T1552.007

Container API

Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API) An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficien...

Containers

13 Detections
3 Sources
0 Threat Actors

BY SOURCE

5 elastic, 4 sigma, 4 splunk_escu

PROCEDURES (10)

Anomal: 4 detections

Auto-extracted: 4 detections for anomal

Container: 1 detection

Auto-extracted: 1 detection for container

Service: 1 detection

Auto-extracted: 1 detection for service

Container: 1 detection

Auto-extracted: 1 detection for container

Persist: 1 detection

Auto-extracted: 1 detection for persist

Api: 1 detection

Auto-extracted: 1 detection for api

Unusual: 1 detection

Auto-extracted: 1 detection for unusual

Service: 1 detection

Auto-extracted: 1 detection for service

Service: 1 detection

Auto-extracted: 1 detection for service

General Monitoring: 1 detection

Auto-extracted: 1 detection for general monitoring

DETECTIONS (13)