T1613
Container and Resource Discovery
Description from ATT&CK
Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.
These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution.
Atomic Tests
Atomic Test #1 - Container and ResourceDiscovery
Adversaries may attempt to discover containers and other resources that are available within a containers environment.
Supported Platforms: containers
auto_generated_guid: 8a895923-f99f-4668-acf2-6cc59a44f05e
Inputs:
None
Attack Commands: Run with sh!
1
2
3
4
5
docker build -t t1613 $PathtoAtomicsFolder/T1613/src/
docker run --name t1613_container -d -t t1613
docker ps
docker stats --no-stream
docker inspect $(docker ps -l -q --filter ancestor=t1613)
Cleanup Commands:
1
2
docker stop t1613_container
docker rmi -f t1613_container
Dependencies: Run with sh!
Description: Verify docker is installed. Check Prereq Commands:
1
2
which docker
Get Prereq Commands:
1
2
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
Description: Verify docker service is running. Check Prereq Commands:
1
2
sudo systemctl status docker --no-pager
Get Prereq Commands:
1
2
sudo systemctl start docker