
Backdoor container


ID: MS-TA9012
Tactic: Persistence
MITRE technique: T1543

Attackers run their malicious code in a container in the cluster. By using Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers run on one, or all, of the nodes in the cluster.


| ID | Mitigation | Description |
|---|---|---|
| MS-M9003 | Adhere to least-privilege principle | Prevent unnecessary users and service accounts from creating new pods and controllers. |
| MS-M9013 | Restrict over permissive containers | Restrict overly permissive containers in the cluster using an admission controller. |
| MS-M9005.003 | Gate images deployed to Kubernetes cluster | Restrict deployment of new containers to those from a trusted supply chain. |
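
One way to check mitigation MS-M9003 is to list which subjects RBAC allows to create pods or workload controllers. The following is an added example, not part of the original page: it reads Role, ClusterRole and binding objects in the shape of the `items` returned by `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`. The function names and sample objects are constructed for illustration, and API groups and aggregated ClusterRoles are ignored for brevity.

```python
# Added example: find subjects whose RBAC bindings let them create pods or controllers.
WORKLOADS = {"pods", "daemonsets", "deployments", "replicasets", "statefulsets", "jobs", "cronjobs"}
CREATE_VERBS = {"create", "*"}

def rule_grants(rule):
    """Return the workload resources a single RBAC rule allows a subject to create."""
    if not CREATE_VERBS & set(rule.get("verbs", [])):
        return set()
    resources = set(rule.get("resources", []))
    return set(WORKLOADS) if "*" in resources else resources & WORKLOADS

def workload_creators(items):
    """Map 'Kind:namespace/name' subjects to the workload resources they can create."""
    roles = {}
    for obj in items:
        if obj["kind"] in ("Role", "ClusterRole"):
            key = (obj["kind"], obj["metadata"].get("namespace", ""), obj["metadata"]["name"])
            roles[key] = set().union(*(rule_grants(r) for r in obj.get("rules") or []))
    findings = {}
    for obj in items:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = obj["roleRef"]
        # A Role is looked up in the binding's namespace; a ClusterRole has none.
        ns = obj["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
        granted = roles.get((ref["kind"], ns, ref["name"]), set())
        for s in obj.get("subjects") or []:
            if granted:
                key = f'{s["kind"]}:{s.get("namespace", "")}/{s["name"]}'
                findings.setdefault(key, set()).update(granted)
    return findings

SAMPLE = [  # constructed objects, not taken from a real cluster
    {"kind": "ClusterRole", "metadata": {"name": "node-agent"},
     "rules": [{"apiGroups": ["apps"], "resources": ["daemonsets"], "verbs": ["create", "get"]}]},
    {"kind": "Role", "metadata": {"name": "viewer", "namespace": "web"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "agent-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "node-agent"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "build"}]},
    {"kind": "RoleBinding", "metadata": {"name": "view-binding", "namespace": "web"},
     "roleRef": {"kind": "Role", "name": "viewer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    for subject, resources in sorted(workload_creators(SAMPLE).items()):
        print(subject, "can create:", ", ".join(sorted(resources)))
```

Each subject reported should be reviewed against what it actually needs; a service account that never deploys workloads should not appear in the output.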