T1613 Container and Resource Discovery Mappings

Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.

These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1613 Container and Resource Discovery
AC-2 Account Management Protects T1613 Container and Resource Discovery
AC-3 Access Enforcement Protects T1613 Container and Resource Discovery
AC-6 Least Privilege Protects T1613 Container and Resource Discovery
CM-6 Configuration Settings Protects T1613 Container and Resource Discovery
CM-7 Least Functionality Protects T1613 Container and Resource Discovery
IA-2 Identification and Authentication (organizational Users) Protects T1613 Container and Resource Discovery
SC-43 Usage Restrictions Protects T1613 Container and Resource Discovery
SC-7 Boundary Protection Protects T1613 Container and Resource Discovery
SI-4 System Monitoring Protects T1613 Container and Resource Discovery
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1613 Container and Resource Discovery
aws_config AWS Config technique_scores T1613 Container and Resource Discovery