Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.
Containers can be deployed by various means, such as via Docker's <code>create</code> and <code>start</code> APIs or via a web application such as the Kubernetes dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-17 | Remote Access | Protects | T1610 | Deploy Container | |
| AC-2 | Account Management | Protects | T1610 | Deploy Container | |
| AC-3 | Access Enforcement | Protects | T1610 | Deploy Container | |
| AC-6 | Least Privilege | Protects | T1610 | Deploy Container | |
| CM-6 | Configuration Settings | Protects | T1610 | Deploy Container | |
| CM-7 | Least Functionality | Protects | T1610 | Deploy Container | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1610 | Deploy Container | |
| SC-7 | Boundary Protection | Protects | T1610 | Deploy Container | |
| SI-4 | System Monitoring | Protects | T1610 | Deploy Container | |
| action.malware.variety.Unknown | Unknown | related-to | T1610 | Deploy Container | |
| aws_config | AWS Config | technique_scores | T1610 | Deploy Container |
Comments
The "eks-endpoint-no-public-access" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to deploy containers. It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial.
References
|
| aws_cloudwatch | AWS CloudWatch | technique_scores | T1610 | Deploy Container |
Comments
AWS CloudWatch provides various metrics including CPU utilization, connections, disk space, memory, bytes sent/received, and the number of running containers among others. The following metric could be used to detect if an adversary deployed a new container in the environment.
node_number_of_running_containers
This mapping is given a score of Partial because it is not possible to differentiate between an authorized and unauthorized deployment of a new container.
References
|