Deploy Container

Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.

Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow.[1][2][3] Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.[4]

ID: T1610
Sub-techniques:  No sub-techniques
Platforms: Containers
Permissions Required: User, root
Supports Remote:  Yes
Contributors: Alfredo Oliveira, Trend Micro; Ariel Shuper, Cisco; Center for Threat-Informed Defense (CTID); Idan Frimark, Cisco; Magno Logan, @magnologan, Trend Micro; Pawan Kinger, @kingerpawan, Trend Micro; Vishwas Manral, McAfee; Yossi Weizman, Azure Defender Research Team
Version: 1.0
Created: 29 March 2021
Last Modified: 14 April 2021
Provided by LAYER 8

Procedure Examples

ID Name Description
S0600 Doki

Doki was run through a deployed container.[5]

S0599 Kinsing

Kinsing was run through a deployed Ubuntu container.[6]

G0139 TeamTNT

TeamTNT has deployed different types of containers into victim environments to facilitate execution.[7][8]

Mitigations

ID Mitigation Description
M1035 Limit Access to Resource Over Network

Limit communications with the container service to local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API, Kubernetes API Server, and container orchestration web applications.[9][10]

M1030 Network Segmentation

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.

M1018 User Account Management

Enforce the principle of least privilege by limiting container dashboard access to only the necessary users.

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0032 Container Container Creation
Container Start
DS0014 Pod Pod Creation
Pod Modification

Monitor for suspicious or unknown container images and pods in your environment. Deploy logging agents on Kubernetes nodes and retrieve logs from sidecar proxies for application pods to detect malicious activity at the cluster level. In Docker, the daemon log provides insight into remote API calls, including those that deploy containers. Logs for management services or applications used to deploy containers other than the native technologies themselves should also be monitored.

References