MITRE ATT&CK Technique
Credential Access T1552.007
Description

Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components. (Citation: Docker API) (Citation: Kubernetes API)

An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment. (Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components.

Supported Platforms
Containers
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2021-03-31T14:01:52.321Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may gather credentials via APIs within a '
                'containers environment. APIs in these environments, such as '
                'the Docker API and Kubernetes APIs, allow a user to remotely '
                'manage their container resources and cluster '
                'components.(Citation: Docker API)(Citation: Kubernetes API)\n'
                '\n'
                'An adversary may access the Docker API to collect logs that '
                'contain credentials to cloud, container, and various other '
                'resources in the environment.(Citation: Unit 42 Unsecured '
                'Docker Daemons) An adversary with sufficient permissions, '
                "such as via a pod's service account, may also use the "
                'Kubernetes API to retrieve credentials from the Kubernetes '
                'API server. These credentials may include those needed for '
                'Docker API authentication or secrets from Kubernetes cluster '
                'components. ',
 'external_references': [{'external_id': 'T1552.007',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1552/007'},
                         {'description': 'Chen, J.. (2020, January 29). '
                                         "Attacker's Tactics and Techniques in "
                                         'Unsecured Docker Daemons Revealed. '
                                         'Retrieved March 31, 2021.',
                          'source_name': 'Unit 42 Unsecured Docker Daemons',
                          'url': 'https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/'},
                         {'description': 'Docker. (n.d.). Docker Engine API '
                                         'v1.41 Reference. Retrieved March 31, '
                                         '2021.',
                          'source_name': 'Docker API',
                          'url': 'https://docs.docker.com/engine/api/v1.41/'},
                         {'description': 'The Kubernetes Authors. (n.d.). The '
                                         'Kubernetes API. Retrieved March 29, '
                                         '2021.',
                          'source_name': 'Kubernetes API',
                          'url': 'https://kubernetes.io/docs/concepts/overview/kubernetes-api/'}],
 'id': 'attack-pattern--f8ef3a62-3f44-40a4-abca-761ab235c436',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'credential-access'}],
 'modified': '2025-10-24T17:49:38.351Z',
 'name': 'Container API',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Center for Threat-Informed Defense (CTID)',
                          'Jay Chen, Palo Alto Networks',
                          'Yossi Weizman, Azure Defender Research Team'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Containers'],
 'x_mitre_version': '1.2'}