T1552.007 - Kubernetes List Secrets
Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)
An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components.
Atomic Tests
Atomic Test #1 - List All Secrets
A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services or provide further access to the cluster.
More information about secrets.
This test will make a request to the Kubernetes api at the
endpoint requesting every secret stored within the cluster.
Supported Platforms: Containers
auto_generated_guid: 31e794c4-48fd-4a76-aca4-6587c155bc11
Attack Commands: Run with
!
1
| kubectl get secrets --all-namespaces
|
Dependencies: Run with
!
Description: kubectl must be installed
Check Prereq Commands:
Get Prereq Commands:
1
| echo "kubectl not installed, please install kubectl (https://kubernetes.io/docs/tasks/tools/)"
|
Atomic Test #2 - ListSecrets
A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.
Supported Platforms: Containers
auto_generated_guid: 43c3a49d-d15c-45e6-b303-f6e177e44a9a
| Name | Description | Type | Default Value |
|——|————-|——|—————|
| namespace | K8s namespace to list | string | default|
Attack Commands: Run with
!
1
| kubectl get secrets -n #{namespace}
|
Dependencies: Run with
!
Description: kubectl must be installed
Check Prereq Commands:
Get Prereq Commands:
1
| echo "kubectl must be installed manually"
|
Atomic Test #3 - Cat the contents of a Kubernetes service account token file
Access the Kubernetes service account access token stored within a container in a cluster.
Supported Platforms: Linux
auto_generated_guid: 788e0019-a483-45da-bcfe-96353d46820f
Attack Commands: Run with
!
1
| kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token
|
Cleanup Commands:
1
| kubectl --context kind-atomic-cluster delete pod atomic-pod
|
Dependencies: Run with
!
Description: Verify docker is installed.
Check Prereq Commands:
Get Prereq Commands:
1
| if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
|
Description: Verify docker service is running.
Check Prereq Commands:
1
| sudo systemctl status docker
|
Get Prereq Commands:
1
| sudo systemctl start docker
|
Description: Verify kind is in the path.
Check Prereq Commands:
Get Prereq Commands:
1
2
3
| curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64
chmod +x ./kind
mv kind /usr/bin/kind
|
Description: Verify kind-atomic-cluster is created
Check Prereq Commands:
Get Prereq Commands:
1
| sudo kind create cluster --name atomic-cluster
|
Description: Verify kubectl is in path
Check Prereq Commands:
Get Prereq Commands:
1
2
3
| curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x ./kubectl
mv kubectl /usr/bin/kubectl
|
Description: Verify atomic-pod is running.
Check Prereq Commands:
1
| kubectl --context kind-atomic-cluster get pods |grep atomic-pod
|
Get Prereq Commands:
1
| kubectl --context kind-atomic-cluster run atomic-pod --image=alpine --command -- sleep infinity
|