T1059.013 Container CLI/API in MITRE ATT&CK Explained

What Is T1059.013 Container CLI/API in MITRE ATT&CK?

T1059.013 Container CLI/API is a sub-technique of Command and Scripting Interpreter (T1059) in the MITRE ATT&CK framework, under the Execution tactic. It refers to the abuse of Command Line Interfaces (CLI) and Application Programming Interfaces (APIs) to manage and interact with containerized environments.

Containers are a fundamental part of modern infrastructure, enabling scalable, isolated environments for application deployment. The CLI provides a command-line interface for managing containers, including actions like starting, stopping, and configuring them, while the API allows programmatic access for remote management and automation of containerized applications. Both interfaces are essential for managing containerized environments and can be leveraged to execute commands, orchestrate workflows, and automate operations across systems.

To read about other sub-techniques of the T1059 Command and Scripting Interpreter technique, you can visit the related hub blog.

Adversary Use of T1059.013 Container CLI/API

Adversaries exploit the CLI and API techniques to gain unauthorized access and control over containerized environments. Containers, which package applications and their dependencies in isolated environments, are commonly used in modern infrastructure due to their scalability and efficiency.

Adversary Use:

• Execution of Malicious Commands: Attackers can use container CLI/API to execute commands within a containerized environment. By interacting with the CLI or API, adversaries can run malicious scripts or deploy payloads within the container to achieve their objectives.
• Lateral Movement: Once inside a container, attackers can use these interfaces to move laterally within the infrastructure. They may attempt to exploit weaknesses in the container's security settings or gain access to other containers or underlying systems.
• Bypass of Security Controls: Many containers may be deployed with minimal security configurations. Adversaries can exploit the CLI/API to bypass or disable security mechanisms, gaining elevated privileges within the container or host system.
• Persistence and Data Exfiltration: Attackers may use container APIs to install backdoors or schedule tasks that maintain access over time. They can also leverage these interfaces to exfiltrate sensitive data from the containerized environment.
• Abuse of Default Permissions: In some cases, containers might be configured with overly permissive API or CLI access, which adversaries can abuse to escalate privileges or execute harmful actions across multiple containers or host systems.

In essence, adversaries utilize the Container CLI/API technique to manipulate containers for a variety of malicious purposes, taking advantage of their inherent flexibility and, at times, insufficiently secured configurations.

Validate Your Defenses Against the Red Report 2026 Threats