add k8s tests

atomics/T8061/T8061.yaml

@@ -0,0 +1,19 @@
+attack_technique: T8061
+display_name: Kubernetes List Secrets
+atomic_tests:
+- name: ListSecrets
+  auto_generated_guid: 43c3a49d-d15c-45e6-b303-f6e177e44a9a
+  description: |
+    A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.
+  supported_platforms:
+  - kubernetes
+  input_arguments:
+    namespace:
+      description: K8s namespace to list
+      type: String
+      default: default
+  executor:
+    command: |
+      kubectl get secrets -n #{namespace}
+    name: bash
+    elevation_required: false

atomics/T8062/T8062.yaml

@@ -0,0 +1,41 @@
+attack_technique: T8062
+display_name: Kubernetes Cronjob
+atomic_tests:
+- name: ListCronjobs
+  auto_generated_guid: ddfb0bc1-3c3f-47e9-a298-550ecfefacbd
+  description: |
+    Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
+  supported_platforms:
+  - kubernetes
+  - linux
+  - macos
+  input_arguments:
+    namespace:
+      description: K8s namespace to list
+      type: String
+      default: default
+  executor:
+    command: |
+      kubectl get cronjobs -n #{namespace}
+    name: bash
+    elevation_required: false
+- name: CreateCronjob
+  auto_generated_guid: f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3
+  description: |
+    Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
+  supported_platforms:
+  - kubernetes
+  - linux
+  - macos
+  input_arguments:
+    namespace:
+      description: K8s namespace to list
+      type: String
+      default: default
+  executor:
+    command: |
+      kubectl create -f src/cronjob.yaml -n #{namespace}
+    cleanup_command: |
+      kubectl delete cronjob art -n #{namespace}
+    name: bash
+    elevation_required: false

atomics/T8062/src/cronjob.yaml

@@ -0,0 +1,19 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: art
+spec:
+  schedule: "*/1 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: hello
+            image: busybox:stable
+            imagePullPolicy: IfNotPresent
+            command:
+            - /bin/sh
+            - -c
+            - date; echo Hello from Atomic Red Team
+          restartPolicy: OnFailure

atomics/T8063/T8063.yaml

@@ -0,0 +1,27 @@
+attack_technique: T8063
+display_name: Kubernetes Exec Into Container
+atomic_tests:
+- name: ExecIntoContainer
+  auto_generated_guid: d03bfcd3-ed87-49c8-8880-44bb772dea4b
+  description: |
+    Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”.
+  supported_platforms:
+  - linux
+  - macos
+  input_arguments:
+    namespace:
+      description: K8s namespace to use
+      type: String
+      default: default
+    namespace:
+      description: Command to run
+      type: String
+      default: uname
+  executor:
+    command: |
+      kubectl create -f src/busybox.yaml -n #{namespace}
+      kubectl exec -n #{namespace} busybox -- #{command}
+    cleanup_command: |
+      kubectl delete pod busybox -n #{namespace}
+    name: bash
+    elevation_required: false

atomics/T8063/src/busybox.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: busybox
+spec:
+  containers:
+  - name: busybox
+    image: busybox:stable
+    imagePullPolicy: IfNotPresent
+    command:
+    - /bin/sh
+    - -c
+    - while true; do sleep 30; done;
+  restartPolicy: OnFailure