Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)

In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as `docker exec` to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as `kubectl exec`.(Citation: Kubectl Exec Get Shell)
Attackers who have permissions can run malicious commands in containers in the cluster using the exec command (`kubectl exec`). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu), as a backdoor container and run their malicious code remotely by using `kubectl exec`.
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
---|---|---|---|
namespace | K8s namespace to use | String | default |
command | Command to run | String | uname |
```sh
# Create the busybox pod from the test's manifest in the chosen namespace
kubectl create -f src/busybox.yaml -n #{namespace}
# Run the configured command inside the running pod via the pods/exec subresource
kubectl exec -n #{namespace} busybox -- #{command}
# Clean up the pod
kubectl delete pod busybox -n #{namespace}
```
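As an added defender-side example (not part of the original technique page or of the Atomic Red Team test): the `kubectl exec` above reaches the API server as a request on the `pods/exec` subresource, and the API server audit log records the user, source IP, object reference, and query string of that request. The script below parses constructed audit-log lines in the Kubernetes audit event format and returns one finding per distinct exec or attach request; it assumes the cluster's audit policy logs `pods/exec` and `pods/attach` at Metadata level or above, and all sample values are invented.

```python
import json
from urllib.parse import urlsplit, parse_qs

# pods/exec and pods/attach are the API server subresources behind `kubectl exec`
# and `kubectl attach`; both hand a command or an interactive stream to a container.
EXEC_SUBRESOURCES = {"exec", "attach"}

# Constructed sample audit event for the `kubectl exec ... busybox -- uname -a` case.
_EXEC = {"auditID": "a1", "stage": "ResponseStarted", "verb": "create",
         "user": {"username": "system:serviceaccount:default:deployer"},
         "sourceIPs": ["10.0.0.7"],
         "objectRef": {"resource": "pods", "subresource": "exec",
                       "namespace": "default", "name": "busybox"},
         "requestURI": "/api/v1/namespaces/default/pods/busybox/exec"
                       "?command=uname&command=-a&container=busybox&stdout=true"}

# One JSON object per line, as the API server writes them (all constructed values).
SAMPLE_AUDIT_LINES = [
    json.dumps(_EXEC),
    json.dumps({**_EXEC, "stage": "ResponseComplete"}),  # same request, later audit stage
    json.dumps({"auditID": "b2", "stage": "ResponseComplete", "verb": "get",
                "user": {"username": "alice"},
                "objectRef": {"resource": "pods", "namespace": "default", "name": "busybox"},
                "requestURI": "/api/v1/namespaces/default/pods/busybox"}),  # benign read
    json.dumps({"auditID": "c3", "stage": "ResponseStarted", "verb": "create",
                "user": {"username": "alice"}, "sourceIPs": ["192.0.2.10"],
                "objectRef": {"resource": "pods", "subresource": "attach",
                              "namespace": "prod", "name": "web-0"},
                "requestURI": "/api/v1/namespaces/prod/pods/web-0/attach?container=web&stdin=true"}),
]

def find_exec_events(lines):
    """Return one finding per distinct pods/exec or pods/attach request in the audit lines."""
    findings, seen = [], set()
    for line in lines:
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "pods" or ref.get("subresource") not in EXEC_SUBRESOURCES:
            continue
        if ev.get("auditID") in seen:  # a single request is logged once per audit stage
            continue
        seen.add(ev.get("auditID"))
        query = parse_qs(urlsplit(ev.get("requestURI", "")).query)
        findings.append({
            "user": ev.get("user", {}).get("username"),
            "source_ip": (ev.get("sourceIPs") or [None])[0],
            "namespace": ref.get("namespace"),
            "pod": ref.get("name"),
            "container": query.get("container", [None])[0],
            "action": ref["subresource"],
            "command": query.get("command", []),  # attach carries no command argument
        })
    return findings
```

Feed the real audit log to `find_exec_events` and alert on findings whose user or source IP is not an expected operator identity.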