Backdoor container
Info
ID: MS-TA9012
Tactic: Persistence
MITRE technique: T1543
Attackers run their malicious code in a container in the cluster. By using Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers keeps running on one, or all, of the nodes in the cluster, so the backdoor is recreated whenever a pod is deleted or a node is replaced.
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| MS-M9003 | Adhere to least-privilege principle | Prevent unnecessary users and service accounts from creating new pods and controllers. |
| MS-M9013 | Restrict over-permissive containers | Restrict over-permissive containers in the cluster using an admission controller. |
| MS-M9005.003 | Gate images deployed to Kubernetes cluster | Allow deployment of new containers only from a trusted supply chain. |
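The three mitigations above can be checked statically against manifests before they reach the API server (or against objects exported from a running cluster with `kubectl get ... -o json`). The following script is an added example, not code from the Microsoft threat matrix: it flags controller workloads whose images fall outside a trusted-registry allowlist (MS-M9005.003), workloads with over-permissive settings such as privileged containers, host namespaces or hostPath volumes (MS-M9013), and RBAC roles that let a principal create pods or controllers (MS-M9003). The registry name, manifests and role are constructed for illustration.

```python
# Added example (not from the threat matrix page): static checks over Kubernetes
# manifests that mirror the three mitigations listed for "Backdoor container".
# The registry allowlist and every manifest below are constructed samples.

# Hypothetical registry the cluster's supply chain is trusted to pull from.
TRUSTED_REGISTRIES = ("registry.corp.example/",)

# Controller kinds that keep a container running (the persistence primitive here).
WORKLOAD_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job", "CronJob"}
# API resources whose "create" verb lets a principal schedule a persistent container.
WORKLOAD_RESOURCES = {"pods", "deployments", "daemonsets", "statefulsets",
                      "replicasets", "jobs", "cronjobs"}


def image_is_trusted(image: str, trusted=TRUSTED_REGISTRIES) -> bool:
    """Gate images by registry prefix (mitigation MS-M9005.003)."""
    return any(image.startswith(prefix) for prefix in trusted)


def pod_spec_of(manifest: dict) -> dict:
    """Return the pod template spec; CronJob nests it one level deeper than the others."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def audit_workload(manifest: dict, trusted=TRUSTED_REGISTRIES) -> list:
    """Flag untrusted images and over-permissive pod settings (MS-M9005.003, MS-M9013)."""
    kind = manifest.get("kind")
    if kind not in WORKLOAD_KINDS:
        return []
    tag = f"{kind}/{manifest.get('metadata', {}).get('name', '<unnamed>')}"
    pod = pod_spec_of(manifest)
    findings = []
    for host_flag in ("hostPID", "hostNetwork", "hostIPC"):
        if pod.get(host_flag):
            findings.append(f"{tag}: pod shares the node's {host_flag[4:].lower()} namespace")
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        image = c.get("image", "")
        if not image_is_trusted(image, trusted):
            findings.append(f"{tag}: container {c.get('name')} pulls untrusted image {image}")
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{tag}: container {c.get('name')} runs privileged")
    for v in pod.get("volumes", []):
        if "hostPath" in v:
            findings.append(f"{tag}: volume {v.get('name')} mounts hostPath {v['hostPath'].get('path')}")
    return findings


def role_grants_workload_creation(role: dict) -> list:
    """List workload resources a Role/ClusterRole lets its subjects create (MS-M9003)."""
    grants = []
    for rule in role.get("rules", []):
        if not set(rule.get("verbs", [])) & {"create", "*"}:
            continue
        for resource in rule.get("resources", []):
            if resource == "*" or resource in WORKLOAD_RESOURCES:
                grants.append(resource)
    return grants


# Constructed sample objects: one DaemonSet showing every flagged pattern, one clean
# Deployment, and one Role that hands out controller creation.
SAMPLE_DAEMONSET = {
    "apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "node-helper", "namespace": "kube-system"},
    "spec": {"template": {"spec": {
        "hostPID": True,
        "containers": [{"name": "helper", "image": "docker.io/someuser/helper:latest",
                        "securityContext": {"privileged": True}}],
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    }}},
}
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "registry.corp.example/shop/web:1.4.2",
         "securityContext": {"privileged": False}}]}}},
}
SAMPLE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "ci-deployer", "namespace": "shop"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets"],
         "verbs": ["get", "list", "create"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
    ],
}

if __name__ == "__main__":
    for manifest in (SAMPLE_DAEMONSET, SAMPLE_DEPLOYMENT):
        for finding in audit_workload(manifest):
            print(finding)
    print("ci-deployer can create:", role_grants_workload_creation(SAMPLE_ROLE))
```

Run against the samples, the DaemonSet produces four findings (host PID namespace, untrusted image, privileged container, hostPath mount of `/`), the Deployment none, and the Role is reported as able to create `deployments` and `daemonsets`, which is exactly the capability the technique relies on. The same checks are what an admission controller enforces at request time; running them over stored manifests catches the gap before the controller is ever created.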