Threat actors may deploy a container into an environment to facilitate execution or evade defenses. In some cases, threat actors may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container onto a specific node in order to Escape to Host and access other containers running on that node.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
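Since prevention is limited, detection of the deployment itself matters. The following added example (not part of the original text) audits Kubernetes pod manifests for the settings described above: privileged containers, shared host namespaces, host filesystem mounts, root users and pinning to a specific node. The pod-spec field names are real; the two sample manifests are constructed for illustration.

```python
# Added example: audit pod manifests (dict form of the YAML/JSON) for the risky
# settings an adversary would use when deploying a container to escape to the host.
# The two sample pods below are constructed, not real workloads.

def container_findings(c: dict) -> list:
    """Return human-readable findings for one container spec."""
    name = c.get("name", "<unnamed>")
    sc = c.get("securityContext") or {}
    caps = (sc.get("capabilities") or {}).get("add") or []
    found = []
    if sc.get("privileged"):
        found.append(f"container {name}: privileged=true")
    if sc.get("runAsUser") == 0:
        found.append(f"container {name}: runAsUser=0 (root)")
    if "SYS_ADMIN" in caps or "ALL" in caps:
        found.append(f"container {name}: adds capability {caps}")
    return found

def flag_risky_pod(pod: dict) -> list:
    """Return all findings for a pod manifest; an empty list means nothing flagged."""
    spec = pod.get("spec") or {}
    findings = []
    for ns in ("hostPID", "hostNetwork", "hostIPC"):  # shared host namespaces
        if spec.get(ns):
            findings.append(f"pod shares host namespace: {ns}=true")
    for vol in spec.get("volumes") or []:  # host filesystem exposed to the pod
        if "hostPath" in vol:
            findings.append(f"hostPath volume: {vol['hostPath'].get('path')}")
    if spec.get("nodeName"):  # explicit targeting of one node
        findings.append(f"pod pinned to node {spec['nodeName']}")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        findings.extend(container_findings(c))
    return findings

# Constructed sample manifests for demonstration.
PRIVILEGED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-shell"},
    "spec": {
        "hostPID": True, "nodeName": "worker-1",
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"privileged": True, "runAsUser": 0}}],
    },
}
BENIGN_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "nginx",
                             "securityContext": {"runAsNonRoot": True}}]},
}
```

The same check can run over pod objects pulled from the API server or from admission-webhook requests, where a non-empty result is the alert.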