T1609

Container Administration Command

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet) In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as <c...

Platforms: Containers
Detections: 26
Sources: 2
Threat Actors: 1

BY SOURCE: 23 elastic, 3 sigma

PROCEDURES (16)

Procedure groupings are auto-extracted by keyword; the count after each keyword is the number of detections matched to it.

Privilege: 2 detections
Container: 2 detections
Persist: 2 detections
Inject: 2 detections
Credential: 2 detections
Lateral: 2 detections
Container: 2 detections
Bypass: 2 detections
Token: 2 detections
Unusual: 2 detections
Token: 1 detection
Exfiltrat: 1 detection
Kubernetes: 1 detection
Unusual: 1 detection
Exfiltrat: 1 detection
General Monitoring: 1 detection

THREAT ACTORS (1)

DETECTIONS (26)

Each entry lists the detection name followed by its source and severity.

Container Management Utility Execution Detected via Defend for Containers (elastic, low)
Container Management Utility Run Inside A Container (elastic, low)
Container Runtime CLI Execution with Suspicious Arguments (elastic, medium)
Direct Interactive Kubernetes API Request by Common Utilities (elastic, medium)
Direct Interactive Kubernetes API Request by Unusual Utilities (elastic, low)
Direct Interactive Kubernetes API Request Detected via Defend for Containers (elastic, low)
Docker Socket Enumeration (elastic, medium)
Forbidden Direct Interactive Kubernetes API Request (elastic, medium)
Interactive Exec Into Container Detected via Defend for Containers (elastic, low)
Kubectl Apply Pod from URL (elastic, low)
Kubernetes Ephemeral Container Added to Pod (elastic, medium)
Kubernetes Pod Exec Cloud Instance Metadata Access (elastic, high)
Kubernetes Pod Exec Potential Reverse Shell (elastic, high)
Kubernetes Pod Exec Sensitive File or Credential Path Access (elastic, high)
Kubernetes Pod Exec with Curl or Wget to HTTPS (elastic, high)
Kubernetes Potential Enumeration Activity (sigma, medium)
Kubernetes User Exec into Pod (elastic, medium)
Pod or Container Creation with Suspicious Command-Line (elastic, medium)
Potential Kubectl Masquerading via Unexpected Process (elastic, medium)
Potential Kubeletctl Execution (elastic, medium)
Potential Kubeletctl Execution Detected via Defend for Containers (elastic, high)
Potential Remote Command Execution In Pod Container (sigma, medium)
Potential Sidecar Injection Into Running Deployment (sigma, medium)
Privileged Container Creation with Host Directory Mount (elastic, high)
Privileged Docker Container Creation (elastic, medium)
Suspicious Container Runtime CLI Execution (elastic, medium)