Deploy Container

Information

• Name: Unknown

• ID: T1609.001

• Tactics:

Introduction

Deploy Container (T1609.001) is a sub-technique within the MITRE ATT&CK framework under the broader Container Administration Command (T1609) technique category. This sub-technique involves adversaries deploying malicious containers within compromised environments. Containers are lightweight, standalone executable software packages that encapsulate applications and their dependencies. Attackers leverage container deployment to execute unauthorized code, escalate privileges, evade defenses, and establish persistence within cloud, virtual, or containerized environments.

Deep Dive Into Technique

Deploy Container (T1609.001) involves adversaries utilizing container orchestration platforms or container runtime engines to launch malicious containers. Containers are typically deployed through container runtimes such as Docker, containerd, CRI-O, or through orchestrators such as Kubernetes, Docker Swarm, and OpenShift.

Technical execution methods and mechanisms include:

• Container Runtime Abuse:

  • Attackers may directly interact with container runtime APIs or command-line interfaces (CLIs) such as Docker CLI (docker run), containerd (ctr run), or CRI-O (crictl run) to deploy malicious containers.

  • Malicious containers can be deployed with privileged settings (--privileged) to gain elevated access to the host system.

• Container Orchestration Abuse:

  • Attackers may exploit compromised Kubernetes clusters or other orchestration platforms to deploy malicious workloads via YAML manifests or JSON definitions.

  • Malicious deployments may involve creating new Pods, DaemonSets, or Deployments within Kubernetes environments, allowing attackers to scale malicious activities across multiple nodes.

• Image Pulling from Malicious Registries:

  • Attackers may instruct compromised systems to pull container images from attacker-controlled registries, typically hosted externally or within compromised internal registries.

  • Malicious images may contain backdoors, cryptocurrency miners, credential harvesters, or other malicious payloads.

• Evading Detection and Establishing Persistence:

  • Containers can be ephemeral and easily destroyed or recreated, helping attackers evade detection.

  • Attackers may deploy containers that automatically restart upon termination, ensuring persistent footholds within compromised environments.

When this Technique is Usually Used

Attack scenarios and stages where Deploy Container (T1609.001) is typically observed include:

• Initial Access and Execution:

  • Adversaries may exploit container runtime or orchestration platform misconfigurations, vulnerabilities, or weak authentication mechanisms to deploy malicious containers as their initial foothold.

• Privilege Escalation:

  • Malicious containers may be deployed with elevated privileges, allowing attackers to escalate privileges from containerized environments to underlying host systems.

• Persistence:

  • Containers can be configured to restart automatically, providing attackers persistent access even after system restarts or container termination.

• Defense Evasion:

  • Deploying malicious containers can help attackers evade traditional endpoint security solutions, as containers often run in isolated environments and may not be thoroughly scanned or monitored.

• Resource Hijacking and Cryptomining:

  • Attackers deploy containers containing cryptocurrency mining software, consuming compute resources from compromised environments.

• Lateral Movement and Data Exfiltration:

  • Malicious containers may be deployed to facilitate lateral movement across containerized clusters or to exfiltrate data from internal networks to external attacker-controlled servers.

How this Technique is Usually Detected

Detection methods, tools, and specific indicators of compromise (IoCs) for Deploy Container (T1609.001) include:

• Monitoring Container Runtime Logs and Commands:

  • Monitor container runtime logs (Docker daemon logs, containerd logs) for unusual container creation or execution commands.

  • Identify suspicious command-line parameters, such as --privileged, unusual image repositories, or unexpected container names.

• Monitoring Container Orchestration Events:

  • Monitor Kubernetes audit logs or orchestration platform event logs for suspicious Pod deployments, DaemonSets, or Deployments originating from unknown or unauthorized users or service accounts.

  • Detect deployments referencing external or unknown container registries.

• Image Registry Monitoring:

  • Monitor network traffic to external container registries or unknown repositories.

  • Track container image pulls from unusual or untrusted registries.

• Behavioral Anomaly Detection:

  • Detect containers exhibiting unusual resource usage (CPU, memory spikes) indicative of cryptomining or other malicious activity.

  • Monitor containers performing unexpected network activity, such as outbound connections to unknown IP addresses or domains.

• File Integrity and Container Image Scanning:

  • Implement container image scanning tools (such as Clair, Anchore, or Aqua Security) to detect vulnerabilities or malicious payloads within deployed container images.

  • Establish baselines for expected container images and detect deviations from approved images.

Indicators of Compromise (IoCs):

• Unrecognized container images or repositories.

• Containers running with privileged permissions (--privileged).

• Unusual network connections originating from containers.

• Sudden spikes in container resource utilization (CPU, memory).

• Unexpected container deployments outside of normal operational schedules.

Why it is Important to Detect This Technique

Detecting Deploy Container (T1609.001) is crucial due to its potential severe impacts on systems and networks, including:

• Privilege Escalation and Host Compromise:

  • Malicious containers with privileged access can compromise underlying host systems, leading to full system compromise and further lateral movement.

• Resource Exhaustion and Denial of Service:

  • Malicious containers performing cryptomining or intensive processing tasks can exhaust system resources, degrade performance, and cause denial-of-service conditions.

• Data Breach and Exfiltration:

  • Containers can facilitate covert data exfiltration, resulting in sensitive data loss, regulatory fines, and reputational damage.

• Persistence and Defense Evasion:

  • Containers provide attackers persistent footholds that are difficult to detect and remove, complicating incident response and remediation efforts.

• Propagation and Lateral Movement:

  • Malicious containers can propagate laterally, compromising multiple nodes or clusters, significantly increasing the attack surface and remediation complexity.

Early detection minimizes damage, reduces remediation costs, and limits attackers' ability to escalate privileges, spread laterally, or exfiltrate data.

Examples

Real-world examples and attack scenarios involving Deploy Container (T1609.001):

• TeamTNT Malware Campaigns:

  • Attackers deployed malicious containers containing cryptocurrency miners and credential-stealing scripts.

  • Leveraged Docker APIs exposed without authentication to deploy containers across multiple compromised hosts.

  • Impact: Resource hijacking, credential theft, lateral movement, and persistent footholds.

• Doki Malware:

  • Attackers deployed malicious containers via compromised Docker APIs and Kubernetes clusters.

  • Containers executed cryptomining software and established backdoors for persistent access.

  • Impact: Resource exhaustion, persistent backdoor access, and lateral movement within containerized environments.

• Graboid Worm:

  • Attackers deployed malicious containers across vulnerable Docker hosts using unsecured Docker APIs.

  • Containers performed cryptomining and propagated laterally by scanning for additional vulnerable hosts.

  • Impact: Rapid lateral propagation, resource hijacking, and persistent footholds across multiple hosts.

• Hildegard Malware:

  • Attackers exploited Kubernetes misconfigurations to deploy malicious containers containing cryptominers and reverse shells.

  • Containers ran with privileged permissions, enabling host compromise and lateral movement.

  • Impact: Privilege escalation, host compromise, cryptomining, and persistent footholds in Kubernetes clusters.

These examples demonstrate the critical need for robust detection and monitoring of container deployments, runtime activities, and orchestration events to mitigate threats associated with Deploy Container (T1609.001).