MITRE ATT&CK
TL;DR

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Impact |
---|---|---|---|---|---|---|---|---|---|
Using cloud credentials | Exec into container | Backdoor container | Privileged container | Clear container logs | List K8S secrets | Access the K8S API server | Access cloud resources | Images from a private registry | Data destruction |
Compromised images in registry | bash/cmd inside container | Writable hostPath mount | Cluster-admin binding | Delete K8S events | Mount service principal | Access Kubelet API | Container service account | | Resource hijacking |
Kubeconfig file | New container | Kubernetes CronJob | hostPath mount | Pod / container name similarity | Access container service account | Network mapping | Cluster internal networking | | Denial of service |
Application vulnerability | Application exploit (RCE) | Malicious admission controller | Access cloud resources | Connect from proxy server | Application credentials in configuration files | Access Kubernetes dashboard | Application credentials in configuration files | | |
Exposed dashboard | SSH server running inside container | | | | Access managed identity credentials | Instance Metadata API | Writable volume mounts on the host | | |
Exposed sensitive interfaces | Sidecar injection | | | | Malicious admission controller | | Access Kubernetes dashboard | | |
| | | | | | | Access tiller endpoint | | |
| | | | | | | CoreDNS poisoning | | |
| | | | | | | ARP poisoning and IP spoofing | | |
The MITRE ATT&CK® (Adversarial Tactics, Techniques and Common Knowledge) framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Here we use its Tactics, Techniques, and Procedures (TTPs) to map Kubernetes security risks to the related Kubernetes Goat scenarios.
- Learn more about MITRE ATT&CK framework at https://attack.mitre.org
- Learn more about MITRE ATT&CK framework for Kubernetes at https://microsoft.github.io/Threat-Matrix-for-Kubernetes
Tactic - Initial Access

The initial access tactic consists of techniques that are used for gaining access to the resource. In containerized environments, those techniques enable first access to the cluster. This access can be achieved directly via the cluster management layer or, alternatively, by gaining access to a malicious or vulnerable resource that is deployed on the cluster.

Techniques | Kubernetes Goat Scenarios |
---|---|
Using cloud credentials | |
Compromised image in registry | Attacking private registry |
Kubeconfig file | |
Application vulnerability | SSRF in the Kubernetes (K8S) world; DIND (docker-in-docker) exploitation |
Exposed sensitive interfaces | NodePort exposed services |
Tactic - Execution

The execution tactic consists of techniques that are used by attackers to run their code inside a cluster.

Techniques | Kubernetes Goat Scenarios |
---|---|
Exec into container | Gaining environment information |
bash/cmd inside container | Gaining environment information |
New container | Hacker container preview |
Application exploit (RCE) | DIND (docker-in-docker) exploitation |
SSH server running inside container | |
Sidecar injection | |
Tactic - Persistence

The persistence tactic consists of techniques that are used by attackers to keep access to the cluster in case their initial foothold is lost.

Techniques | Kubernetes Goat Scenarios |
---|---|
Backdoor container | Analyzing crypto miner container |
Writable hostPath mount | Container escape to the host system |
Kubernetes CronJob | Hidden in layers |
Malicious admission controller | |
Container service account | Helm v2 tiller to PwN the cluster - [Deprecated]; RBAC least privileges misconfiguration |
Static pods | |
Tactic - Privilege Escalation

The privilege escalation tactic consists of techniques that are used by attackers to get higher privileges in the environment than those they currently have. In containerized environments, this can include getting access to the node from a container, gaining higher privileges in the cluster, and even getting access to the cloud resources.

Techniques | Kubernetes Goat Scenarios |
---|---|
Privileged container | Container escape to the host system |
Cluster-admin binding | Helm v2 tiller to PwN the cluster - [Deprecated] |
hostPath mount | Container escape to the host system |
Access cloud resources | SSRF in the Kubernetes (K8S) world |
Tactic - Defense Evasion

The defense evasion tactic consists of techniques that are used by attackers to avoid detection and hide their activity.

Techniques | Kubernetes Goat Scenarios |
---|---|
Clear container logs | Container escape to the host system |
Delete K8S events | Helm v2 tiller to PwN the cluster - [Deprecated] |
Pod / container name similarity | Hacker container preview |
Connect from proxy server | |
Tactic - Credential Access

The credential access tactic consists of techniques that are used by attackers to steal credentials. In containerized environments, this includes credentials of the running application, identities, secrets stored in the cluster, or cloud credentials.

Techniques | Kubernetes Goat Scenarios |
---|---|
List K8S secrets | RBAC least privileges misconfiguration |
Mount service principal | |
Container service account | RBAC least privileges misconfiguration |
Application credentials in configuration files | |
Access managed identity credentials | |
Malicious admission controller | |
Tactic - Discovery

The discovery tactic consists of techniques that are used by attackers to explore the environment to which they gained access. This exploration helps the attackers to perform lateral movement and gain access to additional resources.

Techniques | Kubernetes Goat Scenarios |
---|---|
Access Kubernetes API server | KubeAudit - Audit Kubernetes clusters |
Access Kubelet API | Container escape to the host system |
Network mapping | Kubernetes namespaces bypass |
Exposed sensitive interfaces | Kubernetes namespaces bypass; NodePort exposed services |
Instance Metadata API | SSRF in the Kubernetes (K8S) world |
Tactic - Lateral Movement

The lateral movement tactic consists of techniques that are used by attackers to move through the victim's environment. In containerized environments, this includes gaining access to various resources in the cluster from a given access to one container, gaining access to the underlying node from a container, or gaining access to the cloud environment.

Techniques | Kubernetes Goat Scenarios |
---|---|
Access cloud resources | SSRF in the Kubernetes (K8S) world |
Container service account | |
Cluster internal networking | Kubernetes namespaces bypass |
Application credentials in configuration files | |
Writable hostPath mount | Container escape to the host system |
CoreDNS poisoning | |
ARP poisoning and IP spoofing | Kubernetes namespaces bypass |
Tactic - Collection

Collection in Kubernetes consists of techniques that are used by attackers to collect data from the cluster or through using the cluster.

Techniques | Kubernetes Goat Scenarios |
---|---|
Images from a private registry | Attacking private registry |
Collecting data from pod | Gaining environment information |
Tactic - Impact

The impact tactic consists of techniques that are used by attackers to destroy, abuse, or disrupt the normal behavior of the environment.

Techniques | Kubernetes Goat Scenarios |
---|---|
Data destruction | DIND (docker-in-docker) exploitation; Container escape to the host system |
Resource hijacking | DoS the Memory/CPU resources |
Denial of service | DoS the Memory/CPU resources |