1. Home
  2. Techniques
  3. Enterprise
  4. Container and Resource Discovery

Container and Resource Discovery

Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.

These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.[1][2] In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution.

ID: T1613
Sub-techniques:  No sub-techniques
Tactic: Discovery
Platforms: Containers
Permissions Required: User
Contributors: Center for Threat-Informed Defense (CTID); Vishwas Manral, McAfee; Yossi Weizman, Azure Defender Research Team
Version: 1.0
Created: 31 March 2021
Last Modified: 12 April 2021

Procedure Examples

ID Name Description
S0601 Hildegard

Hildegard has used masscan to search for kubelets and the kubelet API for additional running containers.[3]

S0683 Peirates

Peirates can enumerate Kubernetes pods in a given namespace.[4]
G0139 TeamTNT

TeamTNT has checked for running containers with docker ps and for specific container names with docker inspect.[5]

Mitigations

ID Mitigation Description
M1035 Limit Access to Resource Over Network

Limit communications with the container service to local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.[6][7]
M1030 Network Segmentation

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.
M1018 User Account Management

Enforce the principle of least privilege by limiting dashboard visibility to only the required users.

Detection

ID Data Source Data Component
DS0032 Container Container Enumeration
DS0014 Pod Pod Enumeration

Establish centralized logging for the activity of container and Kubernetes cluster components. This can be done by deploying logging agents on Kubernetes nodes and retrieving logs from sidecar proxies for application pods to detect malicious activity at the cluster level.

Monitor logs for actions that could be taken to gather information about container infrastructure, including the use of discovery API calls by new or unexpected users. Monitor account activity logs to see actions performed and activity associated with the Kubernetes dashboard and other web applications.

References

  1. Docker. (n.d.). Docker Engine API v1.41 Reference. Retrieved March 31, 2021.
  2. The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021.
  3. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  4. InGuardians. (2022, January 5). Peirates GitHub. Retrieved February 8, 2022.
  1. Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
  2. Docker. (n.d.). Protect the Docker Daemon Socket. Retrieved March 29, 2021.
  3. The Kubernetes Authors. (n.d.). Controlling Access to The Kubernetes API. Retrieved March 29, 2021.