Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as <code>docker exec</code> to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as <code>kubectl exec</code>.(Citation: Kubectl Exec Get Shell)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-17 | Remote Access | Protects | T1609 | Container Administration Command |
| AC-2 | Account Management | Protects | T1609 | Container Administration Command |
| AC-3 | Access Enforcement | Protects | T1609 | Container Administration Command |
| AC-6 | Least Privilege | Protects | T1609 | Container Administration Command |
| CM-6 | Configuration Settings | Protects | T1609 | Container Administration Command |
| CM-7 | Least Functionality | Protects | T1609 | Container Administration Command |
| SC-7 | Boundary Protection | Protects | T1609 | Container Administration Command |
| SI-10 | Information Input Validation | Protects | T1609 | Container Administration Command |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1609 | Container Administration Command |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1609 | Container Administration Command |
| aws_config | AWS Config | technique_scores | T1609 | Container Administration Command |