f604928f8f
* updating the atomic
* removing incorrectly added file
64 lines
2.6 KiB
YAML
attack_technique: T1609
display_name: Kubernetes Exec Into Container
atomic_tests:
- name: ExecIntoContainer
  auto_generated_guid: d03bfcd3-ed87-49c8-8880-44bb772dea4b
  description: |
    Attackers who have permissions can run malicious commands in containers in the cluster using the exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu), as a backdoor container and run their malicious code remotely by using “kubectl exec”.
  supported_platforms:
  - containers
  input_arguments:
    namespace:
      description: K8s namespace to use
      type: string
      default: default
    command:
      description: Command to run
      type: string
      default: uname
    path:
      description: Path to busybox.yaml file
      type: string
      default: $PathtoAtomicsFolder/T1609/src/busybox.yaml
  dependencies:
  - description: |
      kubectl must be installed
    get_prereq_command: |
      echo "kubectl must be installed manually"
    prereq_command: |
      which kubectl
  executor:
    command: |
      kubectl create -f #{path} -n #{namespace}
      # wait 3 seconds for the instance to come up
      sleep 3
      kubectl exec -n #{namespace} busybox -- #{command}
    cleanup_command: |
      kubectl delete pod busybox -n #{namespace}
    name: bash
    elevation_required: false
- name: Docker Exec Into Container
  auto_generated_guid: 900e2c49-221b-42ec-ae3c-4717e41e6219
  description: |
    Attackers who have permissions can run malicious commands in containers in the cluster using the exec command (“docker exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu), as a backdoor container and run their malicious code remotely by using “docker exec”. Kinsing (Golang-based malware) was executed with an Ubuntu container entry point that runs shell scripts.
  supported_platforms:
  - containers
  dependencies:
  - description: |
      docker must be installed
    get_prereq_command: |
      if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
    prereq_command: |
      which docker
  executor:
    command: |
      docker build -t t1609 $PathtoAtomicsFolder/T1609/src/
      docker run --name t1609_container --rm -itd t1609 bash /tmp/script.sh
      docker exec -i t1609_container bash -c "cat /tmp/output.txt"
    cleanup_command: |
      docker stop t1609_container
      docker rmi -f t1609:latest
    name: bash
    elevation_required: false
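Both tests above exercise the same defender-visible event: an exec into a running container. On the Kubernetes side the API server records every `kubectl exec` as an audit event on the `pods` resource with subresource `exec` (or `attach`), and the query string of `requestURI` carries the container name and each `command=` argument in argv order. The detector below is an added example, not part of Atomic Red Team or of this file; the field names follow the real Kubernetes audit `Event` schema, but the log lines themselves are constructed for the demo, and the severity rules are the author's own assumption.

```python
import json
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed Kubernetes audit-log lines (JSON, one event per line). The field
# names follow the real audit Event schema; every value is invented for this demo.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {   # exec into the busybox pod, the same action the atomic test above performs
        "auditID": "a1", "stage": "ResponseStarted", "verb": "create",
        "user": {"username": "dev-user"},
        "objectRef": {"resource": "pods", "subresource": "exec",
                      "namespace": "default", "name": "busybox"},
        "requestURI": "/api/v1/namespaces/default/pods/busybox/exec"
                      "?command=uname&container=busybox&stdout=true",
        "responseStatus": {"code": 101},
        "requestReceivedTimestamp": "2024-01-01T10:00:00.000000Z",
    },
    {   # routine pod listing: must not be reported
        "auditID": "a2", "stage": "ResponseComplete", "verb": "list",
        "user": {"username": "dev-user"},
        "objectRef": {"resource": "pods", "namespace": "default"},
        "requestURI": "/api/v1/namespaces/default/pods?limit=500",
        "responseStatus": {"code": 200},
        "requestReceivedTimestamp": "2024-01-01T10:00:01.000000Z",
    },
    {   # exec that RBAC denied (403): no ResponseStarted stage is ever emitted
        "auditID": "a3", "stage": "ResponseComplete", "verb": "create",
        "user": {"username": "ci-bot"},
        "objectRef": {"resource": "pods", "subresource": "exec",
                      "namespace": "prod", "name": "web-0"},
        "requestURI": "/api/v1/namespaces/prod/pods/web-0/exec"
                      "?command=%2Fbin%2Fsh&container=web&stdin=true&tty=true",
        "responseStatus": {"code": 403},
        "requestReceivedTimestamp": "2024-01-01T10:00:02.000000Z",
    },
    {   # interactive shell: one exec yields RequestReceived, then ResponseStarted
        "auditID": "a4", "stage": "RequestReceived", "verb": "create",
        "user": {"username": "dev-user"},
        "objectRef": {"resource": "pods", "subresource": "exec",
                      "namespace": "prod", "name": "web-0"},
        "requestURI": "/api/v1/namespaces/prod/pods/web-0/exec"
                      "?command=%2Fbin%2Fsh&command=-c&command=id&container=web&stdin=true&tty=true",
        "requestReceivedTimestamp": "2024-01-01T10:00:03.000000Z",
    },
    {
        "auditID": "a4", "stage": "ResponseStarted", "verb": "create",
        "user": {"username": "dev-user"},
        "objectRef": {"resource": "pods", "subresource": "exec",
                      "namespace": "prod", "name": "web-0"},
        "requestURI": "/api/v1/namespaces/prod/pods/web-0/exec"
                      "?command=%2Fbin%2Fsh&command=-c&command=id&container=web&stdin=true&tty=true",
        "responseStatus": {"code": 101},
        "requestReceivedTimestamp": "2024-01-01T10:00:03.000000Z",
    },
])

EXEC_SUBRESOURCES = {"exec", "attach"}
SHELLS = {"sh", "bash", "ash", "dash", "zsh"}  # assumption: what counts as "a shell"


def parse_exec_events(audit_log: str) -> List[Dict]:
    """Return one finding per exec/attach request found in the audit log."""
    findings, seen = [], set()
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "pods" or ref.get("subresource") not in EXEC_SUBRESOURCES:
            continue
        # RequestReceived carries no response; later stages of the same auditID
        # describe the same request, so keep only the first stage that has a status.
        if ev.get("stage") == "RequestReceived" or ev["auditID"] in seen:
            continue
        seen.add(ev["auditID"])
        query = parse_qs(urlsplit(ev.get("requestURI", "")).query)
        findings.append({
            "time": ev.get("requestReceivedTimestamp"),
            "user": (ev.get("user") or {}).get("username"),
            "namespace": ref.get("namespace"),
            "pod": ref.get("name"),
            "subresource": ref["subresource"],
            "container": query.get("container", [None])[0],
            "command": query.get("command", []),  # repeated command= params keep argv order
            "tty": query.get("tty", ["false"])[0] == "true",
            "denied": (ev.get("responseStatus") or {}).get("code") == 403,
        })
    return findings


def severity(finding: Dict) -> str:
    """Triage hint (assumed rules): denied attempts low, interactive shells high, rest medium."""
    if finding["denied"]:
        return "low"
    argv0 = finding["command"][0].rsplit("/", 1)[-1] if finding["command"] else ""
    if finding["tty"] or argv0 in SHELLS:
        return "high"
    return "medium"


if __name__ == "__main__":
    for f in parse_exec_events(SAMPLE_AUDIT_LOG):
        print(severity(f).upper(), f["time"], f["user"], f"{f['namespace']}/{f['pod']}",
              f["subresource"], " ".join(f["command"]) or "<attach>")
```

The example only sees what the cluster's audit policy records: `pods/exec` must be logged at `Metadata` level or higher for `requestURI` (and thus the command) to be present. The Docker test has no API-server equivalent; its exec shows up in the Docker daemon's event stream and in host process telemetry instead.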