Home - Kubenomicon
1.
Initial access
1.1.
Using cloud credentials
1.2.
Compromised image In registry
1.3.
Kubeconfig file
1.4.
Application vulnerability
1.5.
Exposed sensitive interfaces
1.6.
SSH server running inside container
2.
Execution
2.1.
Exec inside container
2.2.
New container
2.3.
Application exploit (RCE) 🔗
2.4.
Sidecar injection
3.
Persistence
3.1.
Backdoor container
3.2.
Writable hostPath mount
3.3.
Kubernetes cronjob
3.4.
Malicious admission controller
3.5.
Container service account 🔗
3.6.
Static pods
4.
Privilege escalation
4.1.
Privileged container
4.2.
Cluster-admin binding
4.3.
hostPath mount 🔗
4.4.
Access cloud resources 🔗
5.
Defense evasion
5.1.
Clear container logs
5.2.
Delete events
5.3.
Pod name similarity
5.4.
Connect from proxy server
6.
Credential access
6.1.
List K8S secrets
6.2.
Access node information
6.3.
Container service account
6.4.
Application credentials in configuration files
6.5.
Access managed identity credentials
6.6.
Malicious admission controller 🔗
7.
Discovery
7.1.
Access Kubernetes API server
7.2.
Access Kubelet API
7.3.
Network mapping
7.4.
Exposed sensitive interfaces 🔗
7.5.
Instance Metadata API 🔗
8.
Lateral movement
8.1.
Access cloud resources 🔗
8.2.
Container service account 🔗
8.3.
Cluster internal networking
8.4.
Application credentials in configuration files 🔗
8.5.
Writable hostPath mount 🔗
8.6.
CoreDNS poisoning
8.7.
ARP poisoning and IP spoofing
9.
Collection
9.1.
Images from a private registry
9.2.
Collecting data from pod
10.
Impact
10.1.
Data destruction
10.2.
Resource hijacking
10.3.
Denial of service
11.
Fundamentals
11.1.
Nodes
11.2.
Services
11.3.
etcd
11.4.
RBAC
11.5.
Kubelet
11.6.
Namespaces
11.7.
Secrets
11.8.
Interesting Files
Contributing
Pentesting Kubernetes
Light
Rust
Coal
Navy
Ayu
The Kubenomicon
Defense evasion
The defense evasion tactic is a few ways that attackers can hide or obfuscate their tracks
Clear Container Logs
Delete Events
Pod Name Similarity
Connect From Proxy Server