Container Administration Command (T1609)

Tactic: Execution · Platforms: Containers

The interactive view maps 1 detection strategy, 5 mitigations, 1 threat group, 4 software entries to this technique, alongside D3FEND countermeasures and data-component coverage.

Overview

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.

In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container. In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.

Explore