{ "type": "bundle", "id": "bundle--f705966a-53b9-4783-81db-90b7b014864f", "objects": [ { "type": "x-mitre-collection", "spec_version": "2.1", "id": "x-mitre-collection--704a5def-03fc-45c2-8513-e863d808c363", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T08:52:58.000Z", "modified": "2024-05-08T18:23:01.242847Z", "name": "Threat Matrix for Kubernetes", "description": "The purpose of the threat matrix for Kubernetes is to conceptualize the known tactics, techniques, and procedures (TTP) that adversaries may use against Kubernetes environments. Inspired from MITRE ATT&CK, the threat matrix for Kubernetes is designed to give quick insight into a potential TTP that an adversary may be using in their attack campaign. The threat matrix for Kubernetes contains also mitigations specific to Kubernetes environments and attack techniques.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_contents": [ { "object_ref": "x-mitre-tactic--061ef36d-a864-43af-9d9f-3e025b787b32", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "x-mitre-tactic--b0bc713d-f866-4423-b9e5-b65138e68d22", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "x-mitre-tactic--5fe72707-4d7b-47d4-b4ba-64bdbfcb264f", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "x-mitre-tactic--71b0b7b2-4014-47bb-8fb6-ee5f3012b40a", "object_modified": "2022-10-03T12:55:23.000Z" }, { "object_ref": "x-mitre-tactic--2aab1829-6b29-41d3-ab72-76a8a432bb3d", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "x-mitre-tactic--eb106ddf-9e6f-4595-b187-bf7efae5ed2f", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "x-mitre-tactic--b34df19f-9f2b-4faa-884f-facb1cc18a6d", "object_modified": "2022-10-31T06:43:11.000Z" }, { "object_ref": "x-mitre-tactic--0af9ea77-62b6-4b00-8d77-5f42e8ca8ba3", "object_modified": "2022-10-03T12:55:23.000Z" }, { "object_ref": "x-mitre-tactic--d9b42a9d-5e17-47b8-aabf-01c9bbb49e66", 
"object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "x-mitre-tactic--376b02c0-7d36-4112-843c-c63d1f2202e4", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "object_modified": "2023-01-23T19:22:40.000Z" }, { "object_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", "object_modified": "2022-10-27T17:00:14.000Z" }, { "object_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "object_modified": "2022-12-05T07:54:00.000Z" }, { "object_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "object_modified": "2022-12-05T07:54:00.000Z" }, { "object_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "object_modified": "2022-12-05T07:54:00.000Z" }, { "object_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "object_modified": "2022-12-05T07:54:00.000Z" }, { 
"object_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "object_modified": "2022-10-31T06:43:11.000Z" }, { "object_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "object_modified": "2022-12-05T07:54:00.000Z" }, { "object_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "object_modified": "2022-12-05T07:54:00.000Z" }, { "object_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", "object_modified": "2022-12-05T07:54:00.000Z" }, { "object_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "object_modified": "2022-10-25T08:08:39.000Z" }, { "object_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "object_modified": "2022-10-27T17:00:14.000Z" }, { "object_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", "object_modified": "2022-10-25T08:08:39.000Z" }, { "object_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": 
"attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", "object_modified": "2022-10-25T08:08:39.000Z" }, { "object_ref": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "object_modified": "2022-12-05T07:54:00.000Z" }, { "object_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "object_modified": "2022-10-28T11:26:39.000Z" }, { "object_ref": "course-of-action--eed35bd4-2d5d-4da3-8040-699606665dd9", "object_modified": "2024-05-08T15:23:01.114222Z" }, { "object_ref": "relationship--d1675c61-27a2-46f1-b9b9-3da8f9fa7b9f", "object_modified": "2024-05-08T15:23:01.115245Z" }, { "object_ref": "course-of-action--715b7490-951c-4873-beb8-ec514095a186", "object_modified": "2024-05-08T15:23:01.117049Z" }, { "object_ref": "relationship--5b574b6b-a4d0-47e8-8d83-b001e9633fcc", "object_modified": "2024-05-08T15:23:01.117155Z" }, { "object_ref": "course-of-action--1ba7caaa-eb4d-4db9-9552-96712fa207ed", "object_modified": "2024-05-08T15:23:01.119287Z" }, { "object_ref": "relationship--6a676866-90b9-4ac9-81d8-f4fa5b86e958", "object_modified": "2024-05-08T15:23:01.119394Z" }, { "object_ref": "relationship--76657bf1-fa01-4bbc-b869-7fc16c2d8322", "object_modified": "2024-05-08T15:23:01.119485Z" }, { "object_ref": 
"course-of-action--7206f8b8-f7a9-426b-98b0-d6eb177ba6ab", "object_modified": "2024-05-08T15:23:01.121311Z" }, { "object_ref": "relationship--5ad126e4-a6cb-462b-8e7c-33d99a40f953", "object_modified": "2024-05-08T15:23:01.121429Z" }, { "object_ref": "course-of-action--6e041ffe-db6b-446c-8375-11f0dcaa08ef", "object_modified": "2024-05-08T15:23:01.123399Z" }, { "object_ref": "relationship--3e13da7d-4529-42be-832e-5aec578dbd65", "object_modified": "2024-05-08T15:23:01.1235Z" }, { "object_ref": "course-of-action--0223c63f-3d6c-4bf7-abc2-9d4239e49cd0", "object_modified": "2024-05-08T15:23:01.125419Z" }, { "object_ref": "relationship--51444f68-fe63-4319-bbcc-2c09a5c9a834", "object_modified": "2024-05-08T15:23:01.125521Z" }, { "object_ref": "course-of-action--7689d229-1186-4094-ad2c-a91e26a06dd7", "object_modified": "2024-05-08T15:23:01.127841Z" }, { "object_ref": "relationship--3a7acb8c-842c-4448-9109-4fd286ba7bd4", "object_modified": "2024-05-08T15:23:01.127938Z" }, { "object_ref": "relationship--26d9ed03-0515-4527-9566-60c3a63bf48e", "object_modified": "2024-05-08T15:23:01.128015Z" }, { "object_ref": "course-of-action--11c6d64e-5d90-4529-94be-cc473c37f9a5", "object_modified": "2024-05-08T15:23:01.13165Z" }, { "object_ref": "relationship--9cfd33ce-2528-4e82-ab8a-df5174f05c32", "object_modified": "2024-05-08T15:23:01.131768Z" }, { "object_ref": "relationship--61c3b504-1806-4a67-af11-164a1c904f37", "object_modified": "2024-05-08T15:23:01.131862Z" }, { "object_ref": "relationship--30b19dd5-db4d-4c84-8256-c658bce46c93", "object_modified": "2024-05-08T15:23:01.131933Z" }, { "object_ref": "relationship--65208f94-dbff-4d67-9543-a49c72327f9a", "object_modified": "2024-05-08T15:23:01.132001Z" }, { "object_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "object_modified": "2024-05-08T15:23:01.142495Z" }, { "object_ref": "relationship--19f8e6fe-02ed-4095-91a6-92e18df62fe4", "object_modified": "2024-05-08T15:23:01.142614Z" }, { "object_ref": 
"relationship--46c56f83-318c-4e97-b46c-9f3ae3b081fc", "object_modified": "2024-05-08T15:23:01.142694Z" }, { "object_ref": "relationship--059abccd-2bb9-4c26-a720-e2b70fec315c", "object_modified": "2024-05-08T15:23:01.142766Z" }, { "object_ref": "relationship--c25563e5-df67-4eb9-a38e-10cf72433219", "object_modified": "2024-05-08T15:23:01.142835Z" }, { "object_ref": "relationship--56609145-4706-4903-ba25-be7065847487", "object_modified": "2024-05-08T15:23:01.142902Z" }, { "object_ref": "relationship--690fcf22-446b-4d66-a392-62b7cb419180", "object_modified": "2024-05-08T15:23:01.14297Z" }, { "object_ref": "relationship--5cf19607-dffe-4d65-a952-5b76d622c8d8", "object_modified": "2024-05-08T15:23:01.143036Z" }, { "object_ref": "relationship--27423ae4-5d67-41d1-b053-4ff9b63c1eb5", "object_modified": "2024-05-08T15:23:01.143104Z" }, { "object_ref": "relationship--4ba58c15-4a2d-47e7-9148-bbbd0ac1ee71", "object_modified": "2024-05-08T15:23:01.14317Z" }, { "object_ref": "relationship--3fcf3afc-7c69-4425-9015-53926bf23f35", "object_modified": "2024-05-08T15:23:01.143235Z" }, { "object_ref": "relationship--b59f314e-f494-4ca6-9f68-403893c8ad81", "object_modified": "2024-05-08T15:23:01.14331Z" }, { "object_ref": "relationship--5d41b5c6-291f-4418-9033-062d980536f2", "object_modified": "2024-05-08T15:23:01.143382Z" }, { "object_ref": "relationship--aef66010-24c9-469d-9e61-8fd1e364cbef", "object_modified": "2024-05-08T15:23:01.143456Z" }, { "object_ref": "relationship--621981c6-f3b5-4e15-acd8-544647a7e4a9", "object_modified": "2024-05-08T15:23:01.143522Z" }, { "object_ref": "relationship--1be627dd-375b-4c63-b321-a7e84c8c4a6f", "object_modified": "2024-05-08T15:23:01.143588Z" }, { "object_ref": "relationship--30fa1766-baae-4c3a-9257-2eafddc67bf9", "object_modified": "2024-05-08T15:23:01.143661Z" }, { "object_ref": "relationship--45dec0fe-060f-4283-965a-662f5aad46c6", "object_modified": "2024-05-08T15:23:01.143726Z" }, { "object_ref": 
"relationship--ae9aef0c-27d9-475e-b7fb-08332ae5b518", "object_modified": "2024-05-08T15:23:01.143793Z" }, { "object_ref": "relationship--7a103bef-f288-4179-860b-39e0f3a95609", "object_modified": "2024-05-08T15:23:01.143859Z" }, { "object_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", "object_modified": "2024-05-08T15:23:01.147505Z" }, { "object_ref": "relationship--f8a571d5-ea3d-496e-8943-bcfc0103b575", "object_modified": "2024-05-08T15:23:01.14761Z" }, { "object_ref": "relationship--a73b5a9d-acd5-4fea-a45c-482f2a7631bf", "object_modified": "2024-05-08T15:23:01.147691Z" }, { "object_ref": "relationship--41d76943-df71-46e1-af89-a256a85aa9aa", "object_modified": "2024-05-08T15:23:01.147761Z" }, { "object_ref": "relationship--c96c9e19-f90b-467b-9acd-257e04ae50a7", "object_modified": "2024-05-08T15:23:01.147831Z" }, { "object_ref": "relationship--172f7807-6ce2-4b72-839f-c09169437aa3", "object_modified": "2024-05-08T15:23:01.147905Z" }, { "object_ref": "relationship--88b9667b-ed8a-4390-b442-38f6034f65fe", "object_modified": "2024-05-08T15:23:01.147977Z" }, { "object_ref": "relationship--932c3ddb-6fbf-4877-b681-6fa637df55d8", "object_modified": "2024-05-08T15:23:01.148044Z" }, { "object_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", "object_modified": "2024-05-08T15:23:01.151887Z" }, { "object_ref": "relationship--ea20a874-c3f9-44cf-929c-61c793cecbfc", "object_modified": "2024-05-08T15:23:01.151995Z" }, { "object_ref": "relationship--8797c606-b9ba-4cc3-b00a-80bd84cdebb1", "object_modified": "2024-05-08T15:23:01.152075Z" }, { "object_ref": "relationship--32aa3123-080a-443c-b57e-ffd73a50cdb2", "object_modified": "2024-05-08T15:23:01.152147Z" }, { "object_ref": "relationship--1baaa766-7e3e-4c92-bd54-f16bc55d66a4", "object_modified": "2024-05-08T15:23:01.152215Z" }, { "object_ref": "relationship--02aaeb8c-105c-46bc-9349-5c892629abc5", "object_modified": "2024-05-08T15:23:01.152288Z" }, { "object_ref": 
"relationship--4ed2fb12-8fd9-49e4-848e-61cc48626c1f", "object_modified": "2024-05-08T15:23:01.152355Z" }, { "object_ref": "relationship--9ad82aa9-d56b-4a88-8362-fda4c6a2b347", "object_modified": "2024-05-08T15:23:01.152422Z" }, { "object_ref": "course-of-action--91d97c14-a002-47d5-8b73-aadd757ed2d1", "object_modified": "2024-05-08T15:23:01.154072Z" }, { "object_ref": "relationship--c2d01ad0-290e-4a89-ae7c-8560e5e0ce6f", "object_modified": "2024-05-08T15:23:01.154258Z" }, { "object_ref": "course-of-action--817d514e-58a7-4163-b17b-a465f985291e", "object_modified": "2024-05-08T15:23:01.157008Z" }, { "object_ref": "relationship--062c9dc9-2781-4bab-af67-e95556bf14c6", "object_modified": "2024-05-08T15:23:01.157109Z" }, { "object_ref": "relationship--42cedd8a-eaac-4a78-8876-1655bb621c05", "object_modified": "2024-05-08T15:23:01.157188Z" }, { "object_ref": "relationship--b0490e7e-61ae-45e6-b59a-6aeabd80803f", "object_modified": "2024-05-08T15:23:01.157259Z" }, { "object_ref": "course-of-action--0260614b-819f-4d36-b407-e580354969ae", "object_modified": "2024-05-08T15:23:01.159464Z" }, { "object_ref": "relationship--c3ef337b-3a4a-4309-99f1-6ee18355d712", "object_modified": "2024-05-08T15:23:01.159564Z" }, { "object_ref": "relationship--a79d2424-894b-4835-b857-beef9ee7c3ca", "object_modified": "2024-05-08T15:23:01.159642Z" }, { "object_ref": "course-of-action--0ec118e3-21ba-4958-9f5d-f1b6e1f01f45", "object_modified": "2024-05-08T15:23:01.161342Z" }, { "object_ref": "relationship--522c6538-e8a2-4aa7-922c-56c17e658b03", "object_modified": "2024-05-08T15:23:01.161439Z" }, { "object_ref": "course-of-action--b4cebd89-9ab3-4646-92da-956b57101e44", "object_modified": "2024-05-08T15:23:01.163165Z" }, { "object_ref": "relationship--adab1f1e-02de-4dc2-9739-fd7ec60bfa44", "object_modified": "2024-05-08T15:23:01.163263Z" }, { "object_ref": "course-of-action--15d09dcd-c393-4457-b1ca-2bc8d553b6f5", "object_modified": "2024-05-08T15:23:01.165148Z" }, { "object_ref": 
"relationship--6d794426-0ee7-4338-acca-247a712eff03", "object_modified": "2024-05-08T15:23:01.165242Z" }, { "object_ref": "course-of-action--94491ee8-7e32-48f1-85c5-4b87864541ab", "object_modified": "2024-05-08T15:23:01.166941Z" }, { "object_ref": "relationship--36f88ce0-287b-4ce4-b13f-8fe666379a39", "object_modified": "2024-05-08T15:23:01.167037Z" }, { "object_ref": "course-of-action--cf428e21-ea85-4cdb-b4b5-b13f82a1b707", "object_modified": "2024-05-08T15:23:01.16916Z" }, { "object_ref": "relationship--c9bf917c-a264-44c7-ba43-8a1ee750d906", "object_modified": "2024-05-08T15:23:01.169269Z" }, { "object_ref": "relationship--ae8e9fe9-5da8-4f57-89f1-40980305084b", "object_modified": "2024-05-08T15:23:01.169349Z" }, { "object_ref": "course-of-action--11aa8351-d3ce-4944-9be0-da15142d7160", "object_modified": "2024-05-08T15:23:01.171336Z" }, { "object_ref": "relationship--5ee4a054-cb3c-4089-ac69-3a15443614a7", "object_modified": "2024-05-08T15:23:01.171462Z" }, { "object_ref": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", "object_modified": "2024-05-08T15:23:01.174809Z" }, { "object_ref": "relationship--fded3496-f58e-4fa8-976d-23792a584ef7", "object_modified": "2024-05-08T15:23:01.174977Z" }, { "object_ref": "relationship--812e7837-20b0-44ae-a0d1-99d2278c5ea3", "object_modified": "2024-05-08T15:23:01.175071Z" }, { "object_ref": "relationship--67588996-c1c1-4ca6-b8e6-bf148a7ab816", "object_modified": "2024-05-08T15:23:01.175145Z" }, { "object_ref": "relationship--21f02379-2691-4f7b-b04c-3c5b717a47de", "object_modified": "2024-05-08T15:23:01.175219Z" }, { "object_ref": "relationship--c0a1afd7-450a-49aa-9535-fad35b0b8ca5", "object_modified": "2024-05-08T15:23:01.175281Z" }, { "object_ref": "course-of-action--03870e17-f26d-470e-9f22-65a7af305686", "object_modified": "2024-05-08T15:23:01.177457Z" }, { "object_ref": "relationship--436ba6cd-33fb-4799-bcfd-ec9febd3060b", "object_modified": "2024-05-08T15:23:01.17757Z" }, { "object_ref": 
"course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", "object_modified": "2024-05-08T15:23:01.182138Z" }, { "object_ref": "relationship--0ccc5fc7-02fb-4ae4-abdb-1d49359bc079", "object_modified": "2024-05-08T15:23:01.182252Z" }, { "object_ref": "relationship--02bed0a4-ddf4-456e-afeb-6173869b8843", "object_modified": "2024-05-08T15:23:01.182335Z" }, { "object_ref": "relationship--fe7996f1-78aa-4db5-a91f-0431ed0980c1", "object_modified": "2024-05-08T15:23:01.182408Z" }, { "object_ref": "relationship--9bbc5221-f86e-4a12-b517-4ee49a8ee18a", "object_modified": "2024-05-08T15:23:01.182481Z" }, { "object_ref": "relationship--4c290472-432f-4a14-a274-df64e034e145", "object_modified": "2024-05-08T15:23:01.182548Z" }, { "object_ref": "relationship--bc3c5c8b-d241-4510-9784-f8dfb5834759", "object_modified": "2024-05-08T15:23:01.182615Z" }, { "object_ref": "relationship--16ad6a7b-4c9c-4c2d-970f-141c688c62c9", "object_modified": "2024-05-08T15:23:01.182685Z" }, { "object_ref": "relationship--70d230fd-d5a4-467b-879c-ba44e8d3ef7f", "object_modified": "2024-05-08T15:23:01.182751Z" }, { "object_ref": "relationship--e44ea84b-4bd2-48ed-ad5d-01727741d276", "object_modified": "2024-05-08T15:23:01.182821Z" }, { "object_ref": "course-of-action--935920ed-3bfc-4515-8f1a-c9cf6257c137", "object_modified": "2024-05-08T15:23:01.184679Z" }, { "object_ref": "relationship--1b81fd94-ed3d-46cd-8796-67dba801d30b", "object_modified": "2024-05-08T15:23:01.184807Z" }, { "object_ref": "course-of-action--86979444-deb0-48bc-bbcd-112f66c6bf91", "object_modified": "2024-05-08T15:23:01.186864Z" }, { "object_ref": "relationship--1a939bbf-5c4e-413d-afa3-6921cf11638c", "object_modified": "2024-05-08T15:23:01.186967Z" }, { "object_ref": "relationship--fb6883aa-42e3-4061-8c79-3a14b024013e", "object_modified": "2024-05-08T15:23:01.187039Z" }, { "object_ref": "course-of-action--78d2910d-3e63-4580-af21-b83b21a5ecd1", "object_modified": "2024-05-08T15:23:01.189459Z" }, { "object_ref": 
"relationship--d4e8607e-95e0-4e42-9afb-4542e4699a88", "object_modified": "2024-05-08T15:23:01.189559Z" }, { "object_ref": "course-of-action--11ec9a05-7505-45d0-a138-f6144247a52e", "object_modified": "2024-05-08T15:23:01.191318Z" }, { "object_ref": "relationship--90cda620-d637-4dcd-b94a-59a88e04176c", "object_modified": "2024-05-08T15:23:01.191413Z" }, { "object_ref": "course-of-action--cc1b481b-66be-42cb-a987-e8c6889b6160", "object_modified": "2024-05-08T15:23:01.193294Z" }, { "object_ref": "relationship--e2fdd0ef-6d58-4750-bee9-80f39d8694e1", "object_modified": "2024-05-08T15:23:01.193396Z" }, { "object_ref": "course-of-action--6196e3ad-1d3a-4990-b578-801c2d5026a6", "object_modified": "2024-05-08T15:23:01.195159Z" }, { "object_ref": "relationship--1750efbb-f8a6-4f36-8a46-5bec00eaed67", "object_modified": "2024-05-08T15:23:01.195258Z" }, { "object_ref": "course-of-action--6f45e84f-d55f-4b3a-86dd-8ba036c72492", "object_modified": "2024-05-08T15:23:01.19739Z" }, { "object_ref": "relationship--306fd68f-9390-428f-a706-b94fec13a935", "object_modified": "2024-05-08T15:23:01.197569Z" }, { "object_ref": "relationship--b5bab9ed-13d4-4f25-947d-3b5055fef187", "object_modified": "2024-05-08T15:23:01.197647Z" }, { "object_ref": "course-of-action--44d2fefa-6a6f-4771-acd7-b81ebe8646e8", "object_modified": "2024-05-08T15:23:01.2003Z" }, { "object_ref": "relationship--12817f60-cc8e-4dc0-978f-982a926c7884", "object_modified": "2024-05-08T15:23:01.200411Z" }, { "object_ref": "relationship--3a5fbb4b-37c9-4241-95e6-e5bfcbd1d237", "object_modified": "2024-05-08T15:23:01.200497Z" }, { "object_ref": "relationship--c8de37c6-deea-416e-a650-3109ca91b365", "object_modified": "2024-05-08T15:23:01.200566Z" }, { "object_ref": "course-of-action--4d1961ab-4a76-4c14-8580-62452288725e", "object_modified": "2024-05-08T15:23:01.203334Z" }, { "object_ref": "course-of-action--e89ff43f-d691-492c-a3db-8f001ae6287e", "object_modified": "2024-05-08T15:23:01.205914Z" }, { "object_ref": 
"course-of-action--ebddc6a6-263d-457d-aef4-9255c5e153fc", "object_modified": "2024-05-08T15:23:01.209235Z" }, { "object_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", "object_modified": "2024-05-08T15:23:01.213865Z" }, { "object_ref": "relationship--7de0fd47-0ec4-4a60-b21c-2b045b090aae", "object_modified": "2024-05-08T15:23:01.213976Z" }, { "object_ref": "relationship--ac2fd283-0d84-47e7-aaad-c507a043680f", "object_modified": "2024-05-08T15:23:01.214056Z" }, { "object_ref": "relationship--55dda607-c695-48bd-85db-ea51a8c375fc", "object_modified": "2024-05-08T15:23:01.214133Z" }, { "object_ref": "relationship--9b510739-699f-483e-8e27-bad3a4cc8bd4", "object_modified": "2024-05-08T15:23:01.214208Z" }, { "object_ref": "relationship--a908c426-cab6-4007-8f8b-2ae3b3dbe354", "object_modified": "2024-05-08T15:23:01.214286Z" }, { "object_ref": "relationship--9b0ae1d0-00ca-49a6-b481-476afd6db243", "object_modified": "2024-05-08T15:23:01.214357Z" }, { "object_ref": "relationship--42002b19-6fc5-4840-938a-b41d353a58f1", "object_modified": "2024-05-08T15:23:01.214427Z" }, { "object_ref": "relationship--160b7870-ff6f-447e-aae6-ad7257da8dad", "object_modified": "2024-05-08T15:23:01.214493Z" }, { "object_ref": "relationship--c31e800b-e36d-4af6-9eba-6774f2897d89", "object_modified": "2024-05-08T15:23:01.214558Z" }, { "object_ref": "relationship--6a42219b-bcad-4d32-b411-86048a089879", "object_modified": "2024-05-08T15:23:01.214624Z" }, { "object_ref": "relationship--76b13565-9280-4a9b-8b56-a00418f65956", "object_modified": "2024-05-08T15:23:01.214694Z" }, { "object_ref": "relationship--3d8ed52f-5a1b-4bdb-8bae-7c7b5929053a", "object_modified": "2024-05-08T15:23:01.21476Z" }, { "object_ref": "relationship--0470cfde-1acd-4e6d-965b-c2ffe549a10a", "object_modified": "2024-05-08T15:23:01.214825Z" }, { "object_ref": "relationship--eae9cf0e-57b7-421c-86e7-d65c10164263", "object_modified": "2024-05-08T15:23:01.21489Z" }, { "object_ref": 
"relationship--1bdee8d7-0eaf-40d6-947e-5919479b6c7c", "object_modified": "2024-05-08T15:23:01.21497Z" }, { "object_ref": "relationship--b831d0d0-4da9-4b3e-98c7-702ef5c75a1b", "object_modified": "2024-05-08T15:23:01.215036Z" }, { "object_ref": "relationship--412ded4c-b83f-49ee-b96c-f69ec33e4ee7", "object_modified": "2024-05-08T15:23:01.2151Z" }, { "object_ref": "relationship--9b0921fc-31ec-4d29-aa8c-ba904c354e31", "object_modified": "2024-05-08T15:23:01.215168Z" }, { "object_ref": "relationship--8f545287-e6e8-4020-ba06-ef2a8fe49adf", "object_modified": "2024-05-08T15:23:01.215232Z" }, { "object_ref": "x-mitre-matrix--11ac2cbb-ba21-4607-a2e4-16c89a0b09a5", "object_modified": "2024-05-08T18:23:01.229Z" }, { "object_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "object_modified": "2024-02-05T14:00:00.188Z" } ], "x_mitre_version": "0.1" }, { "type": "x-mitre-tactic", "spec_version": "2.1", "id": "x-mitre-tactic--061ef36d-a864-43af-9d9f-3e025b787b32", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T20:26:21.000Z", "modified": "2022-10-28T11:26:39.000Z", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/InitialAccess", "external_id": "MS-T0100" } ], "name": "Initial Access", "description": "The initial access tactic consists of techniques that are used for gaining access to the resource. In containerized environments, those techniques enable first access to the cluster. 
This access can be achieved directly via the cluster management layer or, alternatively, by gaining access to a malicious or vulnerable resource that is deployed on the cluster.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_shortname": "initial-access" }, { "type": "x-mitre-tactic", "spec_version": "2.1", "id": "x-mitre-tactic--b0bc713d-f866-4423-b9e5-b65138e68d22", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T20:26:21.000Z", "modified": "2022-10-28T11:26:39.000Z", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/Execution", "external_id": "MS-T0200" } ], "name": "Execution", "description": "The execution tactic consists of techniques that are used by attackers to run their code inside a cluster.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_shortname": "execution" }, { "type": "x-mitre-tactic", "spec_version": "2.1", "id": "x-mitre-tactic--5fe72707-4d7b-47d4-b4ba-64bdbfcb264f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T20:26:21.000Z", "modified": "2022-10-28T11:26:39.000Z", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/Persistence", "external_id": "MS-T0300" } ], "name": "Persistence", "description": "The persistence tactic consists of techniques that are used by attackers to keep access to the cluster in case their initial foothold is lost.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_shortname": "persistence" }, { "type": "x-mitre-tactic", "spec_version": "2.1", "id": "x-mitre-tactic--71b0b7b2-4014-47bb-8fb6-ee5f3012b40a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T20:26:21.000Z", "modified": "2022-10-03T12:55:23.000Z", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/PrivilegeEscalation", "external_id": "MS-T0400" } ], "name": "Privilege Escalation", "description": "The privilege escalation tactic consists of techniques that are used by attackers to get higher privileges in the environment than those they currently have. In containerized environments, this can include getting access to the node from a container, gaining higher privileges in the cluster, and even getting access to the cloud resources.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_shortname": "privilege-escalation" }, { "type": "x-mitre-tactic", "spec_version": "2.1", "id": "x-mitre-tactic--2aab1829-6b29-41d3-ab72-76a8a432bb3d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T20:26:21.000Z", "modified": "2022-10-28T11:26:39.000Z", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/DefenseEvasion", "external_id": "MS-T0500" } ], "name": "Defense Evasion", "description": "The defense evasion tactic consists of techniques that are used by attackers to avoid detection and hide their activity.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_shortname": "defense-evasion" }, { 
"type": "x-mitre-tactic", "spec_version": "2.1", "id": "x-mitre-tactic--eb106ddf-9e6f-4595-b187-bf7efae5ed2f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T20:26:21.000Z", "modified": "2022-10-28T11:26:39.000Z", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/CredentialAccess", "external_id": "MS-T0600" } ], "name": "Credential Access", "description": "The credential access tactic consists of techniques that are used by attackers to steal credentials.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_shortname": "credential-access" }, { "type": "x-mitre-tactic", "spec_version": "2.1", "id": "x-mitre-tactic--b34df19f-9f2b-4faa-884f-facb1cc18a6d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T20:26:21.000Z", "modified": "2022-10-31T06:43:11.000Z", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/Discovery", "external_id": "MS-T0700" } ], "name": "Discovery", "description": "The discovery tactic consists of techniques that are used by attackers to explore the environment to which they gained access. 
This exploration helps the attackers to perform lateral movement and gain access to additional resources.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_shortname": "discovery" }, { "type": "x-mitre-tactic", "spec_version": "2.1", "id": "x-mitre-tactic--0af9ea77-62b6-4b00-8d77-5f42e8ca8ba3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T20:26:21.000Z", "modified": "2022-10-03T12:55:23.000Z", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/LateralMovement", "external_id": "MS-T0800" } ], "name": "Lateral Movement", "description": "The lateral movement tactic consists of techniques that are used by attackers to move through the victim\u2019s environment. In containerized environments, this includes gaining access to various resources in the cluster from a given access to one container, gaining access to the underlying node from a container, or gaining access to the cloud environment.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_shortname": "lateral-movement" }, { "type": "x-mitre-tactic", "spec_version": "2.1", "id": "x-mitre-tactic--d9b42a9d-5e17-47b8-aabf-01c9bbb49e66", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T20:26:21.000Z", "modified": "2022-10-28T11:26:39.000Z", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/Collection", "external_id": "MS-T0900" } ], "name": "Collection", "description": "Collection in Kubernetes consists of techniques that are used by attackers to collect data from the cluster or through 
using the cluster.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_shortname": "collection" }, { "type": "x-mitre-tactic", "spec_version": "2.1", "id": "x-mitre-tactic--376b02c0-7d36-4112-843c-c63d1f2202e4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T20:26:21.000Z", "modified": "2022-10-28T11:26:39.000Z", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/Impact", "external_id": "MS-T1000" } ], "name": "Impact", "description": "The Impact tactic consists of techniques that are used by attackers to destroy, abuse, or disrupt the normal behavior of the environment.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_shortname": "impact" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2023-01-23T19:22:40.000Z", "name": "Access cloud resources", "description": "If the Kubernetes cluster is deployed in the cloud, in some cases attackers can leverage their access to a single container to get access to other cloud resources outside the cluster. For example, AKS uses several managed identities that are attached to the nodes, for the cluster operation. Similar identities exist also in EKS and GKE (EC2 roles and IAM service accounts, respectively). By default, running pods can retrieve the identities which in some configurations have privileged permissions. 
Therefore, if attackers gain access to a running pod in the cluster, they can leverage the identities to access external cloud resources.\n\nAlso, AKS has an option to authenticate with Azure using a service principal. When this option is enabled, each node stores service principal credentials that are located in /etc/kubernetes/azure.json. AKS uses this service principal to create and manage Azure resources that are needed for the cluster operation. By default, the service principal has contributor permissions in the cluster\u2019s Resource Group. Attackers who get access to this service principal file (by hostPath mount, for example) can use its credentials to access or modify the cloud resources.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" }, { "kill_chain_name": "mitre-attack", "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20cloud%20resources", "external_id": "MS-TA9020" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1078.004" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Bash or cmd inside container", "description": "Attackers who have permissions to run a cmd/bash script inside a container can use it to execute malicious code and compromise cluster resources.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { 
"source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Bash%20or%20cmd%20inside%20container", "external_id": "MS-TA9007" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1059" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-27T17:00:14.000Z", "name": "Cluster-admin binding", "description": "Role-based access control (RBAC) is a key security feature in Kubernetes. RBAC can restrict the allowed actions of the various identities in the cluster. Cluster-admin is a built-in high privileged role in Kubernetes. Attackers who have permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster-admin%20binding", "external_id": "MS-TA9019" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1078.003" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-12-05T07:54:00.000Z", "name": "Privileged 
container", "description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container, or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container", "external_id": "MS-TA9018" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1610" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Access Kubernetes API server", "description": "The Kubernetes API server is the gateway to the cluster. Actions in the cluster are performed by sending various requests to the RESTful API. The status of the cluster, which includes all the components that are deployed on it, can be retrieved by the API server. 
Attackers may send API requests to probe the cluster and get information about containers, secrets, and other resources in the cluster.\n\nIn addition, the Kubernetes API server can also be used to query Role-Based Access Control (RBAC) information such as Roles, ClusterRoles, RoleBindings, ClusterRoleBindings and Service Accounts. Attackers may use this information to discover permissions and access associated with Service Accounts in the cluster and use it to progress towards their attack objectives.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubernetes%20API%20server", "external_id": "MS-TA9029" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1613" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Application credentials in configuration files", "description": "Developers store secrets in the Kubernetes configuration files, such as environment variables in the pod configuration. Such behavior is commonly seen in clusters that are monitored by Microsoft Defender for Cloud. 
Attackers who have access to those configurations, by querying the API server or by accessing those files on the developer\u2019s endpoint, can steal the stored secrets and use them.\n\nUsing those credentials attackers may gain access to additional resources inside and outside the cluster.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20credentials%20in%20configuration%20files", "external_id": "MS-TA9027" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1552" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Data destruction", "description": "Attackers may attempt to destroy data and resources in the cluster. 
This includes deleting deployments, configurations, storage, and compute resources.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction", "external_id": "MS-TA9038" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1485" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-03T20:55:05.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Collecting data from pod", "description": "Using Kubernetes administrative commands, an attacker can collect information from a pod without having to get direct access to that pod. One example of such a command is kubectl cp, which can be used to copy files to and from pods.\n\nAnother example is the Kubelet Checkpoint API, which can be used to create a stateful copy of a running container. Typically a checkpoint contains all memory pages of all processes in the checkpointed container. This means that everything that used to be in memory is now available on the local disk. 
This includes all private data and possibly keys used for encryption.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Collecting%20data%20from%20pod", "external_id": "MS-TA9041" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Denial of service", "description": "Attackers may attempt to perform a denial of service attack, which makes the service unavailable to the legitimate users. 
In container clusters, this includes attempts to block the availability of the containers themselves, the underlying nodes, or the API server.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Denial%20of%20service", "external_id": "MS-TA9040" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1498", "T1499" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Clear container logs", "description": "Attackers may delete the application or OS logs on a compromised container in an attempt to prevent detection of their activity.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Clear%20container%20logs", "external_id": "MS-TA9021" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1070" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-12-05T07:54:00.000Z", 
"name": "Sidecar injection", "description": "A Kubernetes Pod is a group of one or more containers with shared storage and network resources. Sidecar container is a term that is used to describe an additional container that resides alongside the main container. For example, service-mesh proxies are operating as sidecars in the applications\u2019 pods. Attackers can run their code and hide their activity by injecting a sidecar container to a legitimate pod in the cluster instead of running their own separated pod in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20injection", "external_id": "MS-TA9011" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1610" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Access Managed Identity credentials", "description": "Managed identities are identities that are managed by the cloud provider and can be allocated to cloud resources, such as virtual machines. Those identities are used to authenticate with cloud services. The identity\u2019s secret is fully managed by the cloud provider, which eliminates the need to manage the credentials. Applications can obtain the identity\u2019s token by accessing the Instance Metadata Service (IMDS). Attackers who get access to a Kubernetes pod can leverage their access to the IMDS endpoint to get the managed identity\u2019s token. 
With a token, the attackers can access cloud resources.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Managed%20Identity%20credentials", "external_id": "MS-TA9028" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1552.005" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-12-05T07:54:00.000Z", "name": "Kubernetes CronJob", "description": "Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. 
Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Kubernetes%20CronJob", "external_id": "MS-TA9014" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1053.007" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "SSH server running inside container", "description": "SSH server that is running inside a container may be used by attackers. 
If attackers gain valid credentials to a container, whether by brute force attempts or by other methods (such as phishing), they can use them to get remote access to the container over SSH.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container", "external_id": "MS-TA9010" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-12-05T07:54:00.000Z", "name": "New container", "description": "Attackers may attempt to run their code in the cluster by deploying a container. 
Attackers who have permissions to deploy a pod or a controller in the cluster (such as a DaemonSet, ReplicaSet, or Deployment) can create a new resource for running their code.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/New%20container", "external_id": "MS-TA9008" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1610" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-31T06:43:11.000Z", "name": "Exposed sensitive interfaces", "description": "Exposing a sensitive interface to the internet or within a cluster without strong authentication poses a security risk. Some popular cluster management services were not intended to be exposed to the internet, and therefore don\u2019t require authentication by default. Thus, exposing such services to the internet allows unauthenticated access to a sensitive interface which might enable running code or deploying containers in the cluster by a malicious actor. Examples of such interfaces that were seen exploited include Apache NiFi, Kubeflow, Argo Workflows, Weave Scope, and the Kubernetes dashboard.\n\nIn addition, having such services exposed within the cluster network without strong authentication can also allow an attacker to collect information about other workloads deployed to the cluster.\nThe Kubernetes dashboard is an example of such a service that is used for monitoring and managing the Kubernetes cluster. 
The dashboard allows users to perform actions in the cluster using its service account (kubernetes-dashboard) with permissions that are determined by the binding or cluster-binding for this service account. Attackers who gain access to a container in the cluster, can use its network access to the dashboard pod. Consequently, attackers may retrieve information about the various resources in the cluster using the dashboard\u2019s identity.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exposed%20sensitive%20interfaces", "external_id": "MS-TA9005" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1133" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Delete Kubernetes events", "description": "A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster. Example events are a container creation, an image pull, or a pod scheduling on a node.\n\nKubernetes events can be very useful for identifying changes that occur in the cluster. 
Therefore, attackers may want to delete these events (e.g., by using: \u201ckubectl delete events\u2013all\u201d) in an attempt to avoid detection of their activity in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20Kubernetes%20events", "external_id": "MS-TA9022" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1070" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-12-05T07:54:00.000Z", "name": "Writable hostPath mount", "description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. 
For example, the latter can be achieved by creating a cron job on the host.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" }, { "kill_chain_name": "mitre-attack", "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount", "external_id": "MS-TA9013" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1611" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-12-05T07:54:00.000Z", "name": "Mount service principal", "description": "When the cluster is deployed in the cloud, in some cases attackers can leverage their access to a container in the cluster to gain cloud credentials. 
For example, in AKS each node contains service principal credential.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Mount%20service%20principal", "external_id": "MS-TA9026" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1552.001" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Application exploit (RCE)", "description": "An application that is deployed in the cluster and is vulnerable to a remote code execution vulnerability, or a vulnerability that eventually allows code execution, enables attackers to run code in the cluster. 
If a service account token is mounted to the container (the default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account's credentials.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20exploit%20(RCE)", "external_id": "MS-TA9009" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1190" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "List Kubernetes secrets", "description": "A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. 
Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20Kubernetes%20secrets", "external_id": "MS-TA9025" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1552.007" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-12-05T07:54:00.000Z", "name": "ARP poisoning and IP spoofing", "description": "Kubernetes has numerous network plugins (Container Network Interfaces or CNIs) that can be used in the cluster. Kubenet is the basic, and in many cases the default, network plugin. In this configuration, a bridge is created on each node (cbr0) to which the various pods are connected using veth pairs. The fact that cross-pod traffic is through a bridge, a level-2 component, means that performing ARP poisoning in the cluster is possible. Therefore, if attackers get access to a pod in the cluster, they can perform ARP poisoning, and spoof the traffic of other pods. 
By using this technique, attackers can perform several attacks at the network-level which can lead to lateral movements, such as DNS spoofing or stealing cloud identities of other pods (CVE-2021-1677).", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/ARP%20poisoning%20and%20IP%20spoofing", "external_id": "MS-TA9036" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1557" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-25T08:08:39.000Z", "name": "Access Kubelet API", "description": "Kubelet is the Kubernetes agent that is installed on each node. Kubelet is responsible for the proper execution of pods that are assigned to the node. Kubelet exposes a read-only API service that does not require authentication (TCP port 10255). Attackers with network access to the host (for example, via running code on a compromised container) can send API requests to the Kubelet API. Specifically querying https://[NODE IP]:10255/pods/ retrieves the running pods on the node. 
https://[NODE IP]:10255/spec/ retrieves information about the node itself, such as CPU and memory consumption.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubelet%20API", "external_id": "MS-TA9030" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1613" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-27T17:00:14.000Z", "name": "Kubeconfig file", "description": "The kubeconfig file, also used by kubectl, contains details about Kubernetes clusters including their location and credentials. 
If the cluster is hosted as a cloud service (such as AKS or GKE), this file is downloaded to the client via cloud commands (e.g., az aks get-credentials for AKS or gcloud container clusters get-credentials for GKE).\n\nIf attackers get access to this file, for instance via a compromised client, they can use it for accessing the clusters.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Kubeconfig%20file", "external_id": "MS-TA9003" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T18:11:12.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Container service account", "description": "A Service Account (SA) represents an application identity in Kubernetes. By default, a Service Account access token is mounted to every created pod in the cluster and containers in the pod can send requests to the Kubernetes API server using the Service Account credentials. Attackers who get access to a pod can access the Service Account token (located in /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster, according to the Service Account permissions. If RBAC is not enabled, the Service Account has unlimited permissions in the cluster. 
If RBAC is enabled, its permissions are determined by the RoleBindings / ClusterRoleBindings that are associated with it.\n\nAn attacker who gets access to the Service Account token can also authenticate and access the Kubernetes API server from outside the cluster and maintain access to the cluster.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "lateral-movement" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Container%20service%20account", "external_id": "MS-TA9016" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1528" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Exec into container", "description": "Attackers who have permissions can run malicious commands in containers in the cluster using the exec command (\u201ckubectl exec\u201d). 
In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using \u201ckubectl exec\u201d.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container", "external_id": "MS-TA9006" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1609" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Network mapping", "description": "Attackers may try to map the cluster network to get information on the running applications, including scanning for known vulnerabilities. By default, there is no restriction on pods communication in Kubernetes. 
Therefore, attackers who gain access to a single container, may use it to probe the network.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Network%20mapping", "external_id": "MS-TA9031" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1046" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-25T08:08:39.000Z", "name": "Instance Metadata API", "description": "Cloud providers provide instance metadata service for retrieving information about the virtual machine, such as network configuration, disks, and SSH public keys. This service is accessible to the VMs via a non-routable IP address that can be accessed from within the VM only. Attackers who gain access to a container, may query the metadata API service for getting information about the underlying node. 
For example, in Azure, the following request would retrieve all the metadata information of an instance: http:///metadata/instance?api-version=2019-06-01", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Instance%20Metadata%20API", "external_id": "MS-TA9033" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1552.005" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Resource hijacking", "description": "Attackers may abuse a compromised resource for running tasks. A common abuse is to use compromised resources for running digital currency mining. 
Attackers who have access to a container in the cluster or have permissions to create new containers may use them for such activity.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Resource%20hijacking", "external_id": "MS-TA9039" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1496" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Compromised image In registry", "description": "Running a compromised image in a cluster can compromise the cluster. Attackers who get access to a private registry can plant their own compromised images in the registry. The latter can then be pulled by a user. 
In addition, users often use untrusted images from public registries (such as Docker Hub) that may be malicious.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Compromised%20image%20In%20registry", "external_id": "MS-TA9002" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1195.002", "T1525" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Using cloud credentials", "description": "In cases where the Kubernetes cluster is deployed in a public cloud (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to cluster takeover. 
Attackers who have access to the cloud account credentials can get access to the cluster\u2019s management layer.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Using%20cloud%20credentials", "external_id": "MS-TA9001" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1078.004" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-03T08:10:16.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Static pods", "description": "Static Pods are created and managed by the kubelet daemon on each node, without the API server observing them. 
Kubelet watches each static pod and restarts it if it fails.\n\nKubelet automatically tries to create a mirror pod on the Kubernetes API server to represent each static pod, so it will be visible on the API server; however, the pods cannot be controlled from there.\n\nStatic Pods are created based on web-hosted or local filesystem YAML files which kubelet observes for changes.\nAn attacker can use the static pods manifest file to ensure that a pod is always running on a cluster node and prevent it from being changed or deleted from the Kubernetes API server.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Static%20pods", "external_id": "MS-TA9017" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-25T08:08:39.000Z", "name": "CoreDNS poisoning", "description": "CoreDNS is a modular Domain Name System (DNS) server written in Go, hosted by the Cloud Native Computing Foundation (CNCF). CoreDNS is the main DNS service that is being used in Kubernetes. The configuration of CoreDNS can be modified by a file named corefile. In Kubernetes, this file is stored in a ConfigMap object, located in the kube-system namespace. 
If attackers have permissions to modify the ConfigMap, for example by using the container\u2019s service account, they can change the behavior of the cluster\u2019s DNS, poison it, and take the network identity of other services.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/CoreDNS%20poisoning", "external_id": "MS-TA9035" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1557" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Pod or container name similarity", "description": "Pods that are created by controllers such as Deployment or DaemonSet have a random suffix in their names. Attackers can use this fact and name their backdoor pods as if they were created by the existing controllers. 
For example, an attacker could create a malicious pod named coredns-{random suffix} which would look related to the CoreDNS Deployment.\n\nAlso, attackers can deploy their containers in the kube-system namespace where the administrative containers reside.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarity", "external_id": "MS-TA9023" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1036.005" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Connect from proxy server", "description": "Attackers may use proxy servers to hide their origin IP. Specifically, attackers often use anonymous networks such as TOR for their activity. 
This can be used for communicating with the applications themselves or with the API server.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Connect%20from%20proxy%20server", "external_id": "MS-TA9024" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1090" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Malicious admission controller", "description": "An admission controller is a Kubernetes component that intercepts, and possibly modifies, requests to the Kubernetes API server. There are two types of admission controllers: validating and mutating controllers. As the name implies, a mutating admission controller can modify the intercepted request and change its properties. Kubernetes has a built-in generic admission controller named MutatingAdmissionWebhook. The behavior of this admission controller is determined by an admission webhook that the user deploys in the cluster. Attackers can use such webhooks for gaining persistence in the cluster. 
For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Malicious%20admission%20controller", "external_id": "MS-TA9015" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1546" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Application vulnerability", "description": "Running a public-facing vulnerable application in a cluster can enable initial access to the cluster. A container that runs an application that is vulnerable to a remote code execution (RCE) vulnerability may be exploited. 
If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20vulnerability", "external_id": "MS-TA9004" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1190" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Cluster internal networking", "description": "Kubernetes networking behavior allows traffic between pods in the cluster as a default behavior. 
Attackers who gain access to a single container may use it for network reachability to another container in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster%20internal%20networking", "external_id": "MS-TA9034" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1210" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-12-05T07:54:00.000Z", "name": "Backdoor container", "description": "Attackers run their malicious code in a container in the cluster. 
By using the Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers run in one, or all, the nodes in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Backdoor%20container", "external_id": "MS-TA9012" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1543" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", "name": "Images from a private registry", "description": "The images that are running in the cluster can be stored in a private registry. For pulling those images, the container runtime engine (such as Docker or containerd) needs to have valid credentials to those registries. If the registry is hosted by the cloud provider, in services like Azure Container Registry (ACR) or Amazon Elastic Container Registry (ECR), cloud credentials are used to authenticate to the registry. If attackers get access to the cluster, in some cases they can obtain access to the private registry and pull its images. For example, attackers can use the managed identity token as described in the \u201cAccess managed identity credential\u201d technique. 
Similarly, in EKS, attackers can use the AmazonEC2ContainerRegistryReadOnly policy that is bound by default to the node\u2019s IAM role.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Images%20from%20a%20private%20registry", "external_id": "MS-TA9037" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ "T1530" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" ], "x_mitre_version": "1.0" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--eed35bd4-2d5d-4da3-8040-699606665dd9", "created": "2024-05-08T15:23:01.114222Z", "modified": "2024-05-08T15:23:01.114222Z", "name": "Restrict the usage of unauthenticated APIs in the cluster", "description": "Some unmanaged clusters are misconfigured such that anonymous access is accepted by the Kubernetes API server. 
Make sure that the Kubernetes API server is configured properly and that authentication and authorization mechanisms are in place.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9021%20Restrict%20the%20usage%20of%20unauthenticated%20APIs%20in%20the%20cluster/", "external_id": "MS-M9021" } ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d1675c61-27a2-46f1-b9b9-3da8f9fa7b9f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.115245Z", "modified": "2024-05-08T15:23:01.115245Z", "description": "Some unmanaged clusters are misconfigured such that anonymous access is accepted by the Kubernetes API server", "relationship_type": "mitigates", "source_ref": "course-of-action--eed35bd4-2d5d-4da3-8040-699606665dd9", "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--715b7490-951c-4873-beb8-ec514095a186", "created": "2024-05-08T15:23:01.117049Z", "modified": "2024-05-08T15:23:01.117049Z", "name": "Use CNIs that are not prone to ARP poisoning", "description": "Kubernetes default CNI (Kubenet) is prone to ARP poisoning. 
This allows pods to impersonate other pods in the cluster.\nUse alternative CNIs that are not prone to ARP poisoning in the cluster.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9028%20Use%20CNIs%20that%20are%20not%20prone%20to%20ARP%20poisoning/", "external_id": "MS-M9028" } ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5b574b6b-a4d0-47e8-8d83-b001e9633fcc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.117155Z", "modified": "2024-05-08T15:23:01.117155Z", "description": "Kubernetes default CNI (Kubenet) is prone to ARP poisoning", "relationship_type": "mitigates", "source_ref": "course-of-action--715b7490-951c-4873-beb8-ec514095a186", "target_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--1ba7caaa-eb4d-4db9-9552-96712fa207ed", "created": "2024-05-08T15:23:01.119287Z", "modified": "2024-05-08T15:23:01.119287Z", "name": "Allocate specific identities to pods", "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity. This prevents other pods from accessing cloud identities that are not necessary for their operation. 
The features that implement this separation are: Azure AD Pod Identity (AKS), Azure AD Workload identity (AKS), IRSA (EKS) and GCP Workload Identity (GCP).", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9019%20Allocate%20specific%20identities%20to%20pods/", "external_id": "MS-M9019" } ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6a676866-90b9-4ac9-81d8-f4fa5b86e958", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.119394Z", "modified": "2024-05-08T15:23:01.119394Z", "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity", "relationship_type": "mitigates", "source_ref": "course-of-action--1ba7caaa-eb4d-4db9-9552-96712fa207ed", "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--76657bf1-fa01-4bbc-b869-7fc16c2d8322", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.119485Z", "modified": "2024-05-08T15:23:01.119485Z", "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity", "relationship_type": "mitigates", "source_ref": "course-of-action--1ba7caaa-eb4d-4db9-9552-96712fa207ed", "target_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", 
"id": "course-of-action--7206f8b8-f7a9-426b-98b0-d6eb177ba6ab", "created": "2024-05-08T15:23:01.121311Z", "modified": "2024-05-08T15:23:01.121311Z", "name": "Avoid using plain text credentials", "description": "Avoid using plain text credentials in configuration files. Use Kubernetes secrets or cloud secret store instead. This prevents unwanted access to plaintext credentials in source code, configuration files and Kubernetes objects.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9026%20Avoid%20using%20plain%20text%20credentials/", "external_id": "MS-M9026" } ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5ad126e4-a6cb-462b-8e7c-33d99a40f953", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.121429Z", "modified": "2024-05-08T15:23:01.121429Z", "description": "Avoid using plain text credentials in configuration files", "relationship_type": "mitigates", "source_ref": "course-of-action--7206f8b8-f7a9-426b-98b0-d6eb177ba6ab", "target_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--6e041ffe-db6b-446c-8375-11f0dcaa08ef", "created": "2024-05-08T15:23:01.123399Z", "modified": "2024-05-08T15:23:01.123399Z", "name": "Enable Just In Time access to API server", "description": "Employing Just In Time (JIT) elevated access to Kubernetes API server helps reduce the attack surface to the API server by compromised accounts by allowing access only at specific times, and through a governed escalation process. 
Enabling JIT access in Kubernetes is often done together with OpenID authentication which includes processes and tools to manage JIT access. One example of such OpenID authentication is Azure Active Directory authentication to Kubernetes clusters. The JIT approval is performed in the cloud control-plane level. Therefore, even if attackers have access to an account credentials, their access to the cluster is limited.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9006%20Enable%20Just%20In%20Time%20access%20to%20API%20server/", "external_id": "MS-M9006" } ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3e13da7d-4529-42be-832e-5aec578dbd65", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.1235Z", "modified": "2024-05-08T15:23:01.1235Z", "description": "Employing Just In Time (JIT) elevated access to Kubernetes API server helps reduce the attack surface to the API server by compromised accounts by allowing access only at specific times, and through a governed escalation process", "relationship_type": "mitigates", "source_ref": "course-of-action--6e041ffe-db6b-446c-8375-11f0dcaa08ef", "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--0223c63f-3d6c-4bf7-abc2-9d4239e49cd0", "created": "2024-05-08T15:23:01.125419Z", "modified": "2024-05-08T15:23:01.125419Z", "name": "Restrict access to etcd", "description": "Access to etcd should be limited to the Kubernetes control plane only. Depending on your configuration, you should attempt to use etcd over TLS. 
Require TLS with client-certificate authentication for both client-to-server and peer-to-peer etcd connections, and restrict network access to the etcd ports to control-plane nodes only. Keep in mind that etcd holds every Kubernetes Secret in cleartext unless encryption at rest is enabled, so read access to etcd (or to its backups and snapshots) is equivalent to cluster-wide secret access. This mitigation is relevant mainly to self-managed Kubernetes environments, as access to etcd in cloud managed clusters is already restricted by the provider.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9024%20Restrict%20access%20to%20etcd/", "external_id": "MS-M9024" } ], "x_mitre_ids": [ "M1035" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--51444f68-fe63-4319-bbcc-2c09a5c9a834", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.125521Z", "modified": "2024-05-08T15:23:01.125521Z", "description": "Access to etcd should be limited to the Kubernetes control plane only", "relationship_type": "mitigates", "source_ref": "course-of-action--0223c63f-3d6c-4bf7-abc2-9d4239e49cd0", "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--7689d229-1186-4094-ad2c-a91e26a06dd7", "created": "2024-05-08T15:23:01.127841Z", "modified": "2024-05-08T15:23:01.127841Z", "name": "Ensure that pods meet defined Pod Security Standards", "description": "The Pod Security Standards define three policies (privileged, baseline and restricted) to broadly cover the security spectrum. These policies are cumulative and range from highly-permissive to highly-restrictive. Decoupling policy definition from policy instantiation allows for a common understanding and consistent language of policies across clusters, independent of the underlying enforcement mechanism. At the same time, Kubernetes offers a built-in Pod Security admission controller to enforce the Pod Security Standards. 
Pod security restrictions are applied per namespace, via the pod-security.kubernetes.io enforce, audit and warn labels, and are evaluated only at admission time (pod creation or update): pods that already exist when a stricter level is set are not evicted retroactively, so use the audit and warn modes first to find non-compliant workloads before switching a namespace to enforce. The Pod Security admission controller replaces PodSecurityPolicy, which was removed in Kubernetes v1.25; clusters still relying on PodSecurityPolicy have no enforcement after upgrade.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9017%20Ensure%20that%20pods%20meet%20defined%20Pod%20Security%20Standards/", "external_id": "MS-M9017" } ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3a7acb8c-842c-4448-9109-4fd286ba7bd4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.127938Z", "modified": "2024-05-08T15:23:01.127938Z", "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum", "relationship_type": "mitigates", "source_ref": "course-of-action--7689d229-1186-4094-ad2c-a91e26a06dd7", "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--26d9ed03-0515-4527-9566-60c3a63bf48e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.128015Z", "modified": "2024-05-08T15:23:01.128015Z", "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum", "relationship_type": "mitigates", "source_ref": "course-of-action--7689d229-1186-4094-ad2c-a91e26a06dd7", "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--11c6d64e-5d90-4529-94be-cc473c37f9a5", "created": "2024-05-08T15:23:01.13165Z", "modified": 
"2024-05-08T15:23:01.13165Z", "name": "Restricting cloud metadata API access", "description": "Restrict pod access to the cloud provider's instance metadata service. A pod that can reach the metadata endpoint of its node can obtain the node's cloud identity credentials and use them to access cloud resources outside the cluster. Block or limit that access with network policies or the cloud provider's built-in controls (for example a metadata proxy or a hardened metadata-service mode), and prefer per-workload identity mechanisms so that pods do not need the node's credentials at all. Where workloads legitimately require metadata access, allow it only for those pods rather than cluster-wide.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9018%20Restricting%20cloud%20metadata%20API%20access/", "external_id": "MS-M9018" } ], "x_mitre_ids": [ "M1035" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9cfd33ce-2528-4e82-ab8a-df5174f05c32", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.131768Z", "modified": "2024-05-08T15:23:01.131768Z", "description": "Restrict pod access to the cloud provider's instance metadata service", "relationship_type": "mitigates", "source_ref": "course-of-action--11c6d64e-5d90-4529-94be-cc473c37f9a5", "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--61c3b504-1806-4a67-af11-164a1c904f37", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.131862Z", "modified": "2024-05-08T15:23:01.131862Z", "description": "Restrict pod access to the cloud provider's instance metadata service", "relationship_type": "mitigates", "source_ref": "course-of-action--11c6d64e-5d90-4529-94be-cc473c37f9a5", "target_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--30b19dd5-db4d-4c84-8256-c658bce46c93", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.131933Z", "modified": "2024-05-08T15:23:01.131933Z", "description": "Restrict pod access to the cloud provider's instance metadata service", "relationship_type": "mitigates", "source_ref": 
"course-of-action--11c6d64e-5d90-4529-94be-cc473c37f9a5", "target_ref": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--65208f94-dbff-4d67-9543-a49c72327f9a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.132001Z", "modified": "2024-05-08T15:23:01.132001Z", "description": "Restrict pod access to the cloud provider's instance metadata service", "relationship_type": "mitigates", "source_ref": "course-of-action--11c6d64e-5d90-4529-94be-cc473c37f9a5", "target_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "created": "2024-05-08T15:23:01.142495Z", "modified": "2024-05-08T15:23:01.142495Z", "name": "Adhere to least-privilege principle", "description": "Configure Kubernetes role-based access control (RBAC) so that each user and service account has only the permissions it needs. This also applies to other, external, authorization providers such as Azure RBAC in AKS.\n\nIn managed clusters, Kubernetes credentials are often retrieved or generated by the cloud provider via an API call, so the cloud control plane is a second path to cluster access. To reduce the attack surface, grant permissions on the cloud provider API only to the accounts that need them. In the case of Azure, make sure that only required identities are allowed to call the listClusterUserCredential operation on the managed cluster resource (/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ContainerService/managedClusters/{resourceName}/listClusterUserCredential), and treat the corresponding admin-credential operation as equivalent to granting cluster-admin.\n\nA kubeconfig file can contain credentials of accounts that allow interaction with a cluster. 
Applying the least-privilege principle to all accounts limits the impact of an account compromised through a kubeconfig file.\n\nThe Kubernetes project's RBAC good-practices guidance adds the following recommendations for permissions and role assignment: avoid wildcard verbs and resources and avoid binding subjects to cluster-admin; minimize the distribution of privileged service-account tokens, disabling automatic token mounting for workloads that do not need API access; treat the escalate, bind and impersonate verbs, write access to RBAC objects, and the ability to create pods or persistent volumes as effectively cluster-admin, since each can be used to escalate; and review role bindings periodically for drift.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9003%20Adhere%20to%20least-privilege%20principle/", "external_id": "MS-M9003" } ], "x_mitre_ids": [ "M1018" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--19f8e6fe-02ed-4095-91a6-92e18df62fe4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.142614Z", "modified": "2024-05-08T15:23:01.142614Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--46c56f83-318c-4e97-b46c-9f3ae3b081fc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.142694Z", "modified": "2024-05-08T15:23:01.142694Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--059abccd-2bb9-4c26-a720-e2b70fec315c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.142766Z", "modified": "2024-05-08T15:23:01.142766Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c25563e5-df67-4eb9-a38e-10cf72433219", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.142835Z", "modified": "2024-05-08T15:23:01.142835Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--56609145-4706-4903-ba25-be7065847487", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.142902Z", "modified": "2024-05-08T15:23:01.142902Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary 
permissions", "relationship_type": "mitigates", "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--690fcf22-446b-4d66-a392-62b7cb419180", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.14297Z", "modified": "2024-05-08T15:23:01.14297Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5cf19607-dffe-4d65-a952-5b76d622c8d8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.143036Z", "modified": "2024-05-08T15:23:01.143036Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": 
"relationship--27423ae4-5d67-41d1-b053-4ff9b63c1eb5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.143104Z", "modified": "2024-05-08T15:23:01.143104Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4ba58c15-4a2d-47e7-9148-bbbd0ac1ee71", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.14317Z", "modified": "2024-05-08T15:23:01.14317Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3fcf3afc-7c69-4425-9015-53926bf23f35", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.143235Z", "modified": "2024-05-08T15:23:01.143235Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", "source_ref": 
"course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b59f314e-f494-4ca6-9f68-403893c8ad81", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.14331Z", "modified": "2024-05-08T15:23:01.14331Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5d41b5c6-291f-4418-9033-062d980536f2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.143382Z", "modified": "2024-05-08T15:23:01.143382Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--aef66010-24c9-469d-9e61-8fd1e364cbef", "created_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.143456Z", "modified": "2024-05-08T15:23:01.143456Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--621981c6-f3b5-4e15-acd8-544647a7e4a9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.143522Z", "modified": "2024-05-08T15:23:01.143522Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1be627dd-375b-4c63-b321-a7e84c8c4a6f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.143588Z", "modified": "2024-05-08T15:23:01.143588Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": 
"attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--30fa1766-baae-4c3a-9257-2eafddc67bf9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.143661Z", "modified": "2024-05-08T15:23:01.143661Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--45dec0fe-060f-4283-965a-662f5aad46c6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.143726Z", "modified": "2024-05-08T15:23:01.143726Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ae9aef0c-27d9-475e-b7fb-08332ae5b518", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": 
"2024-05-08T15:23:01.143793Z", "modified": "2024-05-08T15:23:01.143793Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7a103bef-f288-4179-860b-39e0f3a95609", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.143859Z", "modified": "2024-05-08T15:23:01.143859Z", "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", "created": "2024-05-08T15:23:01.147505Z", "modified": "2024-05-08T15:23:01.147505Z", "name": "Network segmentation", "description": "Restrict inbound and outbound network traffic of the pods in the cluster. This includes inner-cluster communication as well as ingress\\egress traffic to\\from the cluster. 
Network Policies are the native Kubernetes mechanism for restricting pod traffic, but they are only enforced when the cluster's network plugin (CNI) implements them, and a namespace with no policy allows all ingress and egress by default. Start from a default-deny ingress and egress policy in each namespace and explicitly allow only the required flows (including DNS egress). Restricting egress in particular limits what a compromised pod can reach, such as the cloud metadata endpoint, the API server, other namespaces, or external hosts.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9014%20Network%20segmentation/", "external_id": "MS-M9014" } ], "x_mitre_ids": [ "M1030" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f8a571d5-ea3d-496e-8943-bcfc0103b575", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.14761Z", "modified": "2024-05-08T15:23:01.14761Z", "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a73b5a9d-acd5-4fea-a45c-482f2a7631bf", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.147691Z", "modified": "2024-05-08T15:23:01.147691Z", "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--41d76943-df71-46e1-af89-a256a85aa9aa", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.147761Z", "modified": 
"2024-05-08T15:23:01.147761Z", "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c96c9e19-f90b-467b-9acd-257e04ae50a7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.147831Z", "modified": "2024-05-08T15:23:01.147831Z", "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--172f7807-6ce2-4b72-839f-c09169437aa3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.147905Z", "modified": "2024-05-08T15:23:01.147905Z", "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", "target_ref": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": 
"relationship--88b9667b-ed8a-4390-b442-38f6034f65fe", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.147977Z", "modified": "2024-05-08T15:23:01.147977Z", "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--932c3ddb-6fbf-4877-b681-6fa637df55d8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.148044Z", "modified": "2024-05-08T15:23:01.148044Z", "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", "target_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", "created": "2024-05-08T15:23:01.151887Z", "modified": "2024-05-08T15:23:01.151887Z", "name": "Restrict container runtime using LSM", "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others. Linux security modules can restrict access to files, running processes, certain system calls and others. 
Also, dropping unnecessary Linux capabilities from the container (drop all capabilities and add back only those the workload needs) helps reduce the attack surface of that container. Note that seccomp is a kernel system-call filter rather than an LSM, but it is configured alongside AppArmor and SELinux through the pod or container securityContext. Applying the runtime's default seccomp profile, setting allowPrivilegeEscalation to false, and running as a non-root user are the baseline hardening to combine with LSM profiles; the restricted Pod Security Standard requires all of these, so enforcing it is the simplest way to make them mandatory cluster-wide.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9011%20Restrict%20container%20runtime%20using%20LSM/", "external_id": "MS-M9011" } ], "x_mitre_ids": [ "M1038", "M1040" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ea20a874-c3f9-44cf-929c-61c793cecbfc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.151995Z", "modified": "2024-05-08T15:23:01.151995Z", "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8797c606-b9ba-4cc3-b00a-80bd84cdebb1", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.152075Z", "modified": "2024-05-08T15:23:01.152075Z", "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", "target_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", 
"id": "relationship--32aa3123-080a-443c-b57e-ffd73a50cdb2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.152147Z", "modified": "2024-05-08T15:23:01.152147Z", "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1baaa766-7e3e-4c92-bd54-f16bc55d66a4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.152215Z", "modified": "2024-05-08T15:23:01.152215Z", "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--02aaeb8c-105c-46bc-9349-5c892629abc5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.152288Z", "modified": "2024-05-08T15:23:01.152288Z", "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", "source_ref": 
"course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4ed2fb12-8fd9-49e4-848e-61cc48626c1f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.152355Z", "modified": "2024-05-08T15:23:01.152355Z", "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", "target_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9ad82aa9-d56b-4a88-8362-fda4c6a2b347", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.152422Z", "modified": "2024-05-08T15:23:01.152422Z", "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--91d97c14-a002-47d5-8b73-aadd757ed2d1", "created": 
"2024-05-08T15:23:01.154072Z", "modified": "2024-05-08T15:23:01.154072Z", "name": "Set requests and limits for containers", "description": "Set requests and limits for each container to avoid resource contention and DoS attacks.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9029%20Set%20requests%20and%20limits%20for%20containers/", "external_id": "MS-M9029" } ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c2d01ad0-290e-4a89-ae7c-8560e5e0ce6f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.154258Z", "modified": "2024-05-08T15:23:01.154258Z", "description": "Set requests and limits for each container to avoid resource contention and DoS attacks", "relationship_type": "mitigates", "source_ref": "course-of-action--91d97c14-a002-47d5-8b73-aadd757ed2d1", "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--817d514e-58a7-4163-b17b-a465f985291e", "created": "2024-05-08T15:23:01.157008Z", "modified": "2024-05-08T15:23:01.157008Z", "name": "Require strong authentication to services", "description": "Use strong authentication when exposing sensitive interfaces to the Internet. For example, attacks were observed against exposed Kubeflow and Argo workloads that were not configured to use OpenID Connect or other authentication methods.\n\nUse strong authentication methods to the Kubernetes API that will prevent attackers from gaining access to the cluster even if valid credentials such as kubeconfig were achieved. For example, in AKS use AAD authentication instead of basic authentication. 
By using AAD authentication, a short-lived credential of the cluster is retrieved after authenticating to AAD.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9009%20Require%20strong%20authentication%20to%20services/", "external_id": "MS-M9009" } ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--062c9dc9-2781-4bab-af67-e95556bf14c6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.157109Z", "modified": "2024-05-08T15:23:01.157109Z", "description": "Use strong authentication when exposing sensitive interfaces to the Internet", "relationship_type": "mitigates", "source_ref": "course-of-action--817d514e-58a7-4163-b17b-a465f985291e", "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--42cedd8a-eaac-4a78-8876-1655bb621c05", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.157188Z", "modified": "2024-05-08T15:23:01.157188Z", "description": "Use strong authentication when exposing sensitive interfaces to the Internet", "relationship_type": "mitigates", "source_ref": "course-of-action--817d514e-58a7-4163-b17b-a465f985291e", "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b0490e7e-61ae-45e6-b59a-6aeabd80803f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": 
"2024-05-08T15:23:01.157259Z", "modified": "2024-05-08T15:23:01.157259Z", "description": "Use strong authentication when exposing sensitive interfaces to the Internet", "relationship_type": "mitigates", "source_ref": "course-of-action--817d514e-58a7-4163-b17b-a465f985291e", "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--0260614b-819f-4d36-b407-e580354969ae", "created": "2024-05-08T15:23:01.159464Z", "modified": "2024-05-08T15:23:01.159464Z", "name": "Use managed secret store", "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster. This allows cloud-level management of the secret which includes permission management, expiration management, secret rotation, auditing, etc. 
The integration of cloud secret stores with Kubernetes is done by using Secrets Store CSI Driver, which is implemented by all major cloud providers.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9022%20Use%20managed%20secret%20store/", "external_id": "MS-M9022" } ], "x_mitre_ids": [ "M1029" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c3ef337b-3a4a-4309-99f1-6ee18355d712", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.159564Z", "modified": "2024-05-08T15:23:01.159564Z", "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--0260614b-819f-4d36-b407-e580354969ae", "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a79d2424-894b-4835-b857-beef9ee7c3ca", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.159642Z", "modified": "2024-05-08T15:23:01.159642Z", "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--0260614b-819f-4d36-b407-e580354969ae", "target_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": 
"course-of-action--0ec118e3-21ba-4958-9f5d-f1b6e1f01f45", "created": "2024-05-08T15:23:01.161342Z", "modified": "2024-05-08T15:23:01.161342Z", "name": "Use cloud storage provider", "description": "Use cloud storage services, such as Azure Files, for storing the application\u2019s data. Kubernetes integrates with all main cloud provider storage services as storage providers for pod volumes. This allows leveraging cloud storage capabilities such as backup and snapshots.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9030%20Use%20cloud%20storage%20provider/", "external_id": "MS-M9030" } ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--522c6538-e8a2-4aa7-922c-56c17e658b03", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.161439Z", "modified": "2024-05-08T15:23:01.161439Z", "description": "Use cloud storage services, such as Azure Files, for storing the application\u2019s data", "relationship_type": "mitigates", "source_ref": "course-of-action--0ec118e3-21ba-4958-9f5d-f1b6e1f01f45", "target_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--b4cebd89-9ab3-4646-92da-956b57101e44", "created": "2024-05-08T15:23:01.163165Z", "modified": "2024-05-08T15:23:01.163165Z", "name": "Implement data backup strategy", "description": "Take and store data backups from pod mounted volumes for critical workloads. 
Ensure backup and storage systems are hardened and kept separate from the Kubernetes environment to prevent compromise.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9031%20Implement%20data%20backup%20strategy/", "external_id": "MS-M9031" } ], "x_mitre_ids": [ "M1053" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--adab1f1e-02de-4dc2-9739-fd7ec60bfa44", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.163263Z", "modified": "2024-05-08T15:23:01.163263Z", "description": "Take and store data backups from pod mounted volumes for critical workloads", "relationship_type": "mitigates", "source_ref": "course-of-action--b4cebd89-9ab3-4646-92da-956b57101e44", "target_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--15d09dcd-c393-4457-b1ca-2bc8d553b6f5", "created": "2024-05-08T15:23:01.165148Z", "modified": "2024-05-08T15:23:01.165148Z", "name": "Multi-factor authentication", "description": "Using multi-factor authentication for accounts can prevent unauthorized access in case an adversary achieves access to the account credentials. 
This reduces the risk when an adversary has obtained valid credentials for an account that has permissions on the Kubernetes cluster.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9001%20Multi-factor%20authentication/", "external_id": "MS-M9001" } ], "x_mitre_ids": [ "M1032" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6d794426-0ee7-4338-acca-247a712eff03", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.165242Z", "modified": "2024-05-08T15:23:01.165242Z", "description": "Using multi-factor authentication for accounts can prevent unauthorized access in case an adversary achieves access to the account credentials", "relationship_type": "mitigates", "source_ref": "course-of-action--15d09dcd-c393-4457-b1ca-2bc8d553b6f5", "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--94491ee8-7e32-48f1-85c5-4b87864541ab", "created": "2024-05-08T15:23:01.166941Z", "modified": "2024-05-08T15:23:01.166941Z", "name": "Use NodeRestriction admission controller", "description": "The NodeRestriction admission controller limits the API permissions of each kubelet's credentials, allowing a kubelet to modify only its own Node object and only the pods that are running on its own node. 
This limits what an attacker who has compromised a node or obtained its kubelet credentials (for example, through an exposed Kubelet API) can do with those credentials, and may prevent them from gaining full control over the cluster.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9027%20Use%20NodeRestriction%20admission%20controller/", "external_id": "MS-M9027" } ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--36f88ce0-287b-4ce4-b13f-8fe666379a39", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.167037Z", "modified": "2024-05-08T15:23:01.167037Z", "description": "The NodeRestriction admission controller limits the API permissions of each kubelet's credentials, allowing a kubelet to modify only its own Node object and only the pods that are running on its own node", "relationship_type": "mitigates", "source_ref": "course-of-action--94491ee8-7e32-48f1-85c5-4b87864541ab", "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--cf428e21-ea85-4cdb-b4b5-b13f82a1b707", "created": "2024-05-08T15:23:01.16916Z", "modified": "2024-05-08T15:23:01.16916Z", "name": "Restrict exec commands on pods", "description": "Restrict the ability to run exec commands in pods (the pods/exec subresource) to the users and service accounts that require it.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9010%20Restrict%20exec%20commands%20on%20pods/", "external_id": "MS-M9010" } ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c9bf917c-a264-44c7-ba43-8a1ee750d906", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.169269Z", "modified": "2024-05-08T15:23:01.169269Z", "description": "Restrict the ability to run exec commands in pods (the pods/exec subresource) to the users and service accounts that require it", "relationship_type": "mitigates", "source_ref": 
"course-of-action--cf428e21-ea85-4cdb-b4b5-b13f82a1b707", "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ae8e9fe9-5da8-4f57-89f1-40980305084b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.169349Z", "modified": "2024-05-08T15:23:01.169349Z", "description": "Restrict the ability to run exec commands in pods (the pods/exec subresource) to the users and service accounts that require it", "relationship_type": "mitigates", "source_ref": "course-of-action--cf428e21-ea85-4cdb-b4b5-b13f82a1b707", "target_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--11aa8351-d3ce-4944-9be0-da15142d7160", "created": "2024-05-08T15:23:01.171336Z", "modified": "2024-05-08T15:23:01.171336Z", "name": "Avoid using web-hosted manifest for Kubelet", "description": "Avoid configuring the kubelet to fetch static pod manifests from a web-hosted URL; an attacker who can modify or impersonate that manifest source can run pods of their choosing on the node.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9032%20Avoid%20using%20web-hosted%20manifest%20for%20Kubelet/", "external_id": "MS-M9032" } ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5ee4a054-cb3c-4089-ac69-3a15443614a7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.171462Z", "modified": "2024-05-08T15:23:01.171462Z", "description": "Avoid configuring the kubelet to fetch static pod manifests from a web-hosted URL", "relationship_type": "mitigates", "source_ref": "course-of-action--11aa8351-d3ce-4944-9be0-da15142d7160", "target_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
"enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", "created": "2024-05-08T15:23:01.174809Z", "modified": "2024-05-08T15:23:01.174809Z", "name": "Restrict access to the API server using IP firewall", "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster.\nIn managed clusters, cloud providers often support native built-in firewall which can restrict the IP addresses that are allowed to access the API server.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9002%20Restrict%20access%20to%20the%20API%20server%20using%20IP%20firewall/", "external_id": "MS-M9002" } ], "x_mitre_ids": [ "M1035" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fded3496-f58e-4fa8-976d-23792a584ef7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.174977Z", "modified": "2024-05-08T15:23:01.174977Z", "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--812e7837-20b0-44ae-a0d1-99d2278c5ea3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": 
"2024-05-08T15:23:01.175071Z", "modified": "2024-05-08T15:23:01.175071Z", "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--67588996-c1c1-4ca6-b8e6-bf148a7ab816", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.175145Z", "modified": "2024-05-08T15:23:01.175145Z", "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--21f02379-2691-4f7b-b04c-3c5b717a47de", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.175219Z", "modified": "2024-05-08T15:23:01.175219Z", "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", "target_ref": 
"attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c0a1afd7-450a-49aa-9535-fad35b0b8ca5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.175281Z", "modified": "2024-05-08T15:23:01.175281Z", "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--03870e17-f26d-470e-9f22-65a7af305686", "created": "2024-05-08T15:23:01.177457Z", "modified": "2024-05-08T15:23:01.177457Z", "name": "Limit access to services over network", "description": "Avoid exposing sensitive interfaces insecurely to the Internet or limit access to it. Sensitive interfaces includes management tools and applications that allow creation of new containers in the cluster. Some of those services does not use authentication by default and are not intended to be exposed. 
Examples of services that were exploited: Weave Scope, Apache NiFi and more.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9008%20Limit%20access%20to%20services%20over%20network/", "external_id": "MS-M9008" } ], "x_mitre_ids": [ "M1035" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--436ba6cd-33fb-4799-bcfd-ec9febd3060b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.17757Z", "modified": "2024-05-08T15:23:01.17757Z", "description": "Avoid exposing sensitive interfaces insecurely to the Internet or limit access to it", "relationship_type": "mitigates", "source_ref": "course-of-action--03870e17-f26d-470e-9f22-65a7af305686", "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", "created": "2024-05-08T15:23:01.182138Z", "modified": "2024-05-08T15:23:01.182138Z", "name": "Restrict over permissive containers", "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster. 
This can include restricting privileged containers, containers with sensitive volumes, containers with excessive capabilities, and other signs of over permissive containers.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9013%20Restrict%20over%20permissive%20containers/", "external_id": "MS-M9013" } ], "x_mitre_ids": [ "M1038" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0ccc5fc7-02fb-4ae4-abdb-1d49359bc079", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.182252Z", "modified": "2024-05-08T15:23:01.182252Z", "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--02bed0a4-ddf4-456e-afeb-6173869b8843", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.182335Z", "modified": "2024-05-08T15:23:01.182335Z", "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", 
"spec_version": "2.1", "id": "relationship--fe7996f1-78aa-4db5-a91f-0431ed0980c1", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.182408Z", "modified": "2024-05-08T15:23:01.182408Z", "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", "target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9bbc5221-f86e-4a12-b517-4ee49a8ee18a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.182481Z", "modified": "2024-05-08T15:23:01.182481Z", "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4c290472-432f-4a14-a274-df64e034e145", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.182548Z", "modified": "2024-05-08T15:23:01.182548Z", "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", "source_ref": 
"course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bc3c5c8b-d241-4510-9784-f8dfb5834759", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.182615Z", "modified": "2024-05-08T15:23:01.182615Z", "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--16ad6a7b-4c9c-4c2d-970f-141c688c62c9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.182685Z", "modified": "2024-05-08T15:23:01.182685Z", "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--70d230fd-d5a4-467b-879c-ba44e8d3ef7f", "created_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.182751Z", "modified": "2024-05-08T15:23:01.182751Z", "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", "target_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e44ea84b-4bd2-48ed-ad5d-01727741d276", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.182821Z", "modified": "2024-05-08T15:23:01.182821Z", "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", "target_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--935920ed-3bfc-4515-8f1a-c9cf6257c137", "created": "2024-05-08T15:23:01.184679Z", "modified": "2024-05-08T15:23:01.184679Z", "name": "Remove unused secrets from the cluster", "description": "Remove unused secrets objects from the cluster.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9023%20Remove%20unused%20secrets%20from%20the%20cluster/", "external_id": "MS-M9023" } ] }, { "type": "relationship", "spec_version": 
"2.1", "id": "relationship--1b81fd94-ed3d-46cd-8796-67dba801d30b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.184807Z", "modified": "2024-05-08T15:23:01.184807Z", "description": "Remove unused secrets objects from the cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--935920ed-3bfc-4515-8f1a-c9cf6257c137", "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--86979444-deb0-48bc-bbcd-112f66c6bf91", "created": "2024-05-08T15:23:01.186864Z", "modified": "2024-05-08T15:23:01.186864Z", "name": "Collect logs to remote data storage", "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion. This can be achieved by various open-source tools such as Fluentd. 
Also, built-in cloud solutions are available for managed clusters, such as Container Insights and Log Analytics in AKS and Cloud Logging in GKE.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9020%20Collect%20logs%20to%20remote%20data%20storage/", "external_id": "MS-M9020" } ], "x_mitre_ids": [ "M1029" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1a939bbf-5c4e-413d-afa3-6921cf11638c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.186967Z", "modified": "2024-05-08T15:23:01.186967Z", "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion", "relationship_type": "mitigates", "source_ref": "course-of-action--86979444-deb0-48bc-bbcd-112f66c6bf91", "target_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fb6883aa-42e3-4061-8c79-3a14b024013e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.187039Z", "modified": "2024-05-08T15:23:01.187039Z", "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion", "relationship_type": "mitigates", "source_ref": "course-of-action--86979444-deb0-48bc-bbcd-112f66c6bf91", "target_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": 
"course-of-action--78d2910d-3e63-4580-af21-b83b21a5ecd1", "created": "2024-05-08T15:23:01.189459Z", "modified": "2024-05-08T15:23:01.189459Z", "name": "Network intrusion prevention", "description": "Use intrusion detection signatures and web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster.\n\nAdapting the network intrusion prevention solution to Kubernetes environment might be needed to route network traffic destined to services through it.\nIn some cases, this will be done by deploying a containerized version of a network intrusion prevention solution to the Kubernetes cluster and be part of the cluster network, and in some cases, routing ingress traffic to Kubernetes services through an external appliance, requiring that all ingress traffic will only come from such an appliance.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9007%20Network%20intrusion%20prevention/", "external_id": "MS-M9007" } ], "x_mitre_ids": [ "M1031" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d4e8607e-95e0-4e42-9afb-4542e4699a88", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.189559Z", "modified": "2024-05-08T15:23:01.189559Z", "description": "Use intrusion detection signatures and web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster", "relationship_type": "mitigates", "source_ref": "course-of-action--78d2910d-3e63-4580-af21-b83b21a5ecd1", "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": 
"course-of-action--11ec9a05-7505-45d0-a138-f6144247a52e", "created": "2024-05-08T15:23:01.191318Z", "modified": "2024-05-08T15:23:01.191318Z", "name": "Disable service account auto mount", "description": "", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9025%20Disable%20service%20account%20auto%20mount/", "external_id": "MS-M9025" } ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--90cda620-d637-4dcd-b94a-59a88e04176c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.191413Z", "modified": "2024-05-08T15:23:01.191413Z", "description": "", "relationship_type": "mitigates", "source_ref": "course-of-action--11ec9a05-7505-45d0-a138-f6144247a52e", "target_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--cc1b481b-66be-42cb-a987-e8c6889b6160", "created": "2024-05-08T15:23:01.193294Z", "modified": "2024-05-08T15:23:01.193294Z", "name": "Secure CI/CD environment", "description": "Secure code repositories and the CI/CD environment by placing gates to restrict unauthorized access and modification of content. 
This can include enforcing RBAC permissions to access and make changes to code, artifacts and build pipelines, ensuring a governed process for pull-request approval, applying branch policies, and more.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9004%20Secure%20CI/CD%20environment/", "external_id": "MS-M9004" } ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e2fdd0ef-6d58-4750-bee9-80f39d8694e1", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.193396Z", "modified": "2024-05-08T15:23:01.193396Z", "description": "Secure code repositories and the CI/CD environment by placing gates to restrict unauthorized access and modification of content", "relationship_type": "mitigates", "source_ref": "course-of-action--cc1b481b-66be-42cb-a987-e8c6889b6160", "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--6196e3ad-1d3a-4990-b578-801c2d5026a6", "created": "2024-05-08T15:23:01.195159Z", "modified": "2024-05-08T15:23:01.195159Z", "name": "Avoid running management interface on containers", "description": "Avoid running SSH daemon, as well as other management interfaces, if they aren\u2019t necessary for the application\u2019s functionality.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9015%20Avoid%20running%20management%20interface%20on%20containers/", "external_id": "MS-M9015" } ], "x_mitre_ids": [ "M1042" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1750efbb-f8a6-4f36-8a46-5bec00eaed67", "created_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.195258Z", "modified": "2024-05-08T15:23:01.195258Z", "description": "Avoid running SSH daemon, as well as other management interfaces, if they aren\u2019t necessary for the application\u2019s functionality", "relationship_type": "mitigates", "source_ref": "course-of-action--6196e3ad-1d3a-4990-b578-801c2d5026a6", "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--6f45e84f-d55f-4b3a-86dd-8ba036c72492", "created": "2024-05-08T15:23:01.19739Z", "modified": "2024-05-08T15:23:01.19739Z", "name": "Remove tools from container images", "description": "Attackers often use built-in executables to run their malicious code. Removing unused executables from the image filesystem can prevent such activity. 
Examples of executables that are commonly used in malicious activity include: sh, bash, curl, wget, chmod and more.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9012%20Remove%20tools%20from%20container%20images/", "external_id": "MS-M9012" } ], "x_mitre_ids": [ "M1042" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--306fd68f-9390-428f-a706-b94fec13a935", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.197569Z", "modified": "2024-05-08T15:23:01.197569Z", "description": "Attackers often use built-in executables to run their malicious code", "relationship_type": "mitigates", "source_ref": "course-of-action--6f45e84f-d55f-4b3a-86dd-8ba036c72492", "target_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b5bab9ed-13d4-4f25-947d-3b5055fef187", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.197647Z", "modified": "2024-05-08T15:23:01.197647Z", "description": "Attackers often use built-in executables to run their malicious code", "relationship_type": "mitigates", "source_ref": "course-of-action--6f45e84f-d55f-4b3a-86dd-8ba036c72492", "target_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--44d2fefa-6a6f-4771-acd7-b81ebe8646e8", "created": "2024-05-08T15:23:01.2003Z", "modified": "2024-05-08T15:23:01.2003Z", 
"name": "Restrict file and directory permissions", "description": "", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9016%20Restrict%20file%20and%20directory%20permissions/", "external_id": "MS-M9016" } ], "x_mitre_ids": [ "M1022" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--12817f60-cc8e-4dc0-978f-982a926c7884", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.200411Z", "modified": "2024-05-08T15:23:01.200411Z", "description": "", "relationship_type": "mitigates", "source_ref": "course-of-action--44d2fefa-6a6f-4771-acd7-b81ebe8646e8", "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3a5fbb4b-37c9-4241-95e6-e5bfcbd1d237", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.200497Z", "modified": "2024-05-08T15:23:01.200497Z", "description": "", "relationship_type": "mitigates", "source_ref": "course-of-action--44d2fefa-6a6f-4771-acd7-b81ebe8646e8", "target_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c8de37c6-deea-416e-a650-3109ca91b365", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.200566Z", "modified": "2024-05-08T15:23:01.200566Z", "description": "", "relationship_type": "mitigates", "source_ref": 
"course-of-action--44d2fefa-6a6f-4771-acd7-b81ebe8646e8", "target_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--4d1961ab-4a76-4c14-8580-62452288725e", "created": "2024-05-08T15:23:01.203334Z", "modified": "2024-05-08T15:23:01.203334Z", "name": "Gate images pushed to registries", "description": "Placing gates in the container registry to prevent pushing, or to quarantine, images that do not meet the content trust requirement. Some container registries support gates that prevent pushing images, while others might quarantine images after they were already pushed to the registry. Ensuring that gates exist at the registry level can help prevent bypass of gates at the CI/CD pipeline level.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005/MS-M9005.002%20Gate%20images%20pushed%20to%20registries/", "external_id": "MS-M9005.002" } ], "x_mitre_ids": [ "M1016", "M1045" ], "x_mitre_parent_mitigation": "MS-M9005" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--e89ff43f-d691-492c-a3db-8f001ae6287e", "created": "2024-05-08T15:23:01.205914Z", "modified": "2024-05-08T15:23:01.205914Z", "name": "Gate generated images in CI/CD pipeline", "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005/MS-M9005.001%20Gate%20generated%20images%20in%20CI/CD%20pipeline/", "external_id": "MS-M9005.001" } ], "x_mitre_ids": [ "M1016", 
"M1045" ], "x_mitre_parent_mitigation": "MS-M9005" }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--ebddc6a6-263d-457d-aef4-9255c5e153fc", "created": "2024-05-08T15:23:01.209235Z", "modified": "2024-05-08T15:23:01.209235Z", "name": "Image assurance policy", "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies, ensuring a consistent and comprehensive image assurance policy across the build, ship and run development stages.\n\nOne approach to ensuring images pass assurance or compliance checks is to sign the container images, so the image signature can be checked downstream when deploying to Kubernetes clusters at runtime.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005%20Image%20assurance%20policy/", "external_id": "MS-M9005" } ], "x_mitre_ids": [ "M1016", "M1045" ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", "created": "2024-05-08T15:23:01.213865Z", "modified": "2024-05-08T15:23:01.213865Z", "name": "Gate images deployed to Kubernetes cluster", "description": "Gate deployment of images to the Kubernetes cluster to prevent deploying images that do not meet the content trust requirements. This can include allowing only images from trusted registries, images that carry a digital signature, or images that pass vulnerability scanning and other checks. This can prevent potential adversaries from using their own malicious images in the cluster. Also, this ensures that only images that passed the security compliance policies of the organization are deployed in the cluster. 
Kubernetes admission controller mechanism is one of the commonly used tools for implementing such policy.", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005/MS-M9005.003%20Gate%20images%20deployed%20to%20Kubernetes%20cluster/", "external_id": "MS-M9005.003" } ], "x_mitre_ids": [ "M1016", "M1045" ], "x_mitre_parent_mitigation": "MS-M9005" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7de0fd47-0ec4-4a60-b21c-2b045b090aae", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.213976Z", "modified": "2024-05-08T15:23:01.213976Z", "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", "relationship_type": "mitigates", "source_ref": "course-of-action--4d1961ab-4a76-4c14-8580-62452288725e", "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ac2fd283-0d84-47e7-aaad-c507a043680f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.214056Z", "modified": "2024-05-08T15:23:01.214056Z", "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", "relationship_type": "mitigates", "source_ref": "course-of-action--4d1961ab-4a76-4c14-8580-62452288725e", "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": 
"relationship", "spec_version": "2.1", "id": "relationship--55dda607-c695-48bd-85db-ea51a8c375fc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.214133Z", "modified": "2024-05-08T15:23:01.214133Z", "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", "relationship_type": "mitigates", "source_ref": "course-of-action--4d1961ab-4a76-4c14-8580-62452288725e", "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9b510739-699f-483e-8e27-bad3a4cc8bd4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.214208Z", "modified": "2024-05-08T15:23:01.214208Z", "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", "relationship_type": "mitigates", "source_ref": "course-of-action--e89ff43f-d691-492c-a3db-8f001ae6287e", "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a908c426-cab6-4007-8f8b-2ae3b3dbe354", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.214286Z", "modified": "2024-05-08T15:23:01.214286Z", "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", "relationship_type": 
"mitigates", "source_ref": "course-of-action--e89ff43f-d691-492c-a3db-8f001ae6287e", "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9b0ae1d0-00ca-49a6-b481-476afd6db243", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.214357Z", "modified": "2024-05-08T15:23:01.214357Z", "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", "relationship_type": "mitigates", "source_ref": "course-of-action--e89ff43f-d691-492c-a3db-8f001ae6287e", "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--42002b19-6fc5-4840-938a-b41d353a58f1", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.214427Z", "modified": "2024-05-08T15:23:01.214427Z", "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", "source_ref": "course-of-action--ebddc6a6-263d-457d-aef4-9255c5e153fc", "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": 
"relationship--160b7870-ff6f-447e-aae6-ad7257da8dad", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.214493Z", "modified": "2024-05-08T15:23:01.214493Z", "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", "source_ref": "course-of-action--ebddc6a6-263d-457d-aef4-9255c5e153fc", "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c31e800b-e36d-4af6-9eba-6774f2897d89", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.214558Z", "modified": "2024-05-08T15:23:01.214558Z", "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", "source_ref": "course-of-action--ebddc6a6-263d-457d-aef4-9255c5e153fc", "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6a42219b-bcad-4d32-b411-86048a089879", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.214624Z", "modified": "2024-05-08T15:23:01.214624Z", "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", "source_ref": "course-of-action--ebddc6a6-263d-457d-aef4-9255c5e153fc", 
"target_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--76b13565-9280-4a9b-8b56-a00418f65956", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.214694Z", "modified": "2024-05-08T15:23:01.214694Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3d8ed52f-5a1b-4bdb-8bae-7c7b5929053a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.21476Z", "modified": "2024-05-08T15:23:01.21476Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0470cfde-1acd-4e6d-965b-c2ffe549a10a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": 
"2024-05-08T15:23:01.214825Z", "modified": "2024-05-08T15:23:01.214825Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--eae9cf0e-57b7-421c-86e7-d65c10164263", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.21489Z", "modified": "2024-05-08T15:23:01.21489Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1bdee8d7-0eaf-40d6-947e-5919479b6c7c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.21497Z", "modified": "2024-05-08T15:23:01.21497Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
"enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b831d0d0-4da9-4b3e-98c7-702ef5c75a1b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.215036Z", "modified": "2024-05-08T15:23:01.215036Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", "target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--412ded4c-b83f-49ee-b96c-f69ec33e4ee7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.2151Z", "modified": "2024-05-08T15:23:01.2151Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9b0921fc-31ec-4d29-aa8c-ba904c354e31", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.215168Z", "modified": "2024-05-08T15:23:01.215168Z", "description": "Gate deployment of images to Kubernetes cluster to 
prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8f545287-e6e8-4020-ba06-ef2a8fe49adf", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T15:23:01.215232Z", "modified": "2024-05-08T15:23:01.215232Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", "target_ref": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "x-mitre-matrix", "spec_version": "2.1", "id": "x-mitre-matrix--11ac2cbb-ba21-4607-a2e4-16c89a0b09a5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T08:52:58.000Z", "modified": "2024-05-08T18:23:01.229Z", "name": "Threat Matrix for Kubernetes", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes", "external_id": "tmfk" } ], "description": "The purpose of the threat matrix for Kubernetes is to conceptualize the known tactics, techniques, and procedures (TTP) that adversaries may use against Kubernetes environments. 
Inspired by MITRE ATT&CK, the threat matrix for Kubernetes is designed to give quick insight into a potential TTP that an adversary may be using in their attack campaign. The threat matrix for Kubernetes also contains mitigations specific to Kubernetes environments and attack techniques.", "x_mitre_attack_spec_version": "2.1.0", "tactic_refs": [ "x-mitre-tactic--061ef36d-a864-43af-9d9f-3e025b787b32", "x-mitre-tactic--b0bc713d-f866-4423-b9e5-b65138e68d22", "x-mitre-tactic--5fe72707-4d7b-47d4-b4ba-64bdbfcb264f", "x-mitre-tactic--71b0b7b2-4014-47bb-8fb6-ee5f3012b40a", "x-mitre-tactic--2aab1829-6b29-41d3-ab72-76a8a432bb3d", "x-mitre-tactic--eb106ddf-9e6f-4595-b187-bf7efae5ed2f", "x-mitre-tactic--b34df19f-9f2b-4faa-884f-facb1cc18a6d", "x-mitre-tactic--0af9ea77-62b6-4b00-8d77-5f42e8ca8ba3", "x-mitre-tactic--d9b42a9d-5e17-47b8-aabf-01c9bbb49e66", "x-mitre-tactic--376b02c0-7d36-4112-843c-c63d1f2202e4" ], "x_mitre_version": "0.1", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "identity", "spec_version": "2.1", "id": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-02-05T14:00:00.188Z", "modified": "2024-02-05T14:00:00.188Z", "name": "aw350m33d (Security Experts Community)", "identity_class": "organization", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1" } ] }