T1609: Container Administration Command

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.

In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container. In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Monitoring of process-start events which contain 'docker exec' or 'kubectl exec' in their command line.

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor commands and arguments executed by container services. In Docker, the daemon log provides insight into events at the daemon and container service level. Kubernetes system component logs (the API server audit log and the kubelet log) can also reveal activity running into and out of containers in the cluster.

ID: DS0009
Data source and component: Process: Process Creation
Description:

Container administration service activities and executed commands can be captured through logging of process execution with command-line arguments on the container as well as within the underlying host.
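The MaxPatrol SIEM rule above (process-start events whose command line contains 'docker exec' or 'kubectl exec') and the DS0009 process-creation data source both reduce to the same check. The following is an added example, not code from the page, the vendor, or either project: it runs that check over a handful of constructed process-start records. Instead of a plain substring match it tokenises the command line, confirms the binary is docker or kubectl (by basename, so a full path still matches), requires exec to be the subcommand rather than just an argument somewhere, and pulls out the target and the in-container command so an analyst sees what was actually run. The record field names and the VALUE_FLAGS set (flags that consume the next token) are assumptions made for the example.

```python
"""Detect 'docker exec' / 'kubectl exec' in process-creation command lines."""
import shlex

# Flags of docker exec / kubectl exec (and common global flags) that take the
# following token as their value; any other token starting with '-' is a bare flag.
# This set is an assumption for the example, not an exhaustive list.
VALUE_FLAGS = {
    "-n", "--namespace", "-c", "--container", "-u", "--user", "-w", "--workdir",
    "-e", "--env", "--kubeconfig", "--context", "-H", "--host", "--config",
}

# Constructed sample process-start events (not from any real host); the field
# names mimic a generic EDR/SIEM process-creation record.
SAMPLE_EVENTS = [
    {"host": "node-01", "user": "deploy", "cmdline": "docker exec -it web-1 /bin/sh"},
    {"host": "node-01", "user": "deploy", "cmdline": "docker ps -a"},
    {"host": "bastion", "user": "alice",
     "cmdline": "kubectl exec -n prod payments-7c9f -- /bin/bash -c 'cat /etc/shadow'"},
    {"host": "bastion", "user": "alice", "cmdline": "kubectl get pods -n prod"},
    {"host": "bastion", "user": "ci", "cmdline": "kubectl --kubeconfig=/tmp/kc exec -it api-0 -- id"},
    # substring match on 'docker exec' would not fire here anyway, but a sloppy
    # regex on 'docker.*exec' would: the binary is not docker at all
    {"host": "node-02", "user": "root", "cmdline": "/usr/local/bin/docker-execwrapper --help"},
    {"host": "node-02", "user": "root",
     "cmdline": "docker container exec -u root web-1 /bin/bash -c id"},
]


def _positionals(tokens, n):
    """Return the first n positional tokens (flags and their values skipped)
    and the tokens that follow the n-th positional, kept verbatim."""
    pos, i = [], 0
    while i < len(tokens) and len(pos) < n:
        tok = tokens[i]
        if tok.startswith("-"):
            if tok in VALUE_FLAGS:
                i += 1                      # swallow the flag's value
        else:
            pos.append(tok)
        i += 1
    return pos, tokens[i:]


def parse_exec(cmdline):
    """Return {'tool', 'target', 'command'} if cmdline is a container exec, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:                      # unbalanced quotes: not parseable
        return None
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]       # basename, so /usr/bin/docker still matches
    if tool not in ("docker", "kubectl"):
        return None
    # '--' ends option parsing; everything after it is the in-container command.
    sep = argv.index("--") if "--" in argv else len(argv)
    head, tail = argv[1:sep], argv[sep + 1:]
    pos, rest = _positionals(head, 2)
    if tool == "docker" and pos[:1] == ["container"]:   # 'docker container exec' alias
        pos, rest = _positionals(head, 3)
        pos = pos[1:]
    if pos[:1] != ["exec"]:                 # exec must be the subcommand itself
        return None
    target = pos[1] if len(pos) > 1 else None
    return {"tool": tool, "target": target, "command": shlex.join(rest + tail)}


def detect(events):
    """Run the rule over process-start events; return the alerts it produces."""
    alerts = []
    for ev in events:
        hit = parse_exec(ev["cmdline"])
        if hit:
            alerts.append({"host": ev["host"], "user": ev["user"], **hit})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[T1609] {a['host']} {a['user']}: {a['tool']} exec into "
              f"{a['target']} -> {a['command']}")
```

Running it against the sample set yields four alerts (two docker, two kubectl) and no alert for docker ps, kubectl get or the unrelated docker-execwrapper binary. The same parse is worth applying on the node side as well: on a Kubernetes node the exec shows up as a process spawned by the container runtime, not as a kubectl process, so the DS0009 host-level telemetry and the API server audit log (DS0017) are complementary rather than redundant.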

Mitigation

ID: M1018
Name: User Account Management
Description:

Enforce authentication and role-based access control on the container service to restrict users to the least privileges required. When using Kubernetes, avoid giving users wildcard permissions or adding users to the system:masters group, and use RoleBindings rather than ClusterRoleBindings to limit user privileges to specific namespaces.
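To make the RBAC advice above checkable, here is an added example (not the page's or any project's code) that audits a set of Kubernetes RBAC objects, given as Python dicts in the same shape as the parsed YAML manifests, for the two things the paragraph warns about: wildcard rules, and the ability to create pods/exec (which is exactly what kubectl exec needs) granted cluster-wide through a ClusterRoleBinding instead of being confined to a namespace by a RoleBinding. The objects are constructed for the example; the "weak" set binds the same exec ClusterRole cluster-wide and hands a wildcard ClusterRole to a whole group, the "hardened" set binds that ClusterRole through a namespaced RoleBinding. Membership of system:masters is not visible in RBAC objects at all (it comes from the authenticator, for instance the client certificate's organization field), so the audit does not try to check it.

```python
"""Audit Kubernetes RBAC objects for wildcard rules and cluster-wide exec grants."""


def _wildcard(rule):
    """True if the rule uses '*' in any of apiGroups, resources or verbs."""
    return any("*" in rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))


def _grants_exec(rule):
    """True if the rule lets the holder create pods/exec, i.e. run kubectl exec."""
    groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
    return (("" in groups or "*" in groups)             # pods/exec lives in the core group
            and ("pods/exec" in resources or "*" in resources)
            and ("create" in verbs or "*" in verbs))


def audit_rbac(objects):
    """Return findings for every subject of every binding; 'high' for wildcard
    rules and cluster-wide exec, 'info' for namespace-scoped exec."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    findings = []
    for b in (o for o in objects if o["kind"] in ("RoleBinding", "ClusterRoleBinding")):
        ref, ns = b["roleRef"], b["metadata"].get("namespace")
        # A RoleBinding may reference a ClusterRole; the binding's namespace then bounds it.
        role = roles.get((ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"]))
        if role is None:
            continue                                    # dangling roleRef grants nothing
        rules = role.get("rules", [])
        scope = "cluster-wide" if b["kind"] == "ClusterRoleBinding" else f"namespace {ns}"
        for s in b.get("subjects", []):
            who = f"{s['kind']}/{s['name']}"
            if any(_wildcard(r) for r in rules):
                findings.append({"level": "high", "subject": who,
                                 "issue": f"wildcard rule in {ref['kind']}/{ref['name']} bound {scope}"})
            if any(_grants_exec(r) for r in rules):
                level = "high" if b["kind"] == "ClusterRoleBinding" else "info"
                findings.append({"level": level, "subject": who,
                                 "issue": f"pods/exec granted {scope} via {b['kind']}/{b['metadata']['name']}"})
    return findings


# Constructed objects for the example. The exec ClusterRole is fine on its own:
# its reach is decided by the kind of binding that references it.
EXEC_ROLE = {
    "kind": "ClusterRole", "metadata": {"name": "pod-exec"},
    "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
              {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}
GOD_ROLE = {
    "kind": "ClusterRole", "metadata": {"name": "ops-everything"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
REF = {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole"}

WEAK = [
    EXEC_ROLE, GOD_ROLE,
    {"kind": "ClusterRoleBinding", "metadata": {"name": "alice-exec"},
     "roleRef": {**REF, "name": "pod-exec"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "devs-admin"},
     "roleRef": {**REF, "name": "ops-everything"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
]

HARDENED = [
    EXEC_ROLE,
    {"kind": "RoleBinding", "metadata": {"name": "alice-exec", "namespace": "staging"},
     "roleRef": {**REF, "name": "pod-exec"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    for label, objs in (("weak", WEAK), ("hardened", HARDENED)):
        for f in audit_rbac(objs):
            print(f"{label}: [{f['level']}] {f['subject']}: {f['issue']}")
```

On the weak set the audit reports three high findings (alice can exec into any pod in any namespace; the developers group has both a wildcard rule and, through it, cluster-wide exec); on the hardened set the only entry is an informational one recording that alice can exec in namespace staging, which is the intended grant. In a live cluster the same dicts come out of kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json.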

ID: M1026
Name: Privileged Account Management
Description:

Ensure containers are not running as root by default. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers, and enable the NodeRestriction admission controller so that a kubelet can only modify its own Node object and the pods bound to that node.

ID: M1035
Name: Limit Access to Resource Over Network
Description:

Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require TLS on the API ports and disable unauthenticated access to the Docker API and the Kubernetes API server. In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to reach the API server. Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.

ID: M1038
Name: Execution Prevention
Description:

Use read-only containers, read-only file systems, and minimal images when possible, so that an adversary who gains exec access finds few tools to run and cannot drop new ones. Where possible, also consider using application control and software restriction tools (such as those provided by SELinux) to restrict access to files, processes, and system calls in containers.

ID: M1042
Name: Disable or Remove Feature or Program
Description:

Remove unnecessary tools and software from containers.