
Container Administration Command

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet) In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.(Citation: Kubectl Exec Get Shell)

ID: T1609
Tactic(s): Execution
Platforms: Containers
Data Sources: Command: Command Execution, Process: Process Creation
Version: 1.2
Created: 29 Mar 2021
Last Modified: 15 Oct 2024

Procedure Examples

TeamTNT: TeamTNT executed Hildegard through the kubelet API run command and by executing commands on running containers.(Citation: Unit 42 Hildegard Malware)

Peirates: Peirates can use `kubectl` or the Kubernetes API to run commands.(Citation: Peirates GitHub)

Hildegard: Hildegard was executed through the kubelet API run command and by executing commands on running containers.(Citation: Unit 42 Hildegard Malware)

Siloscape: Siloscape can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster.(Citation: Unit 42 Siloscape Jun 2021)

Kinsing: Kinsing was executed with an Ubuntu container entry point that runs shell scripts.(Citation: Aqua Kinsing April 2020)

Mitigations

User Account Management: Manage the creation, modification, use, and permissions associated with user accounts.

Privileged Account Management: Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.

Disable or Remove Feature or Program: Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Limit Access to Resource Over Network: Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include network concentrators, RDP gateways, etc.

Execution Prevention: Block execution of code on a system through application control and/or script blocking.
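To make the account-management mitigations concrete for the kubectl exec path described in this technique, here is an added example (written for this page, not part of the MITRE entry or SECURITM's material) contrasting an over-broad Kubernetes Role with one that withholds the pods/exec and pods/attach subresources; the namespace and role names are made up.

```yaml
# Weak: a namespaced Role granting every verb on pods plus the exec and attach
# subresources. Any subject bound to it can run a command in any pod in the
# namespace, which is exactly the request that kubectl exec sends.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: app            # constructed namespace name
  name: developer-weak
rules:
- apiGroups: [""]
  resources: ["pods", "pods/exec", "pods/attach"]
  verbs: ["*"]
---
# Corrected: read-only visibility into pods and their logs. RBAC subresources
# must be granted explicitly, so leaving pods/exec and pods/attach out means a
# kubectl exec from this subject is refused by the API server (HTTP 403).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: app
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
```

Bind the corrected Role to day-to-day accounts and reserve exec rights for a separately bound, audited break-glass identity.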

Detection

Container administration service activities and executed commands can be captured through logging of process execution with command-line arguments on the container and the underlying host. In Docker, the daemon log provides insight into events at the daemon and container service level. Kubernetes system component logs may also detect activities running in and out of containers in the cluster.
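As an added illustration of the Kubernetes component logging mentioned above (example code written for this page, not from MITRE or SECURITM), this parser reads API server audit events and raises one finding per request against the pods/exec or pods/attach subresource, which is how kubectl exec and equivalent API calls appear in the audit log. The field names follow the Kubernetes audit event schema; the events themselves are constructed.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed Kubernetes API server audit events (JSON Lines), not real logs.
# kubectl exec is served as a "create" on the pods/exec subresource, so the
# subresource, not the verb, is what identifies command execution in a pod.
AUDIT_LINES = [
    '{"auditID":"a1","stage":"ResponseStarted","verb":"create","user":{"username":"alice"},'
    '"objectRef":{"resource":"pods","subresource":"exec","namespace":"default","name":"web-1"},'
    '"requestURI":"/api/v1/namespaces/default/pods/web-1/exec?command=sh&command=-c&command=id"}',
    '{"auditID":"a2","stage":"ResponseComplete","verb":"get","user":{"username":"alice"},'
    '"objectRef":{"resource":"pods","namespace":"default","name":"web-1"},'
    '"requestURI":"/api/v1/namespaces/default/pods/web-1"}',
    '{"auditID":"a3","stage":"ResponseStarted","verb":"create",'
    '"user":{"username":"system:serviceaccount:default:default"},'
    '"objectRef":{"resource":"pods","subresource":"exec","namespace":"kube-system","name":"coredns-x"},'
    '"requestURI":"/api/v1/namespaces/kube-system/pods/coredns-x/exec?command=%2Fbin%2Fsh&tty=true"}',
    '{"auditID":"a3","stage":"ResponseComplete","verb":"create",'
    '"user":{"username":"system:serviceaccount:default:default"},'
    '"objectRef":{"resource":"pods","subresource":"exec","namespace":"kube-system","name":"coredns-x"},'
    '"requestURI":"/api/v1/namespaces/kube-system/pods/coredns-x/exec?command=%2Fbin%2Fsh&tty=true"}',
]

EXEC_SUBRESOURCES = {"exec", "attach"}  # both hand a command or shell to a running container

def find_container_exec(lines):
    """Return one finding per audit event that executes a command in a pod."""
    findings, seen = [], set()
    for line in lines:
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "pods" or ref.get("subresource") not in EXEC_SUBRESOURCES:
            continue
        if ev["auditID"] in seen:  # the same request is logged once per audit stage
            continue
        seen.add(ev["auditID"])
        user = ev["user"]["username"]
        query = parse_qs(urlsplit(ev.get("requestURI", "")).query)
        findings.append({
            "user": user,
            "namespace": ref.get("namespace"),
            "pod": ref.get("name"),
            "command": " ".join(query.get("command", [])),  # repeated ?command= args form the argv
            "service_account": user.startswith("system:serviceaccount:"),  # pod-token exec is worth a closer look
        })
    return findings
```

Requires audit logging to be enabled on the API server with a policy that records RequestReceived or later stages for the pods/exec subresource; exec via the kubelet API directly, as in the Hildegard procedure above, bypasses the API server and needs host-side process logging instead.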

References

  1. The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021.
  2. The Kubernetes Authors. (n.d.). Kubelet. Retrieved March 29, 2021.
  3. The Kubernetes Authors. (n.d.). Get a Shell to a Running Container. Retrieved March 29, 2021.
  4. Docker. (n.d.). DockerD CLI. Retrieved March 29, 2021.
  5. Docker. (n.d.). Docker run reference. Retrieved March 29, 2021.
  6. Docker. (n.d.). Docker Exec. Retrieved March 29, 2021.
  7. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  8. InGuardians. (2022, January 5). Peirates GitHub. Retrieved February 8, 2022.
  9. National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022.
  10. Kubernetes. (n.d.). Role Based Access Control Good Practices. Retrieved March 8, 2023.
  11. Kubernetes. (n.d.). Admission Controllers Reference. Retrieved March 8, 2023.
  12. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  13. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
  14. The Kubernetes Authors. (n.d.). Controlling Access to The Kubernetes API. Retrieved March 29, 2021.
  15. Microsoft. (2023, February 27). AKS-managed Azure Active Directory integration. Retrieved March 8, 2023.
  16. Kubernetes. (n.d.). Overview of Cloud Native Security. Retrieved March 8, 2023.
  17. Docker. (n.d.). Protect the Docker Daemon Socket. Retrieved March 29, 2021.
  18. Kubernetes. (n.d.). Configure a Security Context for a Pod or Container. Retrieved March 8, 2023.
