
MITRE ATT&CK Matrix for Kubernetes

These pages cover what Magalix is, how to get started using it, and reference materials for its features and supported cloud providers.


    Persistence

    MITRE ATTACK - Persistence

    Overview

    Attackers use persistence techniques to retain access to a Kubernetes cluster and maintain a presence within it, even if they lose their initial foothold. To do this, they may take advantage of Kubernetes controllers, mount a file to a container, or run recurring Kubernetes jobs.

    Backdoor Container

    An attacker could utilize Kubernetes controllers such as DaemonSets or Deployments to ensure that a constant number of containers is always running on one or all nodes of the cluster, and use those containers to execute malicious code inside the cluster.

    Writeable hostPath Mount

    The hostPath volume mounts a file or directory from the host to the container. If the attacker has permission to create a new container in the cluster, they may do so with a writable hostPath volume. This allows them to persist on the underlying container host, for example, by creating a cron job on the host.

    MITRE ATTACK - Writeable hostPath Mount

    Kubernetes CronJob

    A Kubernetes Job controller creates one or more pods to accomplish a specific task. It also ensures that a specified number of pods terminate successfully. It may be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob creates Jobs on a recurring schedule. An attacker can leverage CronJob to schedule the execution of malicious code, which would run as a container in a cluster.
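    The hostPath and CronJob techniques above both hinge on a pod spec that is wrapped differently depending on the controller (Pod, Deployment, DaemonSet, Job, CronJob). The following added example, not code from Magalix or from MITRE, locates the pod spec inside each workload kind and flags every hostPath volume that a container mounts without `readOnly: true`; the sample manifests are constructed for the example.

```python
from typing import Dict, List

# Where each workload kind keeps its pod spec; DaemonSet/Deployment/CronJob wrap it.
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(manifest: Dict) -> Dict:
    """Return the embedded pod spec, or {} for an unknown kind or missing field."""
    node: Dict = manifest
    for key in POD_SPEC_PATHS.get(manifest.get("kind", ""), ()):
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return {} if node is manifest else node


def writable_hostpath_mounts(manifest: Dict) -> List[str]:
    """Return 'container:mountPath<-hostPath' for each hostPath mount lacking readOnly."""
    spec = pod_spec(manifest)
    host_volumes = {v["name"]: v["hostPath"].get("path", "")
                    for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m.get("name") in host_volumes and not m.get("readOnly", False):
                findings.append(f"{c['name']}:{m['mountPath']}<-{host_volumes[m['name']]}")
    return findings


# Constructed sample manifests, not taken from any real cluster.
SAMPLE_DAEMONSET = {"kind": "DaemonSet", "spec": {"template": {"spec": {
    "volumes": [{"name": "etc", "hostPath": {"path": "/etc"}},
                {"name": "logs", "hostPath": {"path": "/var/log"}}],
    "containers": [{"name": "agent", "volumeMounts": [
        {"name": "etc", "mountPath": "/host/etc"},
        {"name": "logs", "mountPath": "/host/logs", "readOnly": True}]}]}}}}

SAMPLE_CRONJOB = {"kind": "CronJob", "spec": {"schedule": "0 2 * * *", "jobTemplate": {
    "spec": {"template": {"spec": {
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "task", "volumeMounts": [
            {"name": "root", "mountPath": "/host"}]}]}}}}}}

if __name__ == "__main__":
    print([writable_hostpath_mounts(m) for m in (SAMPLE_DAEMONSET, SAMPLE_CRONJOB)])
```

The read-only `/var/log` mount in the DaemonSet is not reported, so the check points at the mounts that give write access to the host rather than at every hostPath use.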

    Malicious Admission Controller

    A threat actor may use a malicious admission controller in Kubernetes to access credentials. One such controller is ValidatingAdmissionWebhook, a generic, built-in controller whose behavior is determined by an admission webhook deployed in the cluster. Attackers may use this webhook to intercept requests to the API server and record the sensitive information they carry, such as secrets.
