Containers Matrix
This page summarises the MITRE ATT&CK matrix for containers.
What is MITRE ATT&CK?
ATT&CK is a knowledge base of adversarial techniques based on real-world observations. ATT&CK focuses on how adversaries interact with systems during an operation, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target.
Before You Continue…
The goal is not to achieve 100% coverage. Not every box applies to everyone. Prioritize the boxes that are most relevant to you and ensure you are prepared for them.
Just because you have identified a single way an adversary has performed a technique doesn't mean it is time to declare success and color a box green. Adversaries have multiple ways to perform most techniques. Look for and understand other ways a technique may be accomplished.
Adversaries may also use a series of other behaviors that have not been documented yet. Don't limit yourself to the matrix. Remember that the ATT&CK matrix only documents observed real-world behaviors.
The Matrix
The matrix is split here by tactic (type of technique) for more visibility and information.
The mitigations that recur most often across techniques are shown in italic.
Initial Access
Techniques | Mitigation | Detection |
---|---|---|
Exploit Public-Facing Application | - App Isolation & Sandboxing - Exploit Protection - Network Segmentation - Privileged Account Management - Update Software - Vulnerability Scanning | - App Log - Network Traffic |
External Remote Services | - Disable or Remove Feature or Program - Limit Access to Resource Over Network - Multi-factor Authentication - Network Segmentation | - App Log - Network Traffic - Logon Session |
Valid Accounts | - Account Use Policies - Active Directory Configuration - Application Developer Guidance - Password Policies - Privileged Account Management - User Account Management - User Training | - Logon Session - User Account |
Execution
Techniques | Mitigation | Detection |
---|---|---|
Container Administration Command | - Disable or Remove Feature or Program - Execution Prevention - Limit Access to Resource Over Network - Privileged Account Management - User Account Management | - Command Execution - Process Creation |
Deploy Container | - Audit - Limit Access to Resource Over Network - Network Segmentation - User Account Management | - Application Log - Container Creation / Start - Pod Creation / Modification |
Scheduled Task/Job | - Audit - OS configuration - Privileged Account Management - Restrict File and Directory Permissions - User Account Management | - Command Execution - Container Creation - File Creation / Modification - Process Creation - Scheduled Job Creation |
User Execution | - Behavior Prevention on Endpoint - Execution Prevention - Network Intrusion Prevention - Restrict Web-Based Content - User Training | - Application Log - Command Execution - Container Creation / Start - File Creation - Image Creation - Instance Creation / Start - Network Traffic - Process Creation |
Persistence
Techniques | Mitigation | Detection |
---|---|---|
Account Manipulation | - Multi-factor Authentication - Network Segmentation - OS Configuration - Privileged Account Management - User Account Management | - Active Directory - Command Execution - File Modification - Group Modification - Process Creation - User Account Modification |
Create Account | - Multi-factor Authentication - Network Segmentation - OS configuration - Privileged Account Management | - Command Execution - Process Creation - User Account Modification |
Create or Modify System Process | - Audit - Behavior Prevention on Endpoint - Code Signing - Limit Software Installation - OS Configuration - Privileged Account Management - Restrict File and Directory Permissions - Software Configuration - User Account Management | - Command Execution - Container Creation - Driver Load - File Creation / Modification - Process Creation / Execution - Service Creation / Modification - Windows Registry Key Creation / Modification |
External Remote Services | - Disable or Remove Feature or Program - Limit Access to Resource Over Network - Multi-factor Authentication - Network Segmentation | - Application Log - Logon Session - Network Traffic |
Implant Internal Image | - Audit - Code Signing - Privileged Account Management | - Image Creation / Metadata / Modification |
Scheduled Task/Job | - Audit - OS configuration - Privileged Account Management - Restrict File and Directory Permissions - User Account Management | - Command Execution - Container Creation - File Creation / Modification - Process Creation - Scheduled Job Creation |
Valid Accounts | - Account Use Policies - Active Directory Configuration - Application Developer Guidance - Password Policies - Privileged Account Management - User Account Management - User Training | - Logon Session - User Account |
Privilege Escalation
Techniques | Mitigation | Detection |
---|---|---|
Account Manipulation | - Multi-factor Authentication - Network Segmentation - OS configuration - Privileged Account Management - User Account Management | - Active Directory - Command Execution - File Modification - Group Modification - Process Creation - User Account Modification |
Create or Modify System Process | - Audit - Behavior Prevention on Endpoint - Code Signing - Limit Software Installation - OS Configuration - Privileged Account Management - Restrict File and Directory Permissions - Software Configuration - User Account Management | - Command Execution - Container Creation - Driver Load - File Creation / Modification - Process Creation / Execution - Service Creation / Modification - Windows Registry Key Creation / Modification |
Escape to Host | - App Isolation and Sandboxing - Disable or Remove Feature or Program - Execution Prevention - Privileged Account Management | - Container Creation - Kernel - Process Creation / Execution - Volume Modification |
Exploit for Privilege Escalation | - App Isolation and Sandboxing - Execution Prevention - Exploit Protection - Threat Intelligence Program - Update Software | - Driver Load - Process Creation |
Scheduled Task/Job | - Audit - OS configuration - Privileged Account Management - Restrict File and Directory Permissions - User Account Management | - Command Execution - Container Creation - File Creation / Modification - Process Creation - Scheduled Job Creation |
Valid Accounts | - Account Use Policies - Active Directory Configuration - Application Developer Guidance - Password Policies - Privileged Account Management - User Account Management - User Training | - Logon Session - User Account |
Defense Evasion
Techniques | Mitigation | Detection |
---|---|---|
Build Image on Host | - Audit - Limit Access to Resource Over Network - Network Segmentation - Privileged Account Management | - Image Creation - Network Traffic |
Deploy Container | - Audit - Limit Access to Resource Over Network - Network Segmentation - User Account Management | - App Log - Container Creation / Start - Pod Creation / Start |
Impair Defenses | - Audit - Execution Prevention - Restrict File and Directory Permissions - Software Configuration - User Account Management | - Cloud Service Disable (logging) - Cloud Service Modification - Command Execution - Driver Load - File Deletion / Modification - Firewall Disable / Rule Modification - Process Execution / Creation / Termination - Script Execution - Host Status (health) - Service Metadata - User Account - Windows Registry Key Creation / Modification |
Indicator Removal | - Encrypt Sensitive Data - Remote Data Storage - Restrict File and Directory Permissions | - App Log - Command Execution - File Deletion / Metadata / Modification - Firewall Rule Modification - Network Traffic - Process Creation - Scheduled Job Modification - User Account - Windows Registry Key Creation / Modification |
Masquerading | - Antivirus / Antimalware - Behavior Prevention on Endpoint - Code Signing - Execution Prevention - Restrict File and Directory Permissions - User Training | - Command Execution - File Metadata / Modification - Image Metadata - Process Creation - Scheduled Job Metadata - Service Creation / Metadata |
Use Alternative Authentication Material | - Active Directory Configuration - Application Developer Guidance - Audit - Password Policies - Privileged Account Management - User Account Management | - AD Credential Request - Application Log - Logon Session - User Account - Web Credential Usage |
Valid Accounts | - Account Use Policies - Active Directory Configuration - Application Developer Guidance - Password Policies - Privileged Account Management - User Account Management - User Training | - Logon Session - User Account |
Credential Access
Techniques | Mitigation | Detection |
---|---|---|
Brute Force | - Account Use Policies - Multi-Factor Authentication - Password Policies - User Account Management | - App Log - Command Execution - User Account |
Steal Application Token | - Audit - Restrict Web-Based Content - User Account Management - User Training | - Active Directory Object Modification - User Account Modification |
Unsecured Credentials | - Active Directory Configuration - Audit - Encrypt Sensitive Information - Filter Network Traffic - Limit Access to Resource Over Network - OS Configuration - Password Policies - Privileged Account Management - Restrict File and Directory Permissions - Update Software - User Training | - App Log - Command Execution - File Access - Process Creation - User Account - Windows Registry Key Creation / Modification |
Discovery
Techniques | Mitigation | Detection |
---|---|---|
Container and Resource Discovery | - Limit Access to Resource Over Network - Network Segmentation - User Account Management | - Container Enumeration - Pod Enumeration |
Network Service Discovery | - Disable or Remove Feature or Program - Network Intrusion Prevention - Network Segmentation | - Cloud Service Enumeration - Command Execution - Network Traffic |
Permission Group Discovery | N/A | - App Log - Command Execution - Group Enumeration / Metadata - Process Creation |
Lateral Movement
Techniques | Mitigation | Detection |
---|---|---|
Use Alternative Authentication Material | - Active Directory Configuration - Application Developer Guidance - Audit - Password Policies - Privileged Account Management - User Account Management | - AD Credential Request - Application Log - Logon Session - User Account - Web Credential Usage |
Impact
Techniques | Mitigation | Detection |
---|---|---|
Data Destruction | - Data Backup | - Cloud Storage Deletion - Command Execution - File Deletion / Modification - Image Deletion - Instance Deletion - Process Creation - Snapshot Deletion - Volume Deletion |
Endpoint Denial of Service | - Filter Network Traffic | - App Log - Network Traffic - Host Status (health) |
Inhibit System Recovery | - Data Backup - Execution Prevention - OS Configuration - User Account Management | - Cloud Storage Deletion - Command Execution - File Deletion - Process Creation - Service Metadata - Snapshot Deletion - Windows Registry Key Modification |
Network Denial of Service | - Filter Network Traffic | - Network Traffic - Host Status (health) |
Resource Hijacking | N/A | - Command Execution - File Creation - Network Traffic - Process Creation - Host Status (health) |