diff --git a/docs/reference/attacks/POD_CREATE.md b/docs/reference/attacks/POD_CREATE.md index 0280352d..ceadd949 100644 --- a/docs/reference/attacks/POD_CREATE.md +++ b/docs/reference/attacks/POD_CREATE.md @@ -13,7 +13,7 @@ mitreAttackTactic: TA0002 - Execution Create a pod with significant privilege (`CAP_SYSADMIN`, `hostPath=/`, etc) and schedule on a target node via setting the `nodeName` selector. -| Source | Destination | MITRE | +| Source | Destination | MITRE ATT&CK | | --------------------------------------------- | --------------------------- | ---------------------------------------------------------------------------------------- | | [PermissionSet](../entities/permissionset.md) | [Node](../entities/node.md) | [Container Orchestration Job, T1053.007](https://attack.mitre.org/techniques/T1053/007/) | diff --git a/docs/reference/attacks/POD_EXEC.md b/docs/reference/attacks/POD_EXEC.md index 746169cf..b67ea72c 100644 --- a/docs/reference/attacks/POD_EXEC.md +++ b/docs/reference/attacks/POD_EXEC.md @@ -13,7 +13,7 @@ mitreAttackTactic: TA0002 - Execution With the correct privileges an attacker can use the Kubernetes API to obtain a shell on a running pod. -| Source | Destination | MITRE | +| Source | Destination | MITRE ATT&CK | | --------------------------------------------- | ------------------------- | ------------------------------------------------------------------------------------- | | [PermissionSet](../entities/permissionset.md) | [Pod](../entities/pod.md) | [Container Administration Command, T1609](https://attack.mitre.org/techniques/T1609/) | diff --git a/docs/reference/attacks/POD_PATCH.md b/docs/reference/attacks/POD_PATCH.md index dac34e03..995c8f64 100644 --- a/docs/reference/attacks/POD_PATCH.md +++ b/docs/reference/attacks/POD_PATCH.md 
@@ -13,8 +13,8 @@ mitreAttackTactic: TA0002 - Execution With the correct privileges an attacker can use the Kubernetes API to modify certain properties of an existing pod and achieve code execution within the pod -| Source | Destination | MITRE | -| --------------------------------------------- | ------------------------- | -------------------------------------------------------------------- | +| Source | Destination | MITRE ATT&CK | +| --------------------------------------------- | ------------------------- | ------------------------------------------------------------------------------------- | | [PermissionSet](../entities/permissionset.md) | [Pod](../entities/pod.md) | [Container Administration Command, T1609](https://attack.mitre.org/techniques/T1609/) | ## Details diff --git a/docs/reference/attacks/ROLE_BIND.md b/docs/reference/attacks/ROLE_BIND.md index 8b84dac1..b7ca50e3 100644 --- a/docs/reference/attacks/ROLE_BIND.md +++ b/docs/reference/attacks/ROLE_BIND.md @@ -14,9 +14,9 @@ coverage: Partial A role that grants permission to create or modify `(Cluster)RoleBindings` can allow an attacker to escalate privileges on a compromised user. -| Source | Destination | MITRE | -| ----------------------------------------- | ------------------------------------- |----------------------------------| -| [PermissionSet](../entities/permissionset.md) | [PermissionSet](../entities/permissionset.md) | [Valid Accounts, T1078](https://attack.mitre.org/techniques/T1078/) | +| Source | Destination | MITRE ATT&CK | +| --------------------------------------------- | --------------------------------------------- | ------------------------------------------------------------------- | +| [PermissionSet](../entities/permissionset.md) | [PermissionSet](../entities/permissionset.md) | [Valid Accounts, T1078](https://attack.mitre.org/techniques/T1078/) | !!! warning 
@@ -66,12 +66,12 @@ But, the PermissionSet object is created only if a role is linked by a rolebindi So some of the usecases are not fully covered: -| Usecase #| Coverage | Limitation description| -|------|-------|---------| -| 1 | Full | N/A | -| 2 | Limited | All the PermissionSet that are not namespaced are linked to a single specific namespace. Yet, this attack allow to bind a role to any namespace. Therefore, we would need to create additional PermissionSet for every namespace if we want to fully cover the attack| -| 3 | Full | N/A | -| 4 | None | To cover this usecase, we need duplicate a non-namespaced PermissionSet to a namespace one. | +| Usecase # | Coverage | Limitation description | +| --------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| 1 | Full | N/A | +| 2 | Limited | All the PermissionSet that are not namespaced are linked to a single specific namespace. Yet, this attack allow to bind a role to any namespace. Therefore, we would need to create additional PermissionSet for every namespace if we want to fully cover the attack | +| 3 | Full | N/A | +| 4 | None | To cover this usecase, we need duplicate a non-namespaced PermissionSet to a namespace one. | ### Limitation of the can-i Kubernetes API diff --git a/docs/reference/attacks/SHARE_PS_NAMESPACE.md b/docs/reference/attacks/SHARE_PS_NAMESPACE.md index 7ef2b200..ef109663 100644 --- a/docs/reference/attacks/SHARE_PS_NAMESPACE.md +++ b/docs/reference/attacks/SHARE_PS_NAMESPACE.md 
@@ -11,8 +11,8 @@ mitreAttackTactic: TA0008 - Lateral Movement # SHARE_PS_NAMESPACE -| Source | Destination | MITRE | -| --------------------------- | ------------------------------------- |----------------------------------| +| Source | Destination | MITRE ATT&CK | +| ------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------- | | [Container](../entities/container.md) | [Container](../entities/container.md) | [Taint Shared Content, T1080](https://attack.mitre.org/techniques/T1080/) | Represents a relationship between containers within the same pod that share a process namespace. diff --git a/docs/reference/attacks/TOKEN_BRUTEFORCE.md b/docs/reference/attacks/TOKEN_BRUTEFORCE.md index f4c6b402..5d235ab3 100644 --- a/docs/reference/attacks/TOKEN_BRUTEFORCE.md +++ b/docs/reference/attacks/TOKEN_BRUTEFORCE.md @@ -11,8 +11,8 @@ mitreAttackTactic: TA0006 - Credential Access # TOKEN_BRUTEFORCE -| Source | Destination | MITRE | -| ----------------------------------------- | ------------------------------------- |----------------------------------| +| Source | Destination | MITRE ATT&CK | +| --------------------------------------------- | ----------------------------------- | ----------------------------------------------------------------------------------- | | [PermissionSet](../entities/permissionset.md) | [Identity](../entities/identity.md) | [Steal Application Access Token, T1528](https://attack.mitre.org/techniques/T1528/) | An identity with a role that allows *get* on secrets (vs list) can potentially view all the serviceaccount tokens in a specific namespace or in the whole cluster (with ClusterRole). diff --git a/docs/reference/attacks/TOKEN_LIST.md b/docs/reference/attacks/TOKEN_LIST.md index 4b275776..1ef3b4a7 100644 --- a/docs/reference/attacks/TOKEN_LIST.md +++ b/docs/reference/attacks/TOKEN_LIST.md 
@@ -11,8 +11,8 @@ mitreAttackTactic: TA0006 - Credential Access # TOKEN_LIST -| Source | Destination | MITRE | -| ----------------------------------------- | ------------------------------------- |----------------------------------| +| Source | Destination | MITRE ATT&CK | +| --------------------------------------------- | ----------------------------------- | ----------------------------------------------------------------------------------- | | [PermissionSet](../entities/permissionset.md) | [Identity](../entities/identity.md) | [Steal Application Access Token, T1528](https://attack.mitre.org/techniques/T1528/) | An identity with a role that allows listing secrets can potentially view all the secrets in a specific namespace or in the whole cluster (with ClusterRole). diff --git a/docs/reference/attacks/TOKEN_STEAL.md b/docs/reference/attacks/TOKEN_STEAL.md index 4385041b..61b016e0 100644 --- a/docs/reference/attacks/TOKEN_STEAL.md +++ b/docs/reference/attacks/TOKEN_STEAL.md @@ -11,8 +11,8 @@ mitreAttackTactic: TA0006 - Credential Access # TOKEN_STEAL -| Source | Destination | MITRE | -| ----------------------------------------- | ------------------------------------- |----------------------------------| +| Source | Destination | MITRE ATT&CK | +| ------------------------------- | ----------------------------------- | -------------------------------------------------------------------------- | | [Volume](../entities/volume.md) | [Identity](../entities/identity.md) | [Unsecured Credentials, T1552](https://attack.mitre.org/techniques/T1552/) | This attack represents the ability to steal a K8s API token from an accessible volume. diff --git a/docs/reference/attacks/VOLUME_ACCESS.md b/docs/reference/attacks/VOLUME_ACCESS.md index faa039fb..474b31f8 100644 --- a/docs/reference/attacks/VOLUME_ACCESS.md +++ b/docs/reference/attacks/VOLUME_ACCESS.md 
@@ -11,8 +11,8 @@ mitreAttackTactic: TA0007 - Discovery # VOLUME_ACCESS -| Source | Destination | MITRE | -| ----------------------------------------- | ------------------------------------- |----------------------------------| +| Source | Destination | MITRE ATT&CK | +| -------------------------------- | ------------------------------- | ------------------------------------------------------------------------------------- | | [Node](../entities/container.md) | [Volume](../entities/volume.md) | [Container and Resource Discovery, T1613](https://attack.mitre.org/techniques/T1613/) | Represents an attacker with access to a node filesystem gaining access to any volumes mounted inside a container (by definition). diff --git a/docs/reference/attacks/VOLUME_DISCOVER.md b/docs/reference/attacks/VOLUME_DISCOVER.md index 90a8e348..1a2abe22 100644 --- a/docs/reference/attacks/VOLUME_DISCOVER.md +++ b/docs/reference/attacks/VOLUME_DISCOVER.md @@ -11,8 +11,8 @@ mitreAttackTactic: TA0007 - Discovery # VOLUME_DISCOVER -| Source | Destination | MITRE | -| ----------------------------------------- | ------------------------------------- |----------------------------------| +| Source | Destination | MITRE ATT&CK | +| ------------------------------------- | ------------------------------- | ------------------------------------------------------------------------------------- | | [Container](../entities/container.md) | [Volume](../entities/volume.md) | [Container and Resource Discovery, T1613](https://attack.mitre.org/techniques/T1613/) | Represents an attacker within a container discovering a mounted volume.
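Review bot: the description line in the POD_CREATE.md hunk ("Create a pod with significant privilege (`CAP_SYSADMIN`, `hostPath=/`, etc)") names a capability that does not exist; the Linux capability is `CAP_SYS_ADMIN`. While touching this file, also consider rewording "via setting the `nodeName` selector": `spec.nodeName` is a pod field that pins the pod to a node and bypasses the scheduler, not a selector (`nodeSelector` is a separate mechanism). Both are unchanged context lines, so this can be a follow-up, but it is cheap to fix alongside the header rename.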
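Review bot: the ROLE_BIND.md coverage-table hunk rewrites rows 2 and 4 on the `+` side only to re-align columns and carries the existing grammar errors along; since those lines are already being replaced, fix the wording in the same change: "this attack allow to bind a role to any namespace" should read "this attack allows binding a role to any namespace", and "we need duplicate a non-namespaced PermissionSet to a namespace one" should read "we need to duplicate a non-namespaced PermissionSet into a namespaced one".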
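Review bot: in the VOLUME_ACCESS.md hunk the Source cell reads `[Node](../entities/container.md)`, so the link text says Node but the target is the Container entity page; it should be `[Node](../entities/node.md)`, matching the Node link used in the POD_CREATE.md table. The hunk already replaces the separator row of this table, so correcting the link target here keeps the column widths consistent in one pass instead of needing another re-alignment later.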