T1610 - Deploy Container#
Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.
Containers can be deployed by various means, such as via Docker’s create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)
Atomic Tests#
Atomic Test #1 - Deploy Docker container#
Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime. They can do this using docker create and docker start commands. Kinsing & Doki was exploited using this technique.
Supported Platforms: containers
Dependencies: Run with sh!#
Description: Verify docker is installed.#
Check Prereq Commands:#
which docker
Get Prereq Commands:#
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
Description: Verify docker service is running.#
Check Prereq Commands:#
sudo systemctl status docker --no-pager
Get Prereq Commands:#
sudo systemctl start docker
Invoke-AtomicTest T1610 -TestNumbers 1 -GetPreReqs
Attack Commands: Run with bash#
docker build -t t1610 $PathtoAtomicsFolder/T1610/src/
docker run --name t1610_container --rm -itd t1610 bash /tmp/script.sh
Invoke-AtomicTest T1610 -TestNumbers 1
Cleanup:#
docker stop t1610_container
docker rmi -f t1610:latest
Invoke-AtomicTest T1610 -TestNumbers 1 -Cleanup
Detection#
Monitor for suspicious or unknown container images and pods in your environment. Deploy logging agents on Kubernetes nodes and retrieve logs from sidecar proxies for application pods to detect malicious activity at the cluster level. In Docker, the daemon log provides insight into remote API calls, including those that deploy containers. Logs for management services or applications used to deploy containers other than the native technologies themselves should also be monitored.