Container CLI/API - T1059.013 (c283d88f-8c23-4318-9da5-3d50cecad756)
Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments.
The Docker CLI is used for managing containers via an exposed API point from the dockerd daemon. Some common examples of Docker CLI include Docker Desktop CLI and Docker Compose, but users are also able to use SDKs to interact with the API. For example, Docker SDK for Python can be used to run commands within a Python application.(Citation: Docker Desktop CLI)
Adversaries may leverage the Docker CLI, API, or SDK to pull or build Docker images (i.e., Ingress Tool Transfer, Build Image on Host), run containers (i.e., Deploy Container), or execute commands inside running containers (i.e., Container Administration Command). In some cases, threat actors may pull legitimate images that include scripts or tools that they can leverage - for example, using an image that includes the curl command to download payloads.(Citation: Intezer) Adversaries may also utilize docker inspect and docker ps to scan for cloud environment variables and other running containers (i.e., Container and Resource Discovery).(Citation: Cisco Talos Blog)(Citation: aquasec)
Kubernetes is responsible for the management and orchestration of containers across clusters. The Kubernetes control plane, which manages the state of the cluster and is responsible for scheduling, communication, and resource monitoring, can be invoked directly via the API or indirectly via CLI tools such as kubectl. It may also be accessed within client libraries such as Go or Python. By utilizing the API, administrators can interact with resources within the cluster such as listing or creating pods, which is a group of one or more containers. Adversaries call the API server via curl or other tools, allowing them to obtain further information about the environment such as pods, deployments, daemonsets, namespaces, or sysvars.(Citation: aquasec) They may also run various commands regarding resource management.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Container CLI/API - T1059.013 (c283d88f-8c23-4318-9da5-3d50cecad756) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 1 |