T1552.007.md

T1552.007 - Container API

Description from ATT&CK

Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)

An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components.

Atomic Tests

• Atomic Test #1 - ListSecrets

• Atomic Test #2 - Cat the contents of a Kubernetes service account token file

Atomic Test #1 - ListSecrets

A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.

Supported Platforms: macOS, Linux

Inputs:

Name	Description	Type	Default Value
namespace	K8s namespace to list	String	default

Attack Commands: Run with bash!

kubectl get secrets -n #{namespace}

Atomic Test #2 - Cat the contents of a Kubernetes service account token file

Access the Kubernetes service account access token stored within a container in a cluster.

Supported Platforms: Linux

Attack Commands: Run with sh!

kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token

Cleanup Commands:

kubectl --context kind-atomic-cluster delete pod atomic-pod

Dependencies: Run with sh!

Description: Verify docker is installed.

Check Prereq Commands:

which docker 

Get Prereq Commands:

if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi

Description: Verify docker service is running.

Check Prereq Commands:

sudo systemctl status docker 

Get Prereq Commands:

sudo systemctl start docker

Description: Verify kind is in the path.

Check Prereq Commands:

which kind 

Get Prereq Commands:

curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64
chmod +x ./kind
mv kind /usr/bin/kind

Description: Verify kind-atomic-cluster is created

Check Prereq Commands:

sudo kind get clusters 

Get Prereq Commands:

sudo kind create cluster --name atomic-cluster

Description: Verify kubectl is in path

Check Prereq Commands:

which kubectl 

Get Prereq Commands:

curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x ./kubectl
mv kubectl /usr/bin/kubectl

Description: Verify atomic-pod is running.

Check Prereq Commands:

kubectl --context kind-atomic-cluster get pods |grep atomic-pod 

Get Prereq Commands:

kubectl --context kind-atomic-cluster run atomic-pod --image=alpine --command -- sleep infinity