Unsecured Credentials: Container API (T1552.007)

Tactic: Credential Access · Platforms: Containers

The interactive view maps 1 detection strategy, 4 mitigations, 1 software entry to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of Unsecured Credentials (T1552).

Overview

Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.

An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment. An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components.

Explore