T1543.005: Container Service

Container Service matters because a container runtime or cluster agent can become a persistence and privilege-escalation mechanism, not just an application platform component. If an attacker can create or modify Docker/Podman services, kubelet-adjacent behavior, Kubernetes DaemonSets, or node-targeted pods, they may keep workloads running across restarts or place containers onto selected nodes. For leaders, the key question is whether container administration is governed and monitored like privileged system administration.

Executive priority

Prioritize this where containers or Kubernetes support business-critical services. The risk is operational resilience and privileged access: persistent containers or cluster-wide DaemonSets can survive normal cleanup and may affect current and future nodes. Executives should ask whether container runtime access, Kubernetes workload creation, and node-level scheduling changes are controlled, logged, reviewed, and available as incident evidence.

Technical view

This is a Containers-platform sub-technique under Create or Modify System Process for persistence and privilege escalation. SOC and IR teams should validate visibility into container runtime activity such as Docker or Podman service/container restart behavior, Kubernetes workload creation and modification, DaemonSets, and pod specs that target nodes through nodeSelector or nodeName. Because ATT&CK provides no official detection text, use the related detection strategy DET0473 as direction: look for persistent or elevated container services created through runtime or cluster manipulation, then tune against expected administrative automation.

Likely telemetry

Container runtime logs and events for Docker or Podman container creation, modification, restart policy changes, and privileged runtime use
Host process or command execution records involving container management tools where collected
Kubernetes API server audit logs for DaemonSet, Pod, and workload creation or modification
Kubernetes object state and change history for DaemonSets, pod specs, nodeSelector, and nodeName fields
Node-level service/configuration evidence for container runtime or kubelet-related changes

Detection direction

Confirm whether DET0473-style logic is implemented for persistent or elevated container services rather than assuming generic endpoint rules cover containers.
Baseline legitimate platform automation that creates DaemonSets, restart-always containers, or node-targeted pods to reduce false positives.
Alert on unexpected changes that make containers persistent across restarts or deploy workloads broadly across nodes, especially DaemonSets and explicit node targeting.
Correlate runtime events with identity context: which user, service account, or automation modified the container service or Kubernetes object.
Review blind spots around unmanaged nodes, rootful Docker access, missing Kubernetes audit logging, and container runtime activity that is not forwarded to the SOC.

Mitigation priorities

Apply User Account Management by limiting who can use container runtimes and Kubernetes workload-management capabilities, following least privilege.
Apply Software Configuration controls to harden container runtime, Kubernetes, kubelet, and workload settings against unnecessary persistent or privileged execution paths.
Review and approve DaemonSets, restart policies, node-targeting fields, and systemd-managed container configurations as privileged changes.
Maintain incident-response runbooks for identifying and removing unauthorized persistent containers, DaemonSets, and node-targeted pods.
Use change control and periodic review to ensure container service persistence mechanisms match approved operational requirements.

Analyst notes and limits

The object is a sub-technique of T1543 Create or Modify System Process and is scoped to Containers with persistence and privilege-escalation tactics. Relationship context includes DET0473 as a detection strategy and mitigations M1018 User Account Management and M1054 Software Configuration. The official description supports Docker, Podman, Kubernetes DaemonSets, nodeSelector/nodeName scheduling, and containers configured as systemd services.

ATT&CK does not provide official detection text for this object, and the supplied relationship details do not include full detection logic. Local architecture determines the most important evidence sources, especially whether Kubernetes audit logs, runtime logs, host process telemetry, and configuration history are retained. This take does not assert active exploitation, attribution, or existing detection coverage.

Official MITRE ATT&CK definition

Container Service

Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may be able to achieve persistence or escalate their privileges on a host.

For example, by using the `docker run` or `podman run` command with the `restart=always` directive, a container can be configured to persistently restart on the host.[1] A user with access to the (rootful) docker command may also be able to escalate their privileges on the host.[2]

In Kubernetes environments, DaemonSets allow an adversary to persistently Deploy Containers on all nodes, including ones added later to the cluster.[3][4] Pods can also be deployed to specific nodes using the `nodeSelector` or `nodeName` fields in the pod spec.[5][6]

Note that containers can also be configured to run as Systemd Services.[7][8]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 1 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1543	Create or Modify System Process	This object subtechnique of Create or Modify System Process.

Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1054: Software Configuration Enterprise subtechnique of · Technique T1543: Create or Modify System Process Enterprise detects · Detection Strategy DET0473: Detect persistent or elevated container services via container runtime or cluster manipulation Enterprise mitigates · Mitigation M1018: User Account Management Enterprise

Mitigations

Mitigation direction

M1054: Software Configuration

Software configuration refers to making security-focused adjustments to the settings of applications, middleware, databases, or other software to mitigate potential threats. These changes help reduce the attack surface, enforce best practices, and protect sensitive data. This mitigation can be implemented through the following measures:

Conduct a Security Review of Application Settings:

- Review the software documentation to identify recommended security configurations. - Compare default settings against organizational policies and compliance requirements.

Implement Access Controls and Permissions:

- Restrict access to sensitive features or data within the software. - Enforce least privilege principles for all roles and accounts interacting with the software.

Enable Logging and Monitoring:

- Configure detailed logging for key application events such as authentication failures, configuration changes, or unusual activity. - Integrate logs with a centralized monitoring solution, such as a SIEM.

Update and Patch Software Regularly:

- Ensure the software is kept up-to-date with the latest security patches to address known vulnerabilities. - Use automated patch management tools to streamline the update process.

Disable Unnecessary Features or Services:

- Turn off unused functionality or components that could introduce vulnerabilities, such as debugging interfaces or deprecated APIs.

Test Configuration Changes:

- Perform configuration changes in a staging environment before applying them in production. - Conduct regular audits to ensure that settings remain aligned with security policies.

*Tools for Implementation*

Configuration Management Tools:

- Ansible: Automates configuration changes across multiple applications and environments. - Chef: Ensures consistent application settings through code-based configuration management. - Puppet: Automates software configurations and audits changes for compliance.

Security Benchmarking Tools:

- CIS-CAT: Provides benchmarks and audits for secure software configurations. - Aqua Security Trivy: Scans containerized applications for configuration issues.

Vulnerability Management Solutions:

- Nessus: Identifies misconfigurations and suggests corrective actions.

Logging and Monitoring Tools:

- Splunk: Aggregates and analyzes application logs to detect suspicious activity.

M1018: User Account Management

User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:

Enforcing the Principle of Least Privilege

- Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted. - Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.

Implementing Strong Password Policies

- Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse. - Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks.

Managing Dormant and Orphaned Accounts

- Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits. - Use Case: Eliminates dormant accounts that could be exploited by attackers.

Account Lockout Policies

- Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes. - Use Case: Mitigates automated attack techniques that rely on repeated login attempts.

Multi-Factor Authentication (MFA) for High-Risk Accounts

- Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics. - Use Case: Prevents unauthorized access, even if credentials are stolen.

Restricting Interactive Logins

- Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions. - Use Case: Protects sensitive accounts from misuse or exploitation.

*Tools for Implementation*

Built-in Tools:

- Microsoft Active Directory (AD): Centralized account management and RBAC enforcement. - Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.

Identity and Access Management (IAM) Tools:

- Okta: Centralized user provisioning, MFA, and SSO integration. - Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.

Privileged Account Management (PAM): - CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Feb 15, 2024, 13:41 UTC (UTC+00:00)
Modified: Apr 15, 2025, 22:10 UTC (UTC+00:00)
Raw hash: a24dbbc55e387806...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Apr 15, 2025, 22:10 UTC (UTC+00:00)	Current bundle	`a24dbbc55e38…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
AquaSec TeamTNT 2023

Ofek Itach and Assaf Morag. (2023, July 13). TeamTNT Reemerged with New Aggressive Cloud Campaign. Retrieved February 15, 2024.
Open source URL
[2]
GTFOBins Docker

GTFOBins. (n.d.). docker. Retrieved February 15, 2024.
Open source URL
[3]
Aquasec Kubernetes Attack 2023

Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14, 2023.
Open source URL
[4]
Kubernetes DaemonSet

Kubernetes. (n.d.). DaemonSet. Retrieved February 15, 2024.
Open source URL
[5]
Kubernetes Assigning Pods to Nodes

Kubernetes. (n.d.). Assigning Pods to Nodes. Retrieved February 15, 2024.
Open source URL
[6]
AppSecco Kubernetes Namespace Breakout 2020

Abhisek Datta. (2020, March 18). Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1. Retrieved January 16, 2024.
Open source URL
[7]
Podman Systemd

Valentin Rothberg. (2022, March 16). How to run pods as systemd services with Podman. Retrieved February 15, 2024.
Open source URL
[8]
Docker Systemd

Docker. (n.d.). Start containers automatically. Retrieved February 15, 2024.
Open source URL
[9]
mitre-attack T1543.005
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams