Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as <code>docker exec</code> to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as <code>kubectl exec</code>.(Citation: Kubectl Exec Get Shell)
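The two execution paths described above leave different traces: a `kubectl exec` or `kubectl attach` arrives at the API server as a request on the `pods/exec` or `pods/attach` subresource and is recorded in the Kubernetes audit log, while a `docker exec` shows up in the daemon's event stream as an `exec_create` event. The following added example (not code from the ATT&CK page or from the Docker or Kubernetes projects) runs detection logic for both over constructed sample records. Field names follow the `audit.k8s.io/v1` Event schema and the JSON printed by `docker events --format '{{json .}}'`; the usernames, pod and container names, IDs and commands in the samples are invented.

```python
"""Detect container administration commands (T1609) in Kubernetes audit
events and Docker daemon events. Added example; all sample records below are
constructed, and the identities, pod and container names are invented."""
import json
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Pod subresources that hand the caller a process or terminal inside a container.
EXEC_SUBRESOURCES = {"exec", "attach"}


@dataclass
class Finding:
    source: str    # "k8s-audit" or "docker-events"
    actor: str     # Kubernetes username; the Docker event stream records no client identity
    target: str    # namespace/pod for Kubernetes, container name for Docker
    command: str   # command requested, "" if not recoverable from the record
    denied: bool   # True if the API server rejected the request (HTTP >= 400)


# Constructed Kubernetes audit log, one JSON event per line as written by the
# API server's log backend. Only the first two auditIDs are exec requests.
SAMPLE_K8S_AUDIT = "\n".join(json.dumps(e) for e in [
    # kubectl exec by a service account; a long-running request is audited at
    # several stages under the same auditID (ResponseStarted, then ResponseComplete).
    {"auditID": "a1", "stage": "ResponseStarted", "verb": "create",
     "user": {"username": "system:serviceaccount:default:ci-runner"},
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-7d9f", "subresource": "exec"},
     "requestURI": "/api/v1/namespaces/prod/pods/web-7d9f/exec?command=%2Fbin%2Fsh&command=-c&command=id&stdin=true&tty=true",
     "responseStatus": {"code": 101}},
    {"auditID": "a1", "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "system:serviceaccount:default:ci-runner"},
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-7d9f", "subresource": "exec"},
     "requestURI": "/api/v1/namespaces/prod/pods/web-7d9f/exec?command=%2Fbin%2Fsh&command=-c&command=id&stdin=true&tty=true",
     "responseStatus": {"code": 101}},
    # Exec attempt rejected by RBAC: still reportable, flagged as denied.
    {"auditID": "a2", "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "dev-readonly"},
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-7d9f", "subresource": "exec"},
     "requestURI": "/api/v1/namespaces/prod/pods/web-7d9f/exec?command=bash",
     "responseStatus": {"code": 403}},
    # Benign: reading logs and listing pods touch the pods resource without executing in it.
    {"auditID": "a3", "stage": "ResponseComplete", "verb": "get",
     "user": {"username": "dev-readonly"},
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-7d9f", "subresource": "log"},
     "requestURI": "/api/v1/namespaces/prod/pods/web-7d9f/log", "responseStatus": {"code": 200}},
    {"auditID": "a4", "stage": "ResponseComplete", "verb": "list",
     "user": {"username": "dev-readonly"},
     "objectRef": {"resource": "pods", "namespace": "prod"},
     "requestURI": "/api/v1/namespaces/prod/pods", "responseStatus": {"code": 200}},
])

# Constructed `docker events --format '{{json .}}'` output. The daemon emits
# exec_create/exec_start/exec_die for each `docker exec`; only exec_create is counted.
SAMPLE_DOCKER_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Type": "container", "Action": "start", "time": 1699999990,
     "Actor": {"ID": "9f1c0d", "Attributes": {"image": "nginx:1.25", "name": "web"}}},
    {"Type": "container", "Action": "exec_create: /bin/bash -c cat /etc/shadow", "time": 1700000000,
     "Actor": {"ID": "9f1c0d", "Attributes": {"execID": "e77", "image": "nginx:1.25", "name": "web"}}},
    {"Type": "container", "Action": "exec_start: /bin/bash -c cat /etc/shadow", "time": 1700000000,
     "Actor": {"ID": "9f1c0d", "Attributes": {"execID": "e77", "image": "nginx:1.25", "name": "web"}}},
])


def k8s_exec_findings(audit_log: str) -> list[Finding]:
    """One Finding per pods/exec or pods/attach request, deduplicated by auditID."""
    findings, seen = [], set()
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "pods" or ref.get("subresource") not in EXEC_SUBRESOURCES:
            continue
        # RequestReceived carries no response status yet; later stages of the
        # same request share its auditID and must not be double-counted.
        if ev.get("stage") == "RequestReceived" or ev.get("auditID") in seen:
            continue
        seen.add(ev.get("auditID"))
        # kubectl passes the command as repeated ?command= query parameters.
        query = parse_qs(urlsplit(ev.get("requestURI", "")).query)
        findings.append(Finding(
            source="k8s-audit",
            actor=ev.get("user", {}).get("username", "?"),
            target=f"{ref.get('namespace', '')}/{ref.get('name', '')}",
            command=" ".join(query.get("command", [])),
            denied=ev.get("responseStatus", {}).get("code", 0) >= 400,
        ))
    return findings


def docker_exec_findings(events: str) -> list[Finding]:
    """One Finding per exec_create container event in `docker events` JSON output."""
    findings = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        action = ev.get("Action", "")
        if ev.get("Type") != "container" or not action.startswith("exec_create: "):
            continue
        actor = ev.get("Actor", {})
        findings.append(Finding(
            source="docker-events",
            actor="unknown (docker events carry no client identity)",
            target=actor.get("Attributes", {}).get("name", actor.get("ID", "?")),
            command=action[len("exec_create: "):],
            denied=False,
        ))
    return findings


if __name__ == "__main__":
    for f in k8s_exec_findings(SAMPLE_K8S_AUDIT) + docker_exec_findings(SAMPLE_DOCKER_EVENTS):
        print(f)
```

The Kubernetes side keys on the subresource rather than the HTTP verb because the verb varies with client version (a `create` for the POST upgrade, a `get` for older SPDY clients), and it keeps denied attempts because a 403 on `pods/exec` is a useful signal of an identity probing for this capability. The Docker side is weaker by design: the daemon's event stream records the command and the target container but not who issued it, so attributing a `docker exec` requires socket- or proxy-level logging the daemon does not provide on its own.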
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-17 | Remote Access | Protects | T1609 | Container Administration Command | |
AC-2 | Account Management | Protects | T1609 | Container Administration Command | |
AC-3 | Access Enforcement | Protects | T1609 | Container Administration Command | |
AC-6 | Least Privilege | Protects | T1609 | Container Administration Command | |
CM-6 | Configuration Settings | Protects | T1609 | Container Administration Command | |
CM-7 | Least Functionality | Protects | T1609 | Container Administration Command | |
SC-7 | Boundary Protection | Protects | T1609 | Container Administration Command | |
SI-10 | Information Input Validation | Protects | T1609 | Container Administration Command | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1609 | Container Administration Command | |
action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1609 | Container Administration Command | |
aws_config | AWS Config | technique_scores | T1609 | Container Administration Command | The "eks-endpoint-no-public-access" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to execute commands via the API. It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial. |