
@kimsyversen
Last active November 20, 2023 14:40
k8s-threat-matrix.md

Tactics

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Impact |
|---|---|---|---|---|---|---|---|---|---|
| Using cloud credentials | Exec into container | Backdoor container | Privileged container | Clear container logs | List K8S secrets | Access Kubernetes API server | Access cloud resources | Images from a private registry | Data destruction |
| Compromised image in registry | bash/cmd inside container | Writable hostPath mount | Cluster-admin binding | Delete K8S events | Mount service principal | Access Kubelet API | Container service account | Collecting data from pod | Resource hijacking |
| Kubeconfig file | New container | Kubernetes CronJob | hostPath mount | Pod / container name similarity | Container service account | Network mapping | Cluster internal networking | | Denial of service |
| Application vulnerability | [Application exploit (RCE)](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/RCE) | Malicious admission controller | Access cloud resources | Connect from proxy server | Application credentials in configuration files | Exposed sensitive interfaces | Application credentials in configuration files | | |
| Exposed sensitive interfaces | SSH server running inside container | Container service account | | | Access managed identity credentials | Instance Metadata API | Writable hostPath mount | | |
| | Sidecar injection | Static pods | | | Malicious admission controller | | CoreDNS poisoning | | |
| | | | | | | | ARP poisoning and IP spoofing | | |

Initial Access

The initial access tactic consists of techniques that are used for gaining access to the resource. In containerized environments, those techniques enable first access to the cluster. This access can be achieved directly via the cluster management layer or, alternatively, by gaining access to a malicious or vulnerable resource that is deployed on the cluster.

| ID | Name |
|---|---|
| MS-TA9001 | Using cloud credentials |
| MS-TA9002 | Compromised image in registry |
| MS-TA9003 | Kubeconfig file |
| MS-TA9004 | Application vulnerability |
| MS-TA9005 | Exposed sensitive interfaces |

Execution

The execution tactic consists of techniques that are used by attackers to run their code inside a cluster.

| ID | Name |
|---|---|
| MS-TA9006 | Exec into container |
| MS-TA9007 | bash/cmd inside container |
| MS-TA9008 | New container |
| MS-TA9009 | Application exploit (RCE) |
| MS-TA9010 | SSH server running inside container |
| MS-TA9011 | Sidecar injection |

Persistence

The persistence tactic consists of techniques that are used by attackers to keep access to the cluster in case their initial foothold is lost.

| ID | Name |
|---|---|
| MS-TA9012 | Backdoor container |
| MS-TA9013 | Writable hostPath mount |
| MS-TA9014 | Kubernetes CronJob |
| MS-TA9015 | Malicious admission controller |
| MS-TA9016 | Container service account |
| MS-TA9017 | Static pods |

Privilege Escalation

The privilege escalation tactic consists of techniques that are used by attackers to get higher privileges in the environment than those they currently have. In containerized environments, this can include getting access to the node from a container, gaining higher privileges in the cluster, and even getting access to the cloud resources.

| ID | Name |
|---|---|
| MS-TA9018 | Privileged container |
| MS-TA9019 | Cluster-admin binding |
| MS-TA9013 | hostPath mount |
| MS-TA9020 | Access cloud resources |

Defense Evasion

The defense evasion tactic consists of techniques that are used by attackers to avoid detection and hide their activity.

| ID | Name |
|---|---|
| MS-TA9021 | Clear container logs |
| MS-TA9022 | Delete K8S events |
| MS-TA9023 | Pod / container name similarity |
| MS-TA9024 | Connect from proxy server |

Credential Access

The credential access tactic consists of techniques that are used by attackers to steal credentials.

In containerized environments, this includes credentials of the running application, identities, secrets stored in the cluster, or cloud credentials.

| ID | Name |
|---|---|
| MS-TA9025 | List K8S secrets |
| MS-TA9026 | Mount service principal |
| MS-TA9016 | Container service account |
| MS-TA9027 | Application credentials in configuration files |
| MS-TA9028 | Access managed identity credentials |
| MS-TA9015 | Malicious admission controller |

Discovery

The discovery tactic consists of techniques that are used by attackers to explore the environment to which they gained access. This exploration helps the attackers to perform lateral movement and gain access to additional resources.

| ID | Name |
|---|---|
| MS-TA9029 | Access Kubernetes API server |
| MS-TA9030 | Access Kubelet API |
| MS-TA9031 | Network mapping |
| MS-TA9005 | Exposed sensitive interfaces |
| MS-TA9033 | Instance Metadata API |

Lateral Movement

The lateral movement tactic consists of techniques that are used by attackers to move through the victim's environment. In containerized environments, this includes gaining access to various resources in the cluster from access to a single container, gaining access to the underlying node from a container, or gaining access to the cloud environment.

| ID | Name |
|---|---|
| MS-TA9020 | Access cloud resources |
| MS-TA9016 | Container service account |
| MS-TA9034 | Cluster internal networking |
| MS-TA9027 | Application credentials in configuration files |
| MS-TA9013 | Writable hostPath mount |
| MS-TA9035 | CoreDNS poisoning |
| MS-TA9036 | ARP poisoning and IP spoofing |

Collection

Collection in Kubernetes consists of techniques that are used by attackers to collect data from the cluster or by using the cluster.

| ID | Name |
|---|---|
| MS-TA9037 | Images from a private registry |
| MS-TA9041 | Collecting data from pod |

Impact

The Impact tactic consists of techniques that are used by attackers to destroy, abuse, or disrupt the normal behavior of the environment.

| ID | Name |
|---|---|
| MS-TA9038 | Data destruction |
| MS-TA9039 | Resource hijacking |
| MS-TA9040 | Denial of service |