2. Malicious Execution on the Kubernetes Cluster – ATT&CK® Matrix
MITRE’s ATT&CK®
Exec into container
Attackers who have permissions can run malicious commands in containers in the cluster using the exec command (“kubectl exec”).
Bash or Cmd inside Container
Attackers use legitimate images, such as an OS image (e.g., Ubuntu), as a backdoor container and run their malicious code remotely by using “kubectl exec”.
New Container
Attackers may try to run their code in the cluster by deploying a container. Attackers who have permissions to deploy a pod or a controller in the cluster (such as a DaemonSet, ReplicaSet, or Deployment) may create a new resource for running their code.
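Both of the paths above (exec into a running container, and creating a new workload to run code) are visible in the Kubernetes API server audit log. The script below is an added example, not part of the ATT&CK matrix page: it scans audit.k8s.io/v1 events (one JSON object per line) for POSTs to the pods/exec subresource and for workload creations by identities outside a hypothetical allow-list of normal controllers. The sample events and the allow-list are constructed for illustration.

```python
"""Detect 'exec into container' and 'new container' in Kubernetes audit logs.

Added example; not code from the page. Assumes audit.k8s.io/v1 events, one JSON
object per line, with the RequestResponse level so that requestObject is present
for create requests. Sample events below are constructed."""
import json
from urllib.parse import parse_qs, urlsplit

# Resources whose creation means "a new container will run" (subset, by assumption).
WORKLOAD_RESOURCES = {"pods", "deployments", "daemonsets", "replicasets", "jobs"}

# Identities expected to create workloads as part of normal operation.
# Hypothetical allow-list for this example; tune it to the cluster.
TRUSTED_CREATORS = {
    "system:serviceaccount:kube-system:replicaset-controller",
    "system:serviceaccount:kube-system:daemon-set-controller",
    "system:serviceaccount:kube-system:deployment-controller",
}


def _images(obj):
    """Container images from a Pod, or from the pod template of a controller."""
    spec = obj.get("spec") or {}
    if "template" in spec:                      # Deployment / DaemonSet / ReplicaSet / Job
        spec = spec["template"].get("spec") or {}
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    return [c.get("image", "<none>") for c in containers]


def classify(event):
    """Return (technique, details) when an audit event matches, else None."""
    # exec is a long-running request: ResponseStarted and ResponseComplete are both
    # logged; keep only the final stage so each request is counted once.
    if event.get("stage") != "ResponseComplete":
        return None
    ref = event.get("objectRef") or {}
    user = (event.get("user") or {}).get("username", "<unknown>")
    code = (event.get("responseStatus") or {}).get("code", 0)
    details = {
        "auditID": event.get("auditID"),
        "user": user,
        "namespace": ref.get("namespace"),
        "name": ref.get("name"),
        "allowed": code < 400,                  # 401/403 = attempted but denied
    }
    # Exec into container: create on the pods/exec subresource; command is in the query.
    if ref.get("resource") == "pods" and ref.get("subresource") == "exec":
        query = parse_qs(urlsplit(event.get("requestURI", "")).query)
        details["container"] = query.get("container", ["<default>"])[0]
        details["command"] = " ".join(query.get("command", []))
        return ("exec-into-container", details)
    # New container: a workload created by someone other than the usual controllers.
    if (event.get("verb") == "create"
            and ref.get("resource") in WORKLOAD_RESOURCES
            and not ref.get("subresource")
            and user not in TRUSTED_CREATORS):
        details["images"] = _images(event.get("requestObject") or {})
        return ("new-container", details)
    return None


def scan(lines):
    """Run classify() over audit log lines; returns the findings in log order."""
    findings = []
    for line in lines:
        if line.strip():
            hit = classify(json.loads(line))
            if hit:
                findings.append(hit)
    return findings


# Constructed sample audit events (not real cluster data).
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseStarted","verb":"create","user":{"username":"alice"},"requestURI":"/api/v1/namespaces/prod/pods/web-7c9/exec?command=sh&command=-c&command=id&container=app&stdin=true&stdout=true&tty=true","objectRef":{"resource":"pods","namespace":"prod","name":"web-7c9","subresource":"exec"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"requestURI":"/api/v1/namespaces/prod/pods/web-7c9/exec?command=sh&command=-c&command=id&container=app&stdin=true&stdout=true&tty=true","objectRef":{"resource":"pods","namespace":"prod","name":"web-7c9","subresource":"exec"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"list","user":{"username":"alice"},"requestURI":"/api/v1/namespaces/prod/pods","objectRef":{"resource":"pods","namespace":"prod"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller"},"requestURI":"/api/v1/namespaces/prod/pods","objectRef":{"resource":"pods","namespace":"prod","name":"web-7c9-x2"},"requestObject":{"spec":{"containers":[{"name":"app","image":"registry.example/web:1.4"}]}},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","verb":"create","user":{"username":"bob"},"requestURI":"/apis/apps/v1/namespaces/prod/daemonsets","objectRef":{"resource":"daemonsets","namespace":"prod","name":"node-helper"},"requestObject":{"spec":{"template":{"spec":{"containers":[{"name":"shell","image":"ubuntu:22.04","command":["sleep","infinity"]}]}}}},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a5","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ci:runner"},"requestURI":"/api/v1/namespaces/prod/pods/web-7c9/exec?command=bash&container=app","objectRef":{"resource":"pods","namespace":"prod","name":"web-7c9","subresource":"exec"},"responseStatus":{"code":403}}
"""

if __name__ == "__main__":
    for technique, d in scan(SAMPLE_AUDIT_LOG.splitlines()):
        print(technique, d)
```

On the constructed sample this reports alice's exec of `sh -c id`, bob's DaemonSet that runs a plain `ubuntu:22.04` image (the OS-image backdoor pattern described above), and a denied exec attempt by a CI service account; the ReplicaSet controller's pod creation is filtered out as expected activity. Denied attempts (403) are kept because a failed exec by a service account that never execs is itself worth an alert.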
Application Exploit
An application deployed in the cluster that is vulnerable to remote code execution allows attackers to run code in the cluster. If the service account is mounted to the container (the default behaviour in Kubernetes), the attacker will be able to send requests to the API server using the service account's credentials.
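The default the text refers to can be turned off per Pod or per ServiceAccount. The function below is an added example, not code from the page: it implements the Kubernetes precedence rule for `automountServiceAccountToken` (the Pod's own setting wins; if it is unset, the ServiceAccount's setting decides; if both are unset the token is mounted) and shows a weak manifest beside its hardened form. The manifests are constructed dicts mirroring the YAML fields; the image name and account names are placeholders.

```python
"""Will a Pod get a service-account token mounted? Weak vs. hardened manifests.

Added example; not code from the page. The precedence rule implemented here is
Kubernetes' own: spec.automountServiceAccountToken on the Pod overrides the same
field on the ServiceAccount, and the default when both are unset is to mount.
Manifests are constructed for illustration."""


def token_mounted(pod, service_accounts):
    """True if the kubelet would mount an API token into this Pod's containers."""
    spec = pod.get("spec") or {}
    if "automountServiceAccountToken" in spec:          # pod-level setting overrides the SA
        return bool(spec["automountServiceAccountToken"])
    sa_name = spec.get("serviceAccountName", "default")  # unset -> the namespace's "default" SA
    sa = service_accounts.get(sa_name) or {}
    return sa.get("automountServiceAccountToken", True)  # default: mounted


def pods_with_token(pods, service_accounts):
    """Names of pods that will receive an API token; each one is a credential an RCE can steal."""
    return [p["metadata"]["name"] for p in pods if token_mounted(p, service_accounts)]


# Constructed ServiceAccount objects, keyed by name (dict form of the YAML).
SERVICE_ACCOUNTS = {
    "default": {},                                       # cluster default: mounts
    "web-sa": {"automountServiceAccountToken": False},   # opt-out at the SA level
}

WEAK_POD = {   # relies on defaults: the "default" SA's token is mounted
    "metadata": {"name": "web-weak"},
    "spec": {"containers": [{"name": "app", "image": "registry.example/web:1.4"}]},
}

HARDENED_POD = {   # explicit opt-out: an RCE in the app finds no API credential
    "metadata": {"name": "web-hardened"},
    "spec": {"automountServiceAccountToken": False,
             "containers": [{"name": "app", "image": "registry.example/web:1.4"}]},
}

SA_OPT_OUT_POD = {   # inherits the opt-out from web-sa
    "metadata": {"name": "web-sa-optout"},
    "spec": {"serviceAccountName": "web-sa",
             "containers": [{"name": "app", "image": "registry.example/web:1.4"}]},
}

OVERRIDE_POD = {   # pod-level True wins over the SA's False: token IS mounted
    "metadata": {"name": "web-override"},
    "spec": {"serviceAccountName": "web-sa", "automountServiceAccountToken": True,
             "containers": [{"name": "app", "image": "registry.example/web:1.4"}]},
}

if __name__ == "__main__":
    pods = [WEAK_POD, HARDENED_POD, SA_OPT_OUT_POD, OVERRIDE_POD]
    print(pods_with_token(pods, SERVICE_ACCOUNTS))
```

Run against exported manifests, the list this returns is the set of workloads where a remote code execution bug becomes an API-server foothold. For workloads that genuinely need the API, keep the mount but bind the ServiceAccount to the narrowest Role that covers its calls; a mounted token with no RBAC bindings is far less useful to an attacker than the default account in a namespace with broad grants.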
SSH Server running inside the container
Attackers may use an SSH server that is running inside a container. If attackers obtain valid credentials for a container, whether by brute force or by other methods (such as phishing), they can use them to get remote access to the container over SSH.