T1609 Container Administration Command Mappings

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)

In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as <code>docker exec</code> to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as <code>kubectl exec</code>.(Citation: Kubectl Exec Get Shell)

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1609 Container Administration Command

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
gke_enterprise GKE Enterprise technique_scores T1609 Container Administration Command
Comments
GKE Enterprise incorporates the Anthos Config Management feature to create and manage Kubernetes objects across multiple clusters at once. PodSecurityPolicies can be enforced to prevent Pods from using the root Linux user and prevents pods from running privileged containers. In hindsight this can ensure containers are not running as root by default.
References
google_kubernetes_engine Google Kubernetes Engine technique_scores T1609 Container Administration Command
Comments
This control may provide provide information about vulnerabilities within container images, such as the risk from remote management of a deployed container. With the right permissions, an adversary could escalate to remote code execution in the Kubernetes cluster.
References

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
aws_config AWS Config technique_scores T1609 Container Administration Command
Comments
The "eks-endpoint-no-public-access" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to execute commands via the API. It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial.
References