Skip to content

Remove tools from container images


ID: MS-M9012
MITRE mitigation: M1042

Attackers often use built-in executables to run their malicious code. Removing unused executables from the image filesystem can prevent such activity. Examples of executables that are commonly used in malicious activity include: sh, bash, curl, wget, chmod and more.

Techniques Addressed by Mitigation

ID Name Use
MS-TA9007 Bash or Cmd inside container Remove bash and other terminals from container images.
MS-TA9039 Resource hijacking Remove unused tools from the container image.