
T1552.007: T1552.007

The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/04/2026 16:58

Essential information

MITRE technique ID: T1552.007
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/04/2026 16:58
Author / Source: The MITRE Corporation

Aliases

Container API

Platforms

Containers

Description

Adversaries may gather credentials via APIs within a container environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API) An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components.
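For the Kubernetes case described above, a defender can look for service accounts reading Secrets through the API server. The following is an added detection example, not part of the MITRE entry: it assumes Kubernetes audit logging is enabled and written as one JSON event per line, and every account, namespace and secret name in the sample is constructed.

```python
import json

# Constructed sample events in Kubernetes audit log format (audit.k8s.io/v1),
# one JSON object per line. All account, namespace and secret names are made up.
SAMPLE_AUDIT_LOG = """\
{"verb":"get","user":{"username":"system:serviceaccount:shop:web"},"objectRef":{"resource":"secrets","namespace":"shop","name":"db-creds"},"responseStatus":{"code":200}}
{"verb":"list","user":{"username":"system:serviceaccount:shop:web"},"objectRef":{"resource":"secrets"},"responseStatus":{"code":200}}
{"verb":"get","user":{"username":"system:serviceaccount:shop:web"},"objectRef":{"resource":"secrets","namespace":"kube-system","name":"registry-pull"},"responseStatus":{"code":403}}
{"verb":"list","user":{"username":"alice@example.com"},"objectRef":{"resource":"secrets","namespace":"shop"},"responseStatus":{"code":200}}
{"verb":"get","user":{"username":"system:serviceaccount:shop:web"},"objectRef":{"resource":"pods","namespace":"shop","name":"web-0"},"responseStatus":{"code":200}}
not-json garbage line
"""

SA_PREFIX = "system:serviceaccount:"  # usernames are system:serviceaccount:<ns>:<name>
READ_VERBS = {"get", "list", "watch"}

def find_secret_access(lines):
    """Flag service-account reads of Secrets that go beyond one in-namespace get."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        if not isinstance(event, dict):
            continue
        ref = event.get("objectRef") or {}
        user = (event.get("user") or {}).get("username", "")
        verb = event.get("verb", "")
        if ref.get("resource") != "secrets" or verb not in READ_VERBS:
            continue
        if not user.startswith(SA_PREFIX):
            continue  # this check covers pod service accounts only
        sa_namespace = user[len(SA_PREFIX):].split(":", 1)[0]
        target_ns = ref.get("namespace", "")  # absent on cluster-wide requests
        code = (event.get("responseStatus") or {}).get("code", 0)
        reasons = []
        if verb in {"list", "watch"}:
            reasons.append("bulk-read")        # enumerates every Secret in scope
        if target_ns != sa_namespace:
            reasons.append("cross-namespace")  # reaching outside its own namespace
        if code == 403:
            reasons.append("denied-probe")     # RBAC refused the read
        if reasons:
            findings.append({"account": user, "verb": verb,
                             "namespace": target_ns or "*", "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_secret_access(SAMPLE_AUDIT_LOG.splitlines()):
        print(finding)
```

Controllers that legitimately list Secrets will match the bulk-read rule, so a real deployment needs an allowlist of known service accounts before alerting on it.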

Kill chain phases

Kill chain: mitre-attack
Phase: credential-access

Marking (TLP)

TLP:CLEAR

Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references