security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update enterprise att&ck and build docs

Browse Source
This commit is contained in:
Will Urbanski
2021-05-20 12:29:56 -06:00
parent a464b3e144
commit 41d83e93f1
5 changed files with 55755 additions and 11123 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomic_red_team/enterprise-attack.json
+55593 -11122
View File
File diff suppressed because it is too large Load Diff
atomics/T1053.007/T1053.007.md
+75
View File
@@ -0,0 +1,75 @@
# T1053.007 - Container Orchestration Job
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1053/007)
<blockquote>Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in the cluster.(Citation: Threat Matrix for Kubernetes)</blockquote>
## Atomic Tests
- [Atomic Test #1 - ListCronjobs](#atomic-test-1---listcronjobs)
- [Atomic Test #2 - CreateCronjob](#atomic-test-2---createcronjob)
<br/>
## Atomic Test #1 - ListCronjobs
Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
**Supported Platforms:** Linux, macOS
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| namespace | K8s namespace to list | String | default|
#### Attack Commands: Run with `bash`!
```bash
kubectl get cronjobs -n #{namespace}
```
<br/>
<br/>
## Atomic Test #2 - CreateCronjob
Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
**Supported Platforms:** Linux, macOS
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| namespace | K8s namespace to list | String | default|
#### Attack Commands: Run with `bash`!
```bash
kubectl create -f src/cronjob.yaml -n #{namespace}
```
#### Cleanup Commands:
```bash
kubectl delete cronjob art -n #{namespace}
```
<br/>
atomics/T1053.007/T1053.007.yaml
+1 -1
View File
@@ -1,4 +1,4 @@
attack_technique: T8062
attack_technique: T1053.007
display_name: Kubernetes Cronjob
atomic_tests:
- name: ListCronjobs
atomics/T1552.007/T1552.007.md
+40
View File
@@ -0,0 +1,40 @@
# T1552.007 - Container API
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1552/007)
<blockquote>Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)
An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components. </blockquote>
## Atomic Tests
- [Atomic Test #1 - ListSecrets](#atomic-test-1---listsecrets)
<br/>
## Atomic Test #1 - ListSecrets
A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.
**Supported Platforms:** macOS, Linux
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| namespace | K8s namespace to list | String | default|
#### Attack Commands: Run with `bash`!
```bash
kubectl get secrets -n #{namespace}
```
<br/>
atomics/T1609/T1609.md
+46
View File
@@ -0,0 +1,46 @@
# T1609 - Container Administration Command
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1609)
<blockquote>Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)
In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as <code>docker exec</code> to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as <code>kubectl exec</code>.(Citation: Kubectl Exec Get Shell)</blockquote>
## Atomic Tests
- [Atomic Test #1 - ExecIntoContainer](#atomic-test-1---execintocontainer)
<br/>
## Atomic Test #1 - ExecIntoContainer
Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”.
**Supported Platforms:** Linux, macOS
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| namespace | K8s namespace to use | String | default|
| command | Command to run | String | uname|
#### Attack Commands: Run with `bash`!
```bash
kubectl create -f src/busybox.yaml -n #{namespace}
kubectl exec -n #{namespace} busybox -- #{command}
```
#### Cleanup Commands:
```bash
kubectl delete pod busybox -n #{namespace}
```
<br/>