T1610 Deploy Container

Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to Escape to Host and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)

Containers can be deployed by various means, such as via Docker's <code>create</code> and <code>start</code> APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)
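As an added illustration of the detection side of the privileged-deployment case described above (this is not code from ATT&CK or from the Mappings Explorer), the Python below scans constructed Kubernetes audit-log events for pod creations that request privileged mode, host namespaces, or no runAsNonRoot constraint. The user names, namespace and images in the sample events are made up, and the script assumes the cluster's audit policy records the request body.

```python
import json

# Constructed sample audit events in the shape of audit.k8s.io/v1 Event
# objects, one per line; requestObject is present only when the cluster's
# audit policy logs at the Request or RequestResponse level.
AUDIT_LINES = [
    json.dumps({"kind": "Event", "verb": "create", "user": {"username": "dev-alice"},
                "objectRef": {"resource": "pods", "namespace": "team-a", "name": "web-1"},
                "requestObject": {"spec": {"containers": [
                    {"name": "web", "image": "nginx:1.25",
                     "securityContext": {"runAsNonRoot": True}}]}}}),
    json.dumps({"kind": "Event", "verb": "create", "user": {"username": "dev-bob"},
                "objectRef": {"resource": "pods", "namespace": "team-a", "name": "debug"},
                "requestObject": {"spec": {"hostPID": True, "hostNetwork": True,
                    "containers": [{"name": "sh", "image": "alpine:3.19",
                                    "securityContext": {"privileged": True}}]}}}),
    json.dumps({"kind": "Event", "verb": "get", "user": {"username": "dev-bob"},
                "objectRef": {"resource": "pods", "namespace": "team-a", "name": "debug"}}),
]


def risky_findings(spec: dict) -> list[str]:
    """Return the pod-spec settings that weaken isolation between pod and node."""
    findings = [k for k in ("hostPID", "hostNetwork", "hostIPC") if spec.get(k)]
    pod_non_root = (spec.get("securityContext") or {}).get("runAsNonRoot", False)
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{c['name']}:privileged")
        # No runAsNonRoot at pod or container level: the "user limitations" gap.
        if not sc.get("runAsNonRoot", pod_non_root):
            findings.append(f"{c['name']}:may-run-as-root")
    return findings


def analyze(lines: list[str]) -> list[dict]:
    """Return one alert per pod-creation event that carries risky settings."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("verb") != "create" or ev.get("objectRef", {}).get("resource") != "pods":
            continue  # only direct pod creation is inspected here
        findings = risky_findings(ev.get("requestObject", {}).get("spec", {}))
        if findings:
            ref = ev["objectRef"]
            alerts.append({"user": ev["user"]["username"],
                           "pod": f"{ref['namespace']}/{ref['name']}",
                           "findings": findings})
    return alerts
```

Pods created indirectly through ReplicaSets or DaemonSets still appear as pod-creation events, attributed to the controller's service account rather than the user who created the workload.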

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-01.02 Network device configurations Mitigates T1610 Deploy Container
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to limit communications with container services can prevent adversary deployment of a container.
PR.AA-05.01 Access privilege limitation Mitigates T1610 Deploy Container
Comments
This diagnostic statement describes the implementation of the principle of least privilege, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restricting users and accounts to the least privileges they require can help mitigate these techniques.
PR.IR-01.01 Network segmentation Mitigates T1610 Deploy Container
Comments
This diagnostic statement is for the implementation of network segmentation, which helps prevent access to critical systems and sensitive information. Employing network segmentation to deny direct remote access to internal systems from outside the network provides protection against adversaries attempting to deploy containers.
PR.IR-01.03 Network communications integrity and availability Mitigates T1610 Deploy Container
Comments
This diagnostic statement protects against Deploy Container through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
PR.AA-01.01 Identity and credential management Mitigates T1610 Deploy Container
Comments
This diagnostic statement protects against Deploy Container through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
PR.PS-01.08 End-user device protection Mitigates T1610 Deploy Container
Comments
This diagnostic statement protects against Deploy Container by limiting access to resources to only authorized devices, managing personal computing devices, using network intrusion prevention, and using antimalware.

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CM-06 Configuration Settings mitigates T1610 Deploy Container
AC-17 Remote Access mitigates T1610 Deploy Container
IA-02 Identification and Authentication (Organizational Users) mitigates T1610 Deploy Container
CM-07 Least Functionality mitigates T1610 Deploy Container
SI-04 System Monitoring mitigates T1610 Deploy Container
AC-02 Account Management mitigates T1610 Deploy Container
AC-03 Access Enforcement mitigates T1610 Deploy Container
AC-06 Least Privilege mitigates T1610 Deploy Container
SC-07 Boundary Protection mitigates T1610 Deploy Container

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Downloader Downloader (pull updates or other malware) related-to T1610 Deploy Container
action.malware.variety.Unknown Unknown related-to T1610 Deploy Container

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
defender_for_containers Microsoft Defender for Containers technique_scores T1610 Deploy Container
Comments
This capability can detect unauthorized deployment of containers.
defender_for_containers Microsoft Defender for Containers technique_scores T1610 Deploy Container
Comments
This capability can protect against unauthorized deployment of containers.

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
artifact_analysis Artifact Analysis technique_scores T1610 Deploy Container
Comments
Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can scan for known vulnerabilities in containers. This information can be used to detect malicious deployed containers used to evade defenses and execute processes in a target environment. Due to the medium threat detection coverage and temporal factor, the control was scored as partial.
artifact_analysis Artifact Analysis technique_scores T1610 Deploy Container
Comments
Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known vulnerabilities in Docker containers. This information can be used to detect malicious implanted images in the environment. This control does not directly protect against exploitation.
binary_authorization Binary Authorization technique_scores T1610 Deploy Container
Comments
Based on configured policies, Binary Authorization allows or blocks deployment of container images.
gke_enterprise GKE Enterprise technique_scores T1610 Deploy Container
Comments
GKE Enterprise incorporates the Anthos Config Management Policy Controller feature to enforce fully programmable policies on your clusters. You can use these policies to shift security left and guard against violations during development and test time, as well as runtime violations. This control can be used to block adversaries that try to deploy new containers carrying malware or configurations that do not comply with the security policies already defined.
google_kubernetes_engine Google Kubernetes Engine technique_scores T1610 Deploy Container
Comments
Kubernetes role-based access control (RBAC) uses granular permissions to control access to resources within projects and objects within Kubernetes clusters.

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
aws_cloudwatch AWS CloudWatch technique_scores T1610 Deploy Container
Comments
AWS CloudWatch provides various metrics including CPU utilization, connections, disk space, memory, bytes sent/received, and the number of running containers, among others. The following metric could be used to detect if an adversary deployed a new container in the environment: node_number_of_running_containers. This mapping is given a score of Partial because it is not possible to differentiate between an authorized and an unauthorized deployment of a new container.
aws_config AWS Config technique_scores T1610 Deploy Container
Comments
The "eks-endpoint-no-public-access" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to deploy containers. It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial.