Container Administration Command

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.[1][2][3]

In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container.[4][5] In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.[6]

ID: T1609
Sub-techniques:  No sub-techniques
Tactic: Execution
Platforms: Containers
Supports Remote:  Yes
Contributors: Alfredo Oliveira, Trend Micro; Brad Geesaman, @bradgeesaman; Center for Threat-Informed Defense (CTID); David Fiser, @anu4is, Trend Micro; Magno Logan, @magnologan, Trend Micro; Vishwas Manral, McAfee; Yossi Weizman, Azure Defender Research Team
Version: 1.0
Created: 29 March 2021
Last Modified: 14 April 2021
Provided by LAYER 8

Procedure Examples

ID Name Description
S0601 Hildegard

Hildegard was executed through the kubelet API run command and by executing commands on running containers.[7]

S0599 Kinsing

Kinsing was executed with an Ubuntu container entry point that runs shell scripts.[8]

S0623 Siloscape

Siloscape can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster.[9]

G0139 TeamTNT

TeamTNT executed Hildegard through the kubelet API run command and by executing commands on running containers.[7]


ID Mitigation Description
M1038 Execution Prevention

Use read-only containers and minimal images when possible to prevent the execution of commands.

M1035 Limit Access to Resource Over Network

Limit communications with the container service to local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.[10][11]

M1026 Privileged Account Management

Ensure containers are not running as root by default.


ID Data Source Data Component
DS0017 Command Command Execution

Container administration service activities and executed commands can be captured through logging of process execution with command-line arguments on the container and the underlying host. In Docker, the daemon log provides insight into events at the daemon and container service level. Kubernetes system component logs may also detect activities running in and out of containers in the cluster.