<img src="https://ws.zoominfo.com/pixel/JHVDdRXH2uangmUMQBZd" width="1" height="1" style="display: none;">
weaveworks_logo_headerstrip
magalix_logo_headerstrip

Weaveworks 2022.03 release featuring Magalix PaC | Learn more

MITRE ATT&CK Matrix for Kubernetes

These pages cover what Magalix is, how to get started using it, and reference materials for its features and supported cloud providers.

Get started quickly, and get all your questions answered now!

Talk to an Expert

    Defense Evasion

    MITRE ATTACK - Defense Evasion

    Overview

    This tactic consists of four techniques that attackers may use to conceal their activities and avoid detection. To mitigate the threats engendered by such defense evasion techniques, it’s essential to monitor all Kubernetes pods, including those not created by using a Kubernetes controller.

    Clear Container Logs

    Logs on the container runtime or operating system capture an attacker’s activity within compromised containers. The attacker may delete these logs to prevent their activities from being detected.

    Delete K8s (Kubernetes) Events

    Kubernetes audit logs provide a chronological record of any state changes, failures, and security-relevant activities/changes occurring on the resources in a cluster. This log is a Kubernetes object or “event.” Examples of Kubernetes events include pod scheduling on a node, container creation, and image pull. Attackers may delete these audit logs to avoid detection of their activities in the cluster.

    Pod/Container Name Similarity

    Pods created by controllers such as Deployments or DaemonSets may have a random suffix in their names. Attackers can leverage this possibility to create an unauthorized “backdoor” pod within the cluster and name it with a random suffix. In effect, they obfuscate the presence of this unauthorized pod that can be used to run malicious code or gain access to cluster resources. They may also deploy their containers in the kube-system namespace where the administrative containers reside.

    Connect From Proxy Server

    Attackers may use proxy servers or anonymous networks to hide their IP addresses and conceal their network origin. Often, they use anonymous networks like TOR (The Onion Router) to communicate with applications or the API server.

    arrow