MITRE ATT&CK Matrix for Kubernetes

    Execution

    Overview

    Execution is the second tactic in the matrix. It covers the techniques an attacker uses to run malicious code inside a Kubernetes cluster in pursuit of their objective: starting a new pod, gaining access to a running pod, or exploiting a vulnerability in an application the cluster hosts.

    Exec Into Container

    An attacker could use kubectl exec to run malicious commands remotely inside containers in the cluster. With sufficient permissions, they may also run a legitimate image, such as a base OS image, as a backdoor container from which to execute malicious code and compromise resources within the cluster.

    Bash/CMD Inside Container

    In this technique, an attacker with permissions could run a bash script inside a container to execute malicious code and compromise cluster resources.

    New Container

    A threat actor with permissions may run malicious code in the Kubernetes cluster by deploying a new container. They may create a pod directly, or create a controller such as a Deployment, DaemonSet, or ReplicaSet that creates pods for them, and use that new resource to execute their malicious code and compromise cluster resources.
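    Detecting the three techniques above in practice starts with the API server audit log, since kubectl exec, kubectl attach, kubectl debug and workload creation all pass through the API server. The following added example (not Magalix or MITRE code) classifies audit.k8s.io/v1 events into the Exec Into Container and New Container techniques, recovers the command passed to exec so a bash or sh invocation is visible, and keeps denied (403) attempts alongside allowed ones. The events are constructed for this example; the usernames, namespaces and pod names are made up.

```python
"""Flag Kubernetes API audit events that match the Execution techniques above.

Added example, not Magalix or MITRE code. Reads audit.k8s.io/v1 events as
newline-delimited JSON (the format the API server's log backend writes) and
tags requests that open a shell in a running container (pods/exec,
pods/attach), add an ephemeral debug container to one, or create a new
workload. The sample events are constructed; nothing here is real cluster output.
"""
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# pods subresources that put a new process into an already running pod
FOOTHOLD_SUBRESOURCES = {"exec", "attach", "ephemeralcontainers"}

# resources whose creation results in new containers running in the cluster
WORKLOAD_RESOURCES = {"pods", "deployments", "daemonsets", "replicasets",
                      "statefulsets", "jobs", "cronjobs"}


def _event(user, verb, resource, namespace, name, uri, code, subresource=None):
    """Build one trimmed audit event as a JSON line (constructed test data)."""
    ref = {"resource": resource, "namespace": namespace, "name": name}
    if subresource:
        ref["subresource"] = subresource
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": verb, "user": {"username": user}, "objectRef": ref,
        "requestURI": uri, "responseStatus": {"code": code},
    })


SAMPLE_AUDIT_LOG = "\n".join([
    # interactive bash via kubectl exec, allowed by RBAC (101 = connection upgraded)
    _event("dev-alice", "create", "pods", "payments", "api-7d9f",
           "/api/v1/namespaces/payments/pods/api-7d9f/exec"
           "?command=%2Fbin%2Fbash&container=api&stdin=true&tty=true",
           101, subresource="exec"),
    # new DaemonSet: one container on every node
    _event("ci-deployer", "create", "daemonsets", "kube-system", "node-helper",
           "/apis/apps/v1/namespaces/kube-system/daemonsets", 201),
    # ephemeral (debug) container added to a running pod
    _event("dev-bob", "update", "pods", "payments", "api-7d9f",
           "/api/v1/namespaces/payments/pods/api-7d9f/ephemeralcontainers",
           200, subresource="ephemeralcontainers"),
    # exec attempt denied by RBAC (403): still worth recording as an attempt
    _event("svc-reporting", "create", "pods", "payments", "db-0",
           "/api/v1/namespaces/payments/pods/db-0/exec?command=sh&command=-c&command=id",
           403, subresource="exec"),
    # routine read, not an Execution technique
    _event("dev-alice", "get", "pods", "payments", "api-7d9f",
           "/api/v1/namespaces/payments/pods/api-7d9f", 200),
])


def _exec_command(request_uri: str) -> str:
    """Return the exec command; kubectl sends each argv element as a repeated
    ``command`` query parameter, so the elements are joined back together."""
    return " ".join(parse_qs(urlsplit(request_uri).query).get("command", []))


def classify_event(event: dict) -> Optional[dict]:
    """Map one audit event to an Execution technique, or None if unrelated.

    Only the ResponseComplete stage is considered, so each request counts once
    and the API server's decision (responseStatus) is available.
    """
    if event.get("stage") != "ResponseComplete":
        return None
    ref = event.get("objectRef") or {}
    resource, sub = ref.get("resource"), ref.get("subresource")

    if resource == "pods" and sub in FOOTHOLD_SUBRESOURCES:
        technique = ("Exec Into Container (ephemeral container)"
                     if sub == "ephemeralcontainers" else "Exec Into Container")
    elif event.get("verb") == "create" and resource in WORKLOAD_RESOURCES and not sub:
        technique = "New Container"
    else:
        return None

    code = (event.get("responseStatus") or {}).get("code", 0)
    return {
        "technique": technique,
        "user": (event.get("user") or {}).get("username", "<unknown>"),
        "target": f"{ref.get('namespace', '-')}/{resource}/{ref.get('name', '-')}",
        "command": _exec_command(event.get("requestURI", "")),
        # 1xx/2xx: the API server allowed it; 401/403: a denied attempt
        "allowed": 100 <= code < 300,
    }


def scan_audit_log(text: str) -> list:
    """Run classify_event over newline-delimited JSON audit events."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            hit = classify_event(json.loads(line))
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG):
        status = "ALLOWED" if f["allowed"] else "DENIED"
        print(f"{status:<8}{f['technique']:<44}{f['user']:<14}{f['target']}  {f['command']}")
```

    Denied attempts are kept deliberately: a service account probing pods/exec and receiving 403 is an early signal even though no code ran. The ephemeral-container case is reported under Exec Into Container because it also places a new process inside an existing pod; it requires the audit policy to record the pods/ephemeralcontainers subresource at the Request or Metadata level, as with exec and attach.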

    Application Exploit (RCE)

    An application running in the cluster may contain a vulnerability that allows remote code execution. Attackers can exploit it to run malicious code inside the application's container and, from there, compromise other resources in the cluster, read sensitive data from metadata servers, or cause a denial of service. If a service account token is mounted in the container, they may use those credentials to send requests to the kubelet read-only API server.

    SSH Server Running Inside Container

    An SSH (Secure Shell) server running inside a container gives threat actors an additional way in. If an attacker obtains credentials for that server, for example by brute force or phishing, they can log in to the container remotely to run malicious code and compromise resources.

    Sidecar Injection

    A sidecar is an additional container that runs alongside the main container in a Kubernetes pod and shares the pod's storage and network with it. Attackers may inject a sidecar container into a legitimate pod in the cluster to run their malicious code and hide their activity inside a trusted workload.
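    The three techniques above also leave marks in the workload specification itself, which can be checked before deployment or on a schedule. The following added example (not Magalix or MITRE code) inspects Deployment manifests already parsed into dicts, as kubectl get -o json would return them, and flags pods that still automount a service account token (the credential the RCE paragraph mentions), containers that declare an SSH port, and containers that are not in a per-workload approved baseline, which is how an injected sidecar shows up against a known-good spec. The manifests, baseline, names and images are constructed for this example; a declared port 22 is a heuristic, since a server can listen without declaring a containerPort.

```python
"""Static checks of pod specs for the Execution risks described above.

Added example, not Magalix or MITRE code. Given workload objects parsed into
dicts, flag (1) pods that automount a service account token, (2) containers
that declare an SSH port, and (3) containers absent from the workload's
approved baseline. All manifests and the baseline are constructed test data.
"""
from typing import Dict, List, Set

SSH_PORT = 22

# Constructed baseline: the containers each workload is expected to run.
APPROVED_CONTAINERS: Dict[str, Set[str]] = {
    "payments/api": {"api"},
    "tools/bastion": {"bastion"},
}

# Constructed apps/v1 Deployments, trimmed to the fields the checks read.
SAMPLE_WORKLOADS: List[dict] = [
    {
        "kind": "Deployment",
        "metadata": {"name": "api", "namespace": "payments"},
        "spec": {"template": {"spec": {
            # automountServiceAccountToken omitted: Kubernetes defaults it to true
            "containers": [
                {"name": "api", "image": "registry.example/api:1.4",
                 "ports": [{"containerPort": 8080}]},
                # not in the approved baseline for payments/api
                {"name": "helper", "image": "registry.example/helper:latest"},
            ],
        }}},
    },
    {
        "kind": "Deployment",
        "metadata": {"name": "bastion", "namespace": "tools"},
        "spec": {"template": {"spec": {
            "automountServiceAccountToken": False,
            "containers": [
                {"name": "bastion", "image": "registry.example/bastion:2",
                 "ports": [{"containerPort": 22, "name": "ssh"}]},
            ],
        }}},
    },
]


def pod_spec_of(workload: dict) -> dict:
    """Return the pod spec for a bare Pod or for a controller's pod template."""
    if workload.get("kind") == "Pod":
        return workload.get("spec", {})
    return workload.get("spec", {}).get("template", {}).get("spec", {})


def check_workload(workload: dict) -> List[str]:
    """Return findings for one workload; an empty list means nothing was flagged."""
    meta = workload.get("metadata", {})
    key = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    spec = pod_spec_of(workload)
    findings: List[str] = []

    # Application Exploit (RCE): a mounted token turns code execution in the app
    # into API access. Only the pod-level field is visible here (the ServiceAccount
    # object can also disable it), so an explicit false is required to pass.
    if spec.get("automountServiceAccountToken") is not False:
        findings.append(f"{key}: service account token is automounted "
                        "(set automountServiceAccountToken: false)")

    approved = APPROVED_CONTAINERS.get(key)
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        # SSH Server Running Inside Container: a declared port 22 or a port named
        # "ssh" is a heuristic that an sshd is intended to run in the container.
        for p in c.get("ports", []):
            if p.get("containerPort") == SSH_PORT or p.get("name") == "ssh":
                findings.append(f"{key}: container '{name}' exposes SSH port "
                                f"{p.get('containerPort')}")
        # Sidecar Injection: any container outside the approved baseline.
        if approved is not None and name not in approved:
            findings.append(f"{key}: container '{name}' ({c.get('image')}) "
                            "is not in the approved baseline")
    return findings


def audit(workloads: List[dict]) -> List[str]:
    """Run check_workload over every workload and collect the findings."""
    results: List[str] = []
    for w in workloads:
        results.extend(check_workload(w))
    return results


if __name__ == "__main__":
    for line in audit(SAMPLE_WORKLOADS):
        print(line)
```

    The baseline comparison is the part that catches injection: a sidecar added by a compromised pipeline, a mutating webhook, or a direct patch to the template appears as a container name the baseline does not know. Workloads without a baseline entry are not checked for that rule, so the baseline needs to be populated for every namespace that matters.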