T1610: Deploy Container

Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to Escape to Host and access other containers running on the node.

Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes. Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Monitoring of process-start events which contain 'docker build', 'docker run', or 'kubectl apply' in their command line.

Expert Required. The technique is detected only with the combination «PT Product + Expert».

Detection

ID: DS0015
Data source and component: Application Log: Application Log Content
Description:

Configuration management databases (CMDB) and other asset management systems may help with the detection of computer systems or network devices that should not exist on a network.

ID: DS0014
Data source and component: Pod: Pod Modification
Description:

Monitor for changes made to pods for unexpected modifications to settings and/or control data that may deploy a container into an environment to facilitate execution or evade defenses.

ID: DS0032
Data source and component: Container: Container Start
Description:

Monitor for activation or invocation of a container that may deploy a container into an environment to facilitate execution or evade defenses.

ID: DS0014
Data source and component: Pod: Pod Creation
Description:

Monitor for newly constructed pods that may deploy a container into an environment to facilitate execution or evade defenses.

ID: DS0032
Data source and component: Container: Container Creation
Description:

Monitor for newly constructed containers that may deploy a container into an environment to facilitate execution or evade defenses.
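The following is an added example (not part of the original page or of any Positive Technologies product) that implements the MaxPatrol detection logic described above: it scans process-start events for 'docker build', 'docker run' or 'kubectl apply' command lines and raises the severity when options that enable a privileged container are present. The JSON event format, field names and sample events are constructed for this illustration.

```python
import json
import re
from typing import Dict, List

# Command-line markers named in the detection rule on this page.
DEPLOY_PATTERNS = [
    re.compile(r"\bdocker\s+build\b"),
    re.compile(r"\bdocker\s+run\b"),
    re.compile(r"\bkubectl\s+apply\b"),
]
# Options that turn a deployed container into a likely Escape to Host candidate.
RISKY_OPTIONS = ["--privileged", "--pid=host", "--net=host"]


def classify_event(event: Dict) -> Dict:
    """Return a finding for one process-start event, or {} if it is not a deployment."""
    cmdline = event.get("cmdline", "")
    if not any(p.search(cmdline) for p in DEPLOY_PATTERNS):
        return {}
    risky = [opt for opt in RISKY_OPTIONS if opt in cmdline]
    return {
        "host": event.get("host"),
        "user": event.get("user"),
        "cmdline": cmdline,
        "severity": "high" if risky else "medium",
        "risky_options": risky,
    }


def scan_events(lines: List[str]) -> List[Dict]:
    """Parse JSON-lines events (constructed format) and keep only deployment findings."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the whole scan
        if event.get("type") != "process_start":
            continue
        finding = classify_event(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    '{"type":"process_start","host":"node-1","user":"deploy","cmdline":"kubectl apply -f deploy.yaml"}',
    '{"type":"process_start","host":"node-2","user":"root","cmdline":"docker run --privileged --pid=host alpine sh"}',
    '{"type":"process_start","host":"node-2","user":"ci","cmdline":"docker image ls"}',
    '{"type":"file_write","host":"node-3","user":"ci","cmdline":"docker run busybox"}',
    "not json",
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(json.dumps(finding))
```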

Mitigation

ID: M1018
Name: User Account Management
Description:

Enforce the principle of least privilege by limiting container dashboard access to only the necessary users. When using Kubernetes, avoid giving users wildcard permissions or adding users to the system:masters group, and use RoleBindings rather than ClusterRoleBindings to limit user privileges to specific namespaces.

ID: M1035
Name: Limit Access to Resource Over Network
Description:

Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API, Kubernetes API Server, and container orchestration web applications. In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access the API server. Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.

ID: M1047
Name: Audit
Description:

Scan images before deployment, and block those that are not in compliance with security policies. In Kubernetes environments, the admission controller can be used to validate images after a container deployment request is authenticated but before the container is deployed.

ID: M1030
Name: Network Segmentation
Description:

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.