T1543.005: Container Service
Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may be able to achieve persistence or escalate their privileges on a host.
For example, by using the docker run
or podman run
command with the restart=always
directive, a container can be configured to persistently restart on the host. A user with access to the (rootful) docker command may also be able to escalate their privileges on the host.
In Kubernetes environments, DaemonSets allow an adversary to persistently Deploy Containers on all nodes, including ones added later to the cluster. Pods can also be deployed to specific nodes using the nodeSelector
or nodeName
fields in the pod spec.
Note that containers can also be configured to run as Systemd Services.
Detection
ID | DS0032 | Data source and component | Container: Container Creation | Description | Monitor for newly constructed containers that repeatedly execute malicious payloads as part of persistence or privilege escalation. |
---|
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor for suspicious uses of the docker or podman command, such as attempts to mount the root filesystem of the host. |
---|
Mitigation
ID | M1054 | Name | Software Configuration | Description | Where possible, consider enforcing the use of container services in rootless mode to limit the possibility of privilege escalation or malicious effects on the host running the container. |
---|
ID | M1018 | Name | User Account Management | Description | Limit access to utilities such as docker to only users who have a legitimate need, especially if using docker in rootful mode. In Kubernetes environments, only grant privileges to deploy pods to users that require it. |
---|