👩‍💻 Kubenomicon. • Интересный проект в стиле MITRE ATTACK для Kubernetes, который ориентирован на наступательную безопасность. С акцентом на то, как использовать каждую атаку. • Initial access: ➡Using cloud credentials; ➡Compromised image In registry; ➡Kubeconfig file; ➡Application vulnerability; ➡Exposed sensitive interfaces; ➡SSH server running inside container. • Execution: ➡Exec inside container; ➡New container; ➡Application exploit (RCE); ➡Sidecar injection. • Persistence: ➡Backdoor container; ➡Writable hostPath mount; ➡Kubernetes cronjob; ➡Malicious admission controller; ➡Container service account; ➡Static pods. • Privilege escalation: ➡Privileged container; ➡Cluster-admin binding; ➡hostPath mount; ➡Access cloud resources. • Defense evasion: ➡Clear container logs; ➡Delete events; ➡Pod name similarity; ➡Connect from proxy server. • Credential access: ➡List K8S secrets; ➡Access node information; ➡Container service account; ➡Application credentials in configuration files; ➡Access managed identity credentials; ➡Malicious admission controller. • Discovery: ➡Access Kubernetes API server; ➡Access Kubelet API; ➡Network mapping; ➡Exposed sensitive interfaces; ➡Instance Metadata API. • Lateral movement: ➡Access cloud resources; ➡Container service account; ➡Cluster internal networking; ➡Application credentials in configuration files; ➡Writable hostPath mount; ➡CoreDNS poisoning; ➡ARP poisoning and IP spoofing. • Collection: ➡Images from a private registry; ➡Collecting data from pod. • Impact: ➡Data destruction; ➡Resource hijacking; ➡Denial of service. • Fundamentals: ➡Nodes; ➡Services; ➡etcd; ➡RBAC; ➡Kubelet; ➡Namespaces; ➡Secrets; ➡Interesting Files. S.E. ▪️ infosec.work ▪️ VT