T1613 Container and Resource Discovery Mappings

Adversaries may attempt to discover containers and other resources that are available within a container environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.

These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution.


VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Scan network Enumerating the state of the network related-to T1613 Container and Resource Discovery

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
gke_enterprise GKE Enterprise technique_scores T1613 Container and Resource Discovery
Comments
Adversaries may attempt to discover containers and other resources that are available within a container environment. GKE Enterprise incorporates the Anthos Config Management "Network Policies" rule to control the network traffic inside clusters, denying direct remote access to internal systems through the use of network proxies, gateways, and firewalls.
google_kubernetes_engine Google Kubernetes Engine technique_scores T1613 Container and Resource Discovery
Comments
By default, GKE nodes use Google's Container-Optimized OS to enhance the security of GKE clusters, including a locked-down firewall, a read-only filesystem, limited user accounts, and disabled root login.
identity_and_access_management Identity and Access Management technique_scores T1613 Container and Resource Discovery
Comments
GCP Identity and Access Management allows admins to control access to Container Registry hosts through Cloud Storage permissions: Container Registry uses Cloud Storage buckets as the underlying storage for container images, and specific accounts can be assigned roles on those buckets. By controlling which accounts are granted permissions on a registry's bucket, this control can help mitigate adversaries that attempt to discover resources such as images and containers.
resource_manager Resource Manager technique_scores T1613 Container and Resource Discovery
Comments
Google Cloud Platform provides resource containers such as organizations, folders, and projects that allow one to group and hierarchically organize other GCP resources. This control may mitigate adversaries that attempt to discover containers and other resources available within a container environment by denying direct remote access to internal systems through the use of network proxies, gateways, and firewalls.

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
aws_config AWS Config technique_scores T1613 Container and Resource Discovery
Comments
The "eks-endpoint-no-public-access" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to discover containers and other resources. It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial.
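As an added illustration of the verdict this rule produces (example code written for this page, not the implementation of the AWS Config rule): the function below applies the same public-endpoint check to the `resourcesVpcConfig` block of an EKS `describe-cluster` response, using constructed sample clusters, and additionally reports whether an exposed endpoint is open to all addresses or limited to the listed CIDRs.

```python
"""Evaluate EKS cluster descriptions for public API endpoint exposure.

Mirrors the intent of the eks-endpoint-no-public-access managed rule
against the shape returned by `aws eks describe-cluster` / boto3
describe_cluster(); the sample input below is constructed, not captured.
"""
from typing import Dict, List

# Constructed sample of the "cluster" object returned by describe_cluster().
SAMPLE_CLUSTERS: List[Dict] = [
    {"name": "prod-private",
     "resourcesVpcConfig": {"endpointPublicAccess": False,
                            "endpointPrivateAccess": True,
                            "publicAccessCidrs": []}},
    {"name": "dev-open",
     "resourcesVpcConfig": {"endpointPublicAccess": True,
                            "endpointPrivateAccess": False,
                            "publicAccessCidrs": ["0.0.0.0/0"]}},
    {"name": "staging-restricted",
     "resourcesVpcConfig": {"endpointPublicAccess": True,
                            "endpointPrivateAccess": True,
                            "publicAccessCidrs": ["203.0.113.0/24"]}},
]


def evaluate_cluster(cluster: Dict) -> Dict[str, str]:
    """Return a Config-style verdict for one cluster description.

    NON_COMPLIANT whenever the public endpoint is enabled, as the managed
    rule does; the 'detail' field is an addition here (not part of the rule)
    that distinguishes an internet-wide endpoint from a CIDR-limited one.
    """
    vpc = cluster.get("resourcesVpcConfig", {})
    public = bool(vpc.get("endpointPublicAccess", True))  # EKS default is True
    cidrs = vpc.get("publicAccessCidrs") or []
    if not public:
        return {"name": cluster["name"], "compliance": "COMPLIANT",
                "detail": "API server endpoint is private only"}
    # A missing CIDR list on a public endpoint is treated as unrestricted.
    if "0.0.0.0/0" in cidrs or not cidrs:
        detail = "public endpoint reachable from any IPv4 address"
    else:
        detail = "public endpoint limited to " + ", ".join(cidrs)
    return {"name": cluster["name"], "compliance": "NON_COMPLIANT", "detail": detail}


def evaluate_all(clusters: List[Dict]) -> List[Dict[str, str]]:
    """Evaluate every cluster description and return the findings."""
    return [evaluate_cluster(c) for c in clusters]


if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_CLUSTERS):
        print(f"{finding['name']}: {finding['compliance']} ({finding['detail']})")
```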