Container Service

Information

• Name: Container Service

• ID: T1543.005

• Tactics: TA0003, TA0004

• Technique: T1543

Introduction

Container Service (T1543.005) is a sub-technique within the MITRE ATT&CK framework categorized under "Create or Modify System Process." It involves adversaries creating or manipulating container services, such as Docker or Kubernetes, to establish persistent access, execute malicious payloads, or escalate privileges. Containers offer adversaries a discrete and isolated environment, making detection and remediation challenging.

Deep Dive Into Technique

Adversaries leveraging Container Service (T1543.005) typically exploit container orchestration platforms and container runtimes to achieve persistence, lateral movement, or privilege escalation. The following technical methods and mechanisms are commonly observed:

• Creation of Malicious Containers:

  • Adversaries deploy malicious container images or modify existing ones to execute unauthorized code.

  • Malicious containers may run cryptominers, command-and-control (C2) agents, or other malware payloads.

• Modification of Container Configurations:

  • Attackers alter container runtime configurations, such as Docker daemon settings (daemon.json), to evade detection or gain privileged access.

  • Misconfigured container runtimes can allow host-level access, enabling attackers to escalate privileges.

• Abuse of Container Orchestration Platforms:

  • Attackers exploit Kubernetes or Docker Swarm to deploy unauthorized workloads.

  • Kubernetes manifests or Docker Compose files may be manipulated to launch malicious containers persistently.

• Privileged Containers:

  • Attackers may deploy containers with elevated privileges (--privileged flag), granting direct access to the host system devices and kernel.

  • Privileged containers can bypass isolation measures, enabling attackers to compromise the underlying host.

• Container Escape Techniques:

  • Attackers may leverage vulnerabilities within container runtimes or the Linux kernel to escape container isolation and gain host-level access.

  • Common techniques include exploitation of misconfigured volume mounts, namespaces, or cgroups.

When this Technique is Usually Used

Container Service (T1543.005) is typically employed during various stages of an attack lifecycle, including:

• Persistence:

  • Attackers deploy malicious containers to ensure continuous presence on compromised systems.

  • Container orchestration ensures automatic container restart, maintaining attacker foothold after system reboots.

• Privilege Escalation:

  • Exploiting privileged containers or container escape vulnerabilities to escalate from container-level access to host-level privileges.

• Execution:

  • Containers provide a convenient and isolated execution environment for attackers to run malicious payloads without detection.

• Lateral Movement:

  • Containers can be used to pivot across containerized environments, enabling attackers to spread within clustered infrastructure.

• Defense Evasion:

  • Containerized malware can evade traditional detection systems not designed to monitor containerized workloads effectively.

How this Technique is Usually Detected

Detection of Container Service (T1543.005) abuse requires specialized monitoring and analysis tools targeting container environments. Typical detection methods include:

• Runtime Monitoring and Logging:

  • Utilize container runtime logs (Docker daemon logs, Kubernetes audit logs) to identify suspicious container creation, configuration changes, or unauthorized workload deployments.

  • Monitor Docker events and Kubernetes API server audit logs for unusual container lifecycle events or unauthorized access attempts.

• Image Scanning and Integrity Verification:

  • Regularly scan container images for known vulnerabilities, malware signatures, and unauthorized modifications using tools like Clair, Anchore, or Trivy.

  • Implement image signature verification and policy enforcement to detect unauthorized or tampered container images.

• Behavioral Analysis and Anomaly Detection:

  • Implement container runtime security solutions (Falco, Aqua Security, Sysdig) to detect anomalous behavior, such as unexpected process execution, network connections, or privilege escalation attempts.

  • Baseline container activities and alert on deviations from normal operational behavior.

• Host-Based Detection:

  • Monitor host-level events for container escape attempts, suspicious kernel module loading, or unusual privilege escalations.

  • Audit Linux kernel logs, SELinux/AppArmor violations, and system call anomalies indicative of container escape attempts.

Indicators of Compromise (IoCs)

• Unexpected or unknown container images running on hosts.

• Containers running with privileged flags (--privileged) or elevated capabilities.

• Unusual container restart patterns or persistent unauthorized workloads.

• Suspicious volume mounts or host filesystem access from containers.

• Unauthorized Kubernetes manifests or Docker Compose files found on hosts.

Why it is Important to Detect This Technique

Early detection of Container Service (T1543.005) abuse is critical due to the significant potential impacts on organizations, including:

• Persistence and Stealth:

  • Containers allow attackers to maintain persistent and stealthy footholds, making detection and eradication challenging.

• Privilege Escalation:

  • Compromise of privileged containers can lead directly to host-level access and control over entire container clusters.

• Resource Abuse:

  • Attackers frequently deploy resource-intensive payloads (e.g., cryptominers) within containers, negatively impacting system performance and resource availability.

• Data Exfiltration and Compromise:

  • Containers compromised by attackers can serve as staging points for data exfiltration, severe data breaches, or ransomware deployment.

• Lateral Movement and Cluster Compromise:

  • Containerized environments often span multiple nodes and clusters, allowing attackers to spread laterally rapidly, compromising entire infrastructure.

Early detection and mitigation of malicious container activities significantly reduce the risk of full-scale compromise, data breaches, and service disruption.

Examples

Real-world examples of Container Service (T1543.005) abuse include:

• Doki Malware:

  • Attackers leveraged Docker APIs exposed to the internet to deploy malicious containers running cryptocurrency miners.

  • Doki malware dynamically fetched payloads from attacker-controlled servers, ensuring persistence and evasion.

• TeamTNT Group Attacks:

  • Attackers exploited misconfigured Docker daemons to deploy malicious containers running cryptominers and credential-stealing scripts.

  • Containers were configured with elevated privileges and host volume mounts, allowing lateral movement and host compromise.

• Hildegard Malware Campaign:

  • Attackers exploited Kubernetes clusters via misconfigured kubelets to deploy malicious containers.

  • Hildegard malware executed cryptominers, credential theft, and lateral movement scripts within compromised containers.

• Azure Kubernetes Service (AKS) Attacks:

  • Attackers compromised Kubernetes clusters hosted on Azure by exploiting vulnerable container images or misconfigured RBAC policies.

  • Malicious containers executed cryptominers and attempted lateral movement within the cloud environment.

These examples highlight the diverse attack scenarios, tools, and impacts associated with Container Service (T1543.005) abuse, emphasizing the importance of robust container security practices and monitoring.