Container management utility in container

Classification:

attack

Tactic:

TA0002-execution

Technique:

T1609-container-administration-command

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect execution of a container management utility (for example, kubectl or docker) in a container.

Strategy

After an attacker’s initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to enumerate other pods or containers, escalate privileges, or exfiltrate secrets by running container management orchestration utilities. This detection triggers when execution of one of a set of common container management utilities (like kubectl or docker) executes with specific process arguments detected in a container. If this is unexpected behavior, it could indicate an attacker attempting to compromise your pods, containers, and hosts.

Triage and response

  1. Determine whether or not this is expected behavior.
  2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization’s internal processes for investigating and remediating compromised systems.
  3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.
  4. Find and repair the root cause of the exploit.

Requires version 7.27 or higher