T1609: T1609

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 29/03/2021 18:39 · Modified 08/05/2026 11:21

Essential information

MITRE technique ID: T1609
Confidence: 100/100
Revoked: No
Published: 29/03/2021 18:39
Modified: 08/05/2026 11:21
Author / Source: The MITRE Corporation

Aliases

Container Administration Command

Platforms

Containers

Description

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet) In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as `docker exec` to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as `kubectl exec`.(Citation: Kubectl Exec Get Shell)

Kill chain phases

Kill chain	Phase
mitre-attack	execution

Marking (TLP)

External references

Kubernetes API
mitre-attack (T1609)
Kubernetes Kubelet
Kubectl Exec Get Shell
Docker Exec
Docker Daemon CLI
Docker Entrypoint

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (8)

Cloud Werewolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Void Manticore uses COBALT MYSTIQUEHandala Hack

AlienVault Confidence 100

[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TeamTNT uses

The MITRE Corporation Confidence 100

[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Doppelgänger uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAT-5394 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Salt Typhoon uses

The MITRE Corporation Confidence 100

[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky uses Black BansheeVelvet Chollima

The MITRE Corporation Confidence 100

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT28 uses IRON TWILIGHTSNAKEMACKEREL

The MITRE Corporation Confidence 100

[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub…

First seen 01/01/1970 · Last seen 16/11/5138 ·

Malware (18)

MoonPeak uses

Family
Ngioweb uses

Family
Morte uses

Family
Zergeca uses

Family
RondoDox uses

Family
Cl Wiper uses

Family
Siloscape uses
PCPJack uses

Family
XenoRAT uses

Family
SSHDoor uses

Family
Mirai uses

Family
reconshark uses

Family

← Previous

Page / 2

1–12 of 18

How to defend ARM64 cloud infrastructure related

1 CVE 10 MITREs 1 Observable
PCPJack | Cloud Worm Evicts TeamPCP and Steals … related

AlienVault Confidence 100 5 CVEs 24 MITREs 2 Malwares 4 IOCs 4 Observables
MoonPeak malware unveils new details on attacker infrastructure related

20 MITREs 3 Malwares 42 Observables 1 APT
2024 OLYMPICS-THEMED DOMAINS USED FOR CHINESE GAMBLING SITES related

6 MITREs 7 Observables
Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks related

15 MITREs 2 Malwares 64 Observables 1 APT
Increased Activity Against Apache OFBiz CVE-2024-32113 related

1 CVE 3 MITREs 5 Observables
Mid-year Doppelganger information operations in Europe and the … related

19 MITREs 200 Observables 1 APT
Global Outage - Threat Actor Activity and Risk … related

8 MITREs 30 Observables
New Threat: A Deep Dive Into the Zergeca … related

10 MITREs 1 Malware 13 Observables
Attackers exploiting new critical vulnerabilities on Kubernetes clusters related

12 MITREs 6 Observables
Void Manticore Destructive Activities in Israel related

10 MITREs 2 Malwares 1 APT
Romance Scams Urging Investment related

9 MITREs 3 Observables

← Previous

Page / 2

1–12 of 13

Vulnerabilities (CVE) (14)

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2026-46316 targets

9.3 Critical

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased …

Attack vector: LOCAL
Complexity: LOW
EPSS: 0.0002 (P4.8%)
Published: 09/06/2026
Modified: 09/06/2026

Received

CVE-2023-20273 KEV targets

7.2 High

Cisco IOS XE contains a command injection vulnerability in the web user interface. When chained with CVE-2023-20198, the attacker can leverage the …

Attack vector: Network
Published: 23/10/2023
Modified: 21/12/2025

CVE-2025-9501 targets

9.0 Critical

The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute …

Attack vector: NETWORK
Published: 17/11/2025
Modified: 08/05/2026

Awaiting Analysis

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2023-20198 KEV targets

10.0 Critical

Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker …

Attack vector: Network
Published: 16/10/2023
Modified: 21/12/2025

CVE-2026-1357 targets

9.8 Critical

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up …

Attack vector: Network
Published: 11/02/2026
Modified: 08/05/2026

Awaiting Analysis

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2018-0171 KEV targets

9.8 Critical

Cisco IOS and IOS XE Software improperly validates packet data, allowing an unauthenticated, remote attacker to trigger a reload of an affected …

Attack vector: NETWORK
Published: 03/11/2021
Modified: 14/01/2026

CVE-2025-48703 KEV targets

9.0 Critical

CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell …

Attack vector: Network
Published: 04/11/2025
Modified: 08/05/2026

Received

CVE-2025-29927 targets

9.1 Critical

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and …

Attack vector: NETWORK
Published: 21/03/2025
Modified: 21/12/2025

Received

CVE-2024-32113 targets

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users …

Published: 08/05/2024
Modified: 08/05/2024

Awaiting Analysis

← Previous

Page / 2

1–12 of 14

Privileged Account Management mitigates
Execution Prevention mitigates
User Account Management mitigates
Limit Access to Resource Over Network mitigates
Disable or Remove Feature or Program mitigates

Tool (1)

Peirates uses

The MITRE Corporation Confidence 100

[Peirates](https://attack.mitre.org/software/S0683) is a post-exploitation Kubernetes exploitation framework with a focus on gathering service account tokens for lateral movement and privilege escalation. The tool is written in GoLang and…

Contact About Legal notice Privacy policy Terms of use

T1609: T1609

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (8)

Malware (18)

Reports (13)

Vulnerabilities (CVE) (14)

Course Of Action (5)

Tool (1)