Container Administration Command
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec
to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec
.(Citation: Kubectl Exec Get Shell)
Procedure Examples |
|
Name | Description |
---|---|
TeamTNT |
TeamTNT executed Hildegard through the kubelet API run command and by executing commands on running containers.(Citation: Unit 42 Hildegard Malware) |
Peirates |
Peirates can use `kubectl` or the Kubernetes API to run commands.(Citation: Peirates GitHub) |
Hildegard |
Hildegard was executed through the kubelet API run command and by executing commands on running containers.(Citation: Unit 42 Hildegard Malware) |
Siloscape |
Siloscape can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster.(Citation: Unit 42 Siloscape Jun 2021) |
Kinsing |
Kinsing was executed with an Ubuntu container entry point that runs shell scripts.(Citation: Aqua Kinsing April 2020) |
Mitigations |
|
Mitigation | Description |
---|---|
User Account Management |
Manage the creation, modification, use, and permissions associated to user accounts. |
Privileged Account Management |
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
Disable or Remove Feature or Program |
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries. |
Limit Access to Resource Over Network |
Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. |
Execution Prevention |
Block execution of code on a system through application control, and/or script blocking. |
Detection
Container administration service activities and executed commands can be captured through logging of process execution with command-line arguments on the container and the underlying host. In Docker, the daemon log provides insight into events at the daemon and container service level. Kubernetes system component logs may also detect activities running in and out of containers in the cluster.
References
- The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021.
- The Kubernetes Authors. (n.d.). Kubelet. Retrieved March 29, 2021.
- The Kubernetes Authors. (n.d.). Get a Shell to a Running Container. Retrieved March 29, 2021.
- Docker. (n.d.). DockerD CLI. Retrieved March 29, 2021.
- Docker. (n.d.). Docker run reference. Retrieved March 29, 2021.
- Docker. (n.d.). Docker Exec. Retrieved March 29, 2021.
- Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
- InGuardians. (2022, January 5). Peirates GitHub. Retrieved February 8, 2022.
- National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022.
- Kubernetes. (n.d.). Role Based Access Control Good Practices. Retrieved March 8, 2023.
- Kubernetes. (n.d.). Admission Controllers Reference. Retrieved March 8, 2023.
- Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
- Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
- The Kubernetes Authors. (n.d.). Controlling Access to The Kubernetes API. Retrieved March 29, 2021.
- Microsoft. (2023, February 27). AKS-managed Azure Active Directory integration. Retrieved March 8, 2023.
- Kubernetes. (n.d.). Overview of Cloud Native Security. Retrieved March 8, 2023.
- Docker. (n.d.). Protect the Docker Daemon Socket. Retrieved March 29, 2021.
- Kubernetes. (n.d.). Configure a Security Context for a Pod or Container. Retrieved March 8, 2023.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.