216.73.216.6

T1609: T1609

View on MITRE ATT&CK The MITRE Corporation · Published 29/03/2021 18:39 · Modified 08/05/2026 11:21

Essential information

MITRE technique ID
T1609
Confidence
100/100
Revoked
No
Published
29/03/2021 18:39
Modified
08/05/2026 11:21
Author / Source
The MITRE Corporation

Aliases

Container Administration Command

Platforms

Containers

Description

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet) In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as `docker exec` to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as `kubectl exec`.(Citation: Kubectl Exec Get Shell)

Kill chain phases

Kill chainPhase
mitre-attack execution

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.