MITRE ATT&CK Technique
Execution T1609
Description

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet) In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as <code>docker exec</code> to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as <code>kubectl exec</code>.(Citation: Kubectl Exec Get Shell)

Supported Platforms
Containers
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2021-03-29T16:39:26.183Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may abuse a container administration service to '
                'execute commands within a container. A container '
                'administration service such as the Docker daemon, the '
                'Kubernetes API server, or the kubelet may allow remote '
                'management of containers within an environment.(Citation: '
                'Docker Daemon CLI)(Citation: Kubernetes API)(Citation: '
                'Kubernetes Kubelet)\n'
                '\n'
                'In Docker, adversaries may specify an entrypoint during '
                'container deployment that executes a script or command, or '
                'they may use a command such as <code>docker exec</code> to '
                'execute a command within a running container.(Citation: '
                'Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if '
                'an adversary has sufficient permissions, they may gain remote '
                'execution in a container in the cluster via interaction with '
                'the Kubernetes API server, the kubelet, or by running a '
                'command such as <code>kubectl exec</code>.(Citation: Kubectl '
                'Exec Get Shell)',
 'external_references': [{'external_id': 'T1609',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1609'},
                         {'description': 'Docker. (n.d.). Docker Exec. '
                                         'Retrieved March 29, 2021.',
                          'source_name': 'Docker Exec',
                          'url': 'https://docs.docker.com/engine/reference/commandline/exec/'},
                         {'description': 'Docker. (n.d.). Docker run '
                                         'reference. Retrieved March 29, 2021.',
                          'source_name': 'Docker Entrypoint',
                          'url': 'https://docs.docker.com/engine/reference/run/#entrypoint-default-command-to-execute-at-runtime'},
                         {'description': 'Docker. (n.d.). DockerD CLI. '
                                         'Retrieved March 29, 2021.',
                          'source_name': 'Docker Daemon CLI',
                          'url': 'https://docs.docker.com/engine/reference/commandline/dockerd/'},
                         {'description': 'The Kubernetes Authors. (n.d.). Get '
                                         'a Shell to a Running Container. '
                                         'Retrieved March 29, 2021.',
                          'source_name': 'Kubectl Exec Get Shell',
                          'url': 'https://kubernetes.io/docs/tasks/debug-application-cluster/get-shell-running-container/'},
                         {'description': 'The Kubernetes Authors. (n.d.). '
                                         'Kubelet. Retrieved March 29, 2021.',
                          'source_name': 'Kubernetes Kubelet',
                          'url': 'https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/'},
                         {'description': 'The Kubernetes Authors. (n.d.). The '
                                         'Kubernetes API. Retrieved March 29, '
                                         '2021.',
                          'source_name': 'Kubernetes API',
                          'url': 'https://kubernetes.io/docs/concepts/overview/kubernetes-api/'}],
 'id': 'attack-pattern--7b50a1d3-4ca7-45d1-989d-a6503f04bfe1',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'execution'}],
 'modified': '2025-10-24T17:48:59.945Z',
 'name': 'Container Administration Command',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Alfredo Oliveira, Trend Micro',
                          'David Fiser, @anu4is, Trend Micro',
                          'Brad Geesaman, @bradgeesaman',
                          'Center for Threat-Informed Defense (CTID)',
                          'Magno Logan, @magnologan, Trend Micro',
                          'Vishwas Manral, McAfee',
                          'Yossi Weizman, Azure Defender Research Team'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Containers'],
 'x_mitre_version': '1.3'}
Quick Actions
Edit TTP Update from Web
Related Threat Actors (1)
TeamTNT
High
Back to TTPs
Dashboard About