Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Container Administration Command

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet) In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.(Citation: Kubectl Exec Get Shell)

ID: T1609
Tactic(s): Execution
Platforms: Containers
Data Sources: Command: Command Execution, Process: Process Creation
Version: 1.1
Created: 29 Mar 2021
Last Modified: 01 Apr 2022

Procedure Examples

Name Description
TeamTNT

TeamTNT executed Hildegard through the kubelet API run command and by executing commands on running containers.(Citation: Unit 42 Hildegard Malware)

Peirates

Peirates can use `kubectl` or the Kubernetes API to run commands.(Citation: Peirates GitHub)

Hildegard

Hildegard was executed through the kubelet API run command and by executing commands on running containers.(Citation: Unit 42 Hildegard Malware)

Siloscape

Siloscape can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster.(Citation: Unit 42 Siloscape Jun 2021)

Kinsing

Kinsing was executed with an Ubuntu container entry point that runs shell scripts.(Citation: Aqua Kinsing April 2020)

Mitigations

Mitigation Description
User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

Limit Access to Resource Over Network

Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

Detection

Container administration service activities and executed commands can be captured through logging of process execution with command-line arguments on the container and the underlying host. In Docker, the daemon log provides insight into events at the daemon and container service level. Kubernetes system component logs may also detect activities running in and out of containers in the cluster.

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.