attack_technique: T1609
display_name: Kubernetes Exec Into Container
atomic_tests:
- name: ExecIntoContainer
  auto_generated_guid: d03bfcd3-ed87-49c8-8880-44bb772dea4b
  description: |
    Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”.
  supported_platforms:
  - containers
  input_arguments:
    namespace:
      description: K8s namespace to use
      type: string
      default: default
    command:
      description: Command to run
      type: string
      default: uname
    path:
      description: Path to busybox.yaml file
      type: string
      default: $PathtoAtomicsFolder/T1609/src/busybox.yaml  
  dependencies:
  - description: |
      kubectl must be installed
    get_prereq_command: |
      echo "kubectl must be installed manually"
    prereq_command: |
      which kubectl
  executor:
    command: |
      kubectl create -f #{path} -n #{namespace}
      # wait 3 seconds for the instance to come up
      sleep 3
      kubectl exec -n #{namespace} busybox -- #{command}
    cleanup_command: |
      kubectl delete pod busybox -n #{namespace}
    name: bash
    elevation_required: false
- name: Docker Exec Into Container
  auto_generated_guid: 900e2c49-221b-42ec-ae3c-4717e41e6219
  description: |
    Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“docker exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “docker exec”. Kinsing (Golang-based malware) was executed with an Ubuntu container entry point that runs shell scripts.

  supported_platforms:
  - containers
  dependencies:
  - description: |
      docker must be installed
    get_prereq_command: |
      if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
    prereq_command: |
      which docker
  executor:
    command: |
      docker build -t t1609  $PathtoAtomicsFolder/T1609/src/ 
      docker run --name t1609_container --rm -itd t1609 bash /tmp/script.sh
      docker exec -i t1609_container bash -c "cat /tmp/output.txt"
    cleanup_command: |
      docker stop t1609_container
      docker rmi -f t1609:latest 
    name: bash
    elevation_required: false