Container and Resource Discovery (T1613)

Information

• Name: Container and Resource Discovery

• ID: T1613

• Tactics:

Introduction

Container and Resource Discovery is a technique categorized under the "Discovery" tactic within the MITRE ATT&CK framework. It involves adversaries enumerating containers, container orchestration systems, and related resources within cloud-native environments to gain a deeper understanding of their target environment. This technique helps attackers identify valuable assets, sensitive data, potential vulnerabilities, and opportunities to escalate privileges or expand their access.

Deep Dive Into Technique

Attackers leveraging Container and Resource Discovery typically perform detailed enumeration of containerized environments, including Docker containers, Kubernetes clusters, and cloud container services. Technical execution methods and mechanisms include:

• Enumeration Commands and APIs:

  • Utilizing Docker CLI commands such as docker ps, docker images, and docker inspect to list running containers, images, and configurations.

  • Leveraging Kubernetes commands (kubectl get pods, kubectl describe pods, kubectl get namespaces) for cluster inspection.

  • Querying cloud APIs (AWS ECS, EKS, Azure AKS, Google GKE) to discover container services, namespaces, and resource configurations.

• Accessing Container Metadata:

  • Accessing container metadata endpoints (e.g., AWS ECS Task Metadata, Kubernetes API server endpoints) to obtain sensitive configuration details, credentials, and environment variables.

  • Exploiting misconfigured container runtimes or insecure APIs that expose internal container information.

• Network Scanning and Discovery:

  • Scanning internal networks within containerized environments to discover other containers, nodes, services, and exposed ports.

  • Mapping container network namespaces and overlay networks to identify adjacent systems and potential pivot points.

• Inspection of Container Registries:

  • Enumerating container registries (Docker Hub, Amazon Elastic Container Registry, Azure Container Registry) to identify available container images, tags, and associated metadata.

  • Analyzing registry permissions and access control configurations to find potential vulnerabilities or misconfigurations.

Real-world adversaries often automate these enumeration activities using custom scripts, open-source tools (e.g., kube-hunter, kubeletctl, kubeaudit), and cloud-native reconnaissance frameworks.

When this Technique is Usually Used

Container and Resource Discovery is typically employed in various attack scenarios and stages, including:

• Initial Reconnaissance and Discovery:

  • Attackers perform initial enumeration after gaining minimal access to containerized environments to map the infrastructure and identify valuable targets.

  • Identifying container orchestration platforms, namespaces, and container images during early stages of attack.

• Privilege Escalation and Lateral Movement:

  • Enumerating container resources to identify misconfigured containers or services that allow privilege escalation or lateral movement.

  • Discovering sensitive credentials and tokens stored in environment variables, metadata services, or configuration files.

• Persistence and Data Exfiltration:

  • Identifying persistent storage volumes, shared resources, and backup containers to establish persistence or exfiltrate sensitive information.

  • Discovering containerized databases, caches, and sensitive services for data extraction.

• Preparation for Further Attacks:

  • Mapping container infrastructure and identifying critical services to prepare targeted attacks such as denial-of-service, cryptomining, or ransomware deployment.

  • Enumerating container registries and repositories to identify vulnerable container images for supply chain attacks.

How this Technique is Usually Detected

Detection of Container and Resource Discovery involves monitoring and analyzing containerized environments using dedicated tools, logging mechanisms, and security frameworks. Common detection methods, tools, and indicators of compromise (IoCs) include:

• Container Runtime and Orchestration Logs:

  • Monitoring Docker daemon logs, Kubernetes audit logs, and container runtime logs for suspicious enumeration commands and API calls.

  • Detecting unusual or unauthorized access to Kubernetes API servers, Docker daemons, or container registries.

• Network Monitoring and Anomaly Detection:

  • Using network monitoring tools (e.g., Falco, Sysdig, Aqua Security, Twistlock/Prisma Cloud) to detect unusual scanning patterns, network enumeration, or internal reconnaissance activities.

  • Identifying unexpected network traffic between containers, nodes, or external entities.

• Behavioral Analytics and Baseline Monitoring:

  • Implementing behavioral analytics and anomaly detection solutions to identify deviations from normal usage patterns, such as unusual container enumeration commands, API queries, or metadata endpoint access.

  • Detecting abnormal access patterns to sensitive container resources, namespaces, or configuration files.

• Endpoint Detection and Response (EDR) and Container Security Tools:

  • Deploying container-specific security solutions (e.g., CrowdStrike Falcon Container, Aqua Security, Trend Micro Deep Security) to detect unusual enumeration behaviors, suspicious command execution, or unauthorized resource access.

  • Using open-source tools (e.g., kube-hunter, kubeaudit, kube-bench) to proactively detect misconfigurations and vulnerabilities exploited during enumeration.

Specific Indicators of Compromise (IoCs) include:

• High volume of enumeration commands (docker ps, docker inspect, kubectl get pods) from unusual sources or at irregular intervals.

• Unauthorized access attempts to container metadata endpoints or Kubernetes API servers.

• Unusual API calls to cloud container services (AWS ECS/EKS, Azure AKS, GCP GKE).

• Detection of reconnaissance tools or scripts (e.g., kube-hunter, kubeletctl) executed within container environments.

Why it is Important to Detect This Technique

Detecting Container and Resource Discovery early is critical due to its potential impact on systems and networks:

• Privilege Escalation and Unauthorized Access:

  • Attackers may discover sensitive credentials, tokens, or misconfigurations that enable privilege escalation, lateral movement, or unauthorized access to critical containerized resources.

• Data Breaches and Exfiltration:

  • Enumeration of container resources can lead to identification and extraction of sensitive data, intellectual property, or confidential information stored within containerized environments.

• Resource Hijacking and Abuse:

  • Attackers may discover container resources suitable for deploying cryptomining malware, botnets, or malicious workloads that consume excessive resources and degrade system performance.

• Supply Chain Attacks:

  • Discovery of container registries and vulnerable container images can enable attackers to compromise the software supply chain, leading to widespread security incidents.

• Operational Disruption and Denial-of-Service:

  • Attackers may leverage discovered container resources and infrastructure insights to disrupt critical services, orchestrate denial-of-service attacks, or cause operational outages.

Early detection enables security teams to mitigate threats quickly, minimize damage, and prevent attackers from escalating their access and causing significant harm.

Examples

Real-world examples of Container and Resource Discovery attacks, scenarios, tools used, and impacts include:

• Tesla Kubernetes Cluster Breach (2018):

  • Attackers gained access to Tesla's Kubernetes cluster due to misconfigured Kubernetes dashboards.

  • Used enumeration techniques (kubectl commands) to discover sensitive resources and deployed cryptomining malware.

  • Impact: Unauthorized cryptomining activities, resource abuse, and potential exposure of sensitive data.

• Shopify Bug Bounty Discovery (2020):

  • Security researchers discovered misconfigured Kubernetes clusters within Shopify infrastructure.

  • Used Kubernetes enumeration tools (kubectl, metadata endpoint queries) to identify sensitive internal resources.

  • Impact: Potential exposure of internal infrastructure and sensitive data (promptly mitigated through responsible disclosure).

• Microsoft Azure Container Instances Vulnerability (2021):

  • Researchers identified vulnerabilities allowing attackers to enumerate and access other customers' container resources in Azure Container Instances (ACI).

  • Leveraged enumeration techniques, metadata endpoint queries, and API calls to discover sensitive container resources and data.

  • Impact: Potential cross-tenant data exposure and unauthorized access (Microsoft mitigated promptly upon disclosure).

• Hildegard Malware Campaign (2021):

  • Attackers targeted Kubernetes clusters, leveraging container enumeration commands (kubectl, docker) and misconfigured APIs to discover vulnerable containers.

  • Deployed cryptomining malware and established persistent access within containerized environments.

  • Impact: Resource hijacking, unauthorized cryptomining activities, and potential lateral movement within affected clusters.

These examples highlight the critical importance of securing container environments, monitoring for enumeration activities, and promptly addressing vulnerabilities and misconfigurations.