{
    "type": "bundle",
    "id": "bundle--83af10dc-f96a-42a5-9897-7ea55ce2009d",
    "spec_version": "2.0",
    "objects": [
        {
            "modified": "2023-04-15T16:08:50.706Z",
            "name": "Container and Resource Discovery",
            "description": "Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.\n\nThese resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment\u2019s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary\u2019s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution. ",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "discovery"
                }
            ],
            "x_mitre_contributors": [
                "Vishwas Manral, McAfee",
                "Center for Threat-Informed Defense (CTID)",
                "Yossi Weizman, Azure Defender Research Team"
            ],
            "x_mitre_deprecated": false,
            "x_mitre_detection": "Establish centralized logging for the activity of container and Kubernetes cluster components. This can be done by deploying logging agents on Kubernetes nodes and retrieving logs from sidecar proxies for application pods to detect malicious activity at the cluster level.\n\nMonitor logs for actions that could be taken to gather information about container infrastructure, including the use of discovery API calls by new or unexpected users. Monitor account activity logs to see actions performed and activity associated with the Kubernetes dashboard and other web applications. ",
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_platforms": [
                "Containers"
            ],
            "x_mitre_version": "1.1",
            "x_mitre_data_sources": [
                "Container: Container Enumeration",
                "Pod: Pod Enumeration"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--0470e792-32f8-46b0-a351-652bc35e9336",
            "created": "2021-03-31T14:26:00.848Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1613",
                    "external_id": "T1613"
                },
                {
                    "source_name": "Docker API",
                    "description": "Docker. (n.d.). Docker Engine API v1.41 Reference. Retrieved March 31, 2021.",
                    "url": "https://docs.docker.com/engine/api/v1.41/"
                },
                {
                    "source_name": "Kubernetes API",
                    "description": "The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021.",
                    "url": "https://kubernetes.io/docs/concepts/overview/kubernetes-api/"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_attack_spec_version": "3.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
        }
    ]
}