within a container environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)

An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components.
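As an added example (not part of this mapping page or of any mapped product), the following Python scans Kubernetes audit-log events for the activity described above: a pod service account reading Secret objects through the API server. The audit events, the service-account names and the allow-list are constructed assumptions.

```python
import json

# Constructed Kubernetes audit events (audit.k8s.io/v1 shape, one JSON object
# per line); the namespaces and account names are made up for this example.
def _event(verb, user, resource, ns, name=None, code=200, stage="ResponseComplete"):
    return json.dumps({"kind": "Event", "stage": stage, "verb": verb,
                       "user": {"username": user},
                       "objectRef": {"resource": resource, "namespace": ns, "name": name},
                       "responseStatus": {"code": code}})

SAMPLE_AUDIT_LOG = "\n".join([
    _event("get", "system:serviceaccount:default:web-app", "secrets", "default", "db-creds"),
    _event("list", "system:serviceaccount:default:web-app", "secrets", "kube-system", code=403),
    _event("get", "system:serviceaccount:kube-system:kube-controller-manager",
           "secrets", "kube-system", "bootstrap-token"),
    _event("get", "system:serviceaccount:default:web-app", "configmaps", "default", "app-config"),
    _event("watch", "jane@example.com", "secrets", "default", stage="ResponseStarted"),
])

# Assumed allow-list of service accounts expected to read Secrets; tune per cluster.
EXPECTED_SECRET_READERS = {"system:serviceaccount:kube-system:kube-controller-manager"}
READ_VERBS = {"get", "list", "watch"}

def find_secret_reads(audit_log: str) -> list:
    """Return completed requests in which a non-allow-listed pod service account
    read Secret objects. Only the ResponseComplete stage is examined so each request
    is reported once; denied (403) attempts are kept, since a workload probing for
    secrets it cannot read is itself worth investigating."""
    hits = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue
        user = ev.get("user", {}).get("username", "")
        ref = ev.get("objectRef") or {}
        if (user.startswith("system:serviceaccount:")
                and ref.get("resource") == "secrets"
                and ev.get("verb") in READ_VERBS
                and user not in EXPECTED_SECRET_READERS):
            hits.append({"user": user, "verb": ev["verb"], "namespace": ref.get("namespace"),
                         "name": ref.get("name"), "code": ev.get("responseStatus", {}).get("code")})
    return hits

if __name__ == "__main__":
    for hit in find_secret_reads(SAMPLE_AUDIT_LOG):
        print(hit)
```

The configmap read, the allow-listed controller-manager request and the human user's in-progress watch are not reported; only the two web-app requests against Secrets are.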


VERIS Mappings

Capability ID: attribute.confidentiality.data_disclosure
Capability Description: None
Mapping Type: related-to
ATT&CK ID: T1552.007
ATT&CK Name: Container API

GCP Mappings

Capability ID: confidential_vm
Capability Description: Confidential VM
Mapping Type: technique_scores
ATT&CK ID: T1552.007
ATT&CK Name: Container API
Comments: Confidential VM main memory encryption is performed using dedicated hardware within the memory controllers. Confidential VM can be used with Google Kubernetes Engine nodes to encrypt data in use for these workloads.

Capability ID: gke_enterprise
Capability Description: GKE Enterprise
Mapping Type: technique_scores
ATT&CK ID: T1552.007
ATT&CK Name: Container API
Comments: Adversaries may gather credentials via APIs within a container environment, such as the Docker API and Kubernetes APIs. GKE Enterprise incorporates the Anthos Config Management feature to manage configuration for any Kubernetes API, including policies for the Istio service mesh, resource quotas, and access control policies.

Capability ID: resource_manager
Capability Description: Resource Manager
Mapping Type: technique_scores
ATT&CK ID: T1552.007
ATT&CK Name: Container API
Comments: To control access to resources, GCP requires that accounts making API requests have appropriate IAM roles. IAM roles include permissions that allow users to perform specific actions on Google Cloud resources. This control may mitigate adversaries that gather credentials via APIs within a container environment. Since it covers only one of the sub-techniques, it is given a Minimal score.

Capability ID: vpc_service_controls
Capability Description: VPC Service Controls
Mapping Type: technique_scores
ATT&CK ID: T1552.007
ATT&CK Name: Container API
Comments: VPC security perimeters can segment private resources to provide access based on user identity or organizational ingress/egress policies (e.g., instance, subnet).

AWS Mappings

Capability ID: aws_config
Capability Description: AWS Config
Mapping Type: technique_scores
ATT&CK ID: T1552.007
ATT&CK Name: Container API
Comments: The "eks-endpoint-no-public-access" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed to prevent malicious external access to the Kubernetes API server, including attempts to gather credentials via the API. The "eks-secrets-encrypted" managed rule can identify configuration problems that should be fixed to ensure that Kubernetes secrets (including those containing credentials) are encrypted to prevent malicious access. Both rules are evaluated periodically and provide only partial coverage, because the first addresses only public endpoint access and the second only adversaries unable to decrypt the secrets, resulting in an overall score of Partial.