T1609
Kubernetes Exec Into Container
Description from ATT&CK
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.(Citation: Kubectl Exec Get Shell)
Atomic Tests
Atomic Test #1 - ExecIntoContainer
Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”.
Supported Platforms: containers
auto_generated_guid: d03bfcd3-ed87-49c8-8880-44bb772dea4b
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| namespace | K8s namespace to use | string | default |
| command | Command to run | string | uname |
| path | Path to busybox.yaml file | string | $PathtoAtomicsFolder/T1609/src/busybox.yaml |
Attack Commands: Run with bash!
1
2
3
4
5
kubectl create -f #{path} -n #{namespace}
# wait 3 seconds for the instance to come up
sleep 3
kubectl exec -n #{namespace} busybox -- #{command}
Cleanup Commands:
1
2
kubectl delete pod busybox -n #{namespace}
Dependencies: Run with bash!
Description: kubectl must be installed
Check Prereq Commands:
1
2
which kubectl
Get Prereq Commands:
1
2
echo "kubectl must be installed manually"
Atomic Test #2 - Docker Exec Into Container
Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“docker exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “docker exec”. Kinsing (Golang-based malware) was executed with an Ubuntu container entry point that runs shell scripts.
Supported Platforms: containers
auto_generated_guid: 900e2c49-221b-42ec-ae3c-4717e41e6219
Inputs:
None
Attack Commands: Run with bash!
1
2
3
4
docker build -t t1609 $PathtoAtomicsFolder/T1609/src/
docker run --name t1609_container --rm -itd t1609 bash /tmp/script.sh
docker exec -i t1609_container bash -c "cat /tmp/output.txt"
Cleanup Commands:
1
2
3
docker stop t1609_container
docker rmi -f t1609:latest
Dependencies: Run with bash!
Description: docker must be installed
Check Prereq Commands:
1
2
which docker
Get Prereq Commands:
1
2
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi