New container

Info

ID: MS-TA9008
Tactic: Execution
MITRE technique: T1610

Attackers may attempt to run their code in the cluster by deploying a container. Attackers who have permission to deploy a pod or a controller in the cluster (such as a DaemonSet, ReplicaSet or Deployment) can create a new resource for running their code.

Mitigations

| ID | Mitigation | Description |
| --- | --- | --- |
| MS-M9003 | Adhere to least-privilege principle | Prevent unnecessary users and service accounts from creating new pods and controllers. |
| MS-M9013 | Restrict over-permissive containers | Restrict over-permissive containers in the cluster using an admission controller. |
| MS-M9005.003 | Gate images deployed to Kubernetes cluster | Restrict deployment of new containers to those from a trusted supply chain. |
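As an added example (not part of this page or of the threat matrix itself), the following script reviews Kubernetes API-server audit events for the workload creations described above and flags two of the conditions the mitigations target: a creator outside an allow-list of expected principals (least privilege) and an over-permissive pod spec (privileged container, host PID or host network). The allow-list, the field checks and the sample audit lines are constructed assumptions, not data from a real cluster.

```python
import json

# Workload kinds whose creation lets a principal run code in the cluster (T1610)
WORKLOAD_RESOURCES = {"pods", "daemonsets", "replicasets", "deployments"}
# Constructed allow-list of principals expected to create workloads (assumption)
ALLOWED_CREATORS = {"system:serviceaccount:argocd:argocd-application-controller"}

def over_permissive(obj):
    # Controllers nest the pod spec under spec.template.spec; a bare Pod has it at spec
    spec = obj.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    if pod_spec.get("hostPID") or pod_spec.get("hostNetwork"):
        return True
    return any(c.get("securityContext", {}).get("privileged")
               for c in pod_spec.get("containers", []))

def review_audit_event(event):
    """Return a finding for a workload 'create' that violates policy, else None."""
    ref = event.get("objectRef", {})
    if event.get("verb") != "create" or ref.get("resource") not in WORKLOAD_RESOURCES:
        return None
    user = event.get("user", {}).get("username", "")
    reasons = []
    if user not in ALLOWED_CREATORS:
        reasons.append("creator not in allow-list")
    if over_permissive(event.get("requestObject", {})):
        reasons.append("over-permissive pod spec")
    if not reasons:
        return None
    return {"user": user, "resource": ref["resource"],
            "namespace": ref.get("namespace"), "reasons": reasons}

def review_audit_log(lines):
    """Parse JSON-lines audit events and return the list of findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = review_audit_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings

# Constructed sample audit events (JSON lines), not data from any real cluster
SAMPLE_AUDIT_LOG = [
    '{"verb":"create","user":{"username":"system:serviceaccount:argocd:argocd-application-controller"},"objectRef":{"resource":"deployments","namespace":"shop"},"requestObject":{"spec":{"template":{"spec":{"containers":[{"name":"web","image":"registry.example/web:1.2"}]}}}}}',
    '{"verb":"create","user":{"username":"system:serviceaccount:default:default"},"objectRef":{"resource":"daemonsets","namespace":"kube-system"},"requestObject":{"spec":{"template":{"spec":{"hostPID":true,"containers":[{"name":"x","image":"example/untrusted:latest","securityContext":{"privileged":true}}]}}}}}',
    '{"verb":"get","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"shop"}}',
]
```

Only the second sample event is reported: it is a DaemonSet created by the default service account with a privileged, host-PID container, which is exactly the combination the least-privilege and admission-control mitigations are meant to stop.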