T1552.007 - Kubernetes List Secrets

Description from ATT&CK

Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API) An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components.

Atomic Tests


Atomic Test #1 - List All Secrets

A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services or provide further access to the cluster. More information about secrets.

This test will make a request to the Kubernetes api at the

1
/api/v1/secrets
endpoint requesting every secret stored within the cluster.

Supported Platforms: Containers

auto_generated_guid: 31e794c4-48fd-4a76-aca4-6587c155bc11

Attack Commands: Run with
1
bash
!

1
kubectl get secrets --all-namespaces

Dependencies: Run with
1
bash
!

Description: kubectl must be installed
Check Prereq Commands:
1
which kubectl
Get Prereq Commands:
1
echo "kubectl not installed, please install kubectl (https://kubernetes.io/docs/tasks/tools/)"



Atomic Test #2 - ListSecrets

A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.

Supported Platforms: Containers

auto_generated_guid: 43c3a49d-d15c-45e6-b303-f6e177e44a9a

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | namespace | K8s namespace to list | string | default|

Attack Commands: Run with
1
bash
!

1
kubectl get secrets -n #{namespace}

Dependencies: Run with
1
bash
!

Description: kubectl must be installed
Check Prereq Commands:
1
which kubectl
Get Prereq Commands:
1
echo "kubectl must be installed manually"



Atomic Test #3 - Cat the contents of a Kubernetes service account token file

Access the Kubernetes service account access token stored within a container in a cluster.

Supported Platforms: Linux

auto_generated_guid: 788e0019-a483-45da-bcfe-96353d46820f

Attack Commands: Run with
1
sh
!

1
kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token

Cleanup Commands:

1
kubectl --context kind-atomic-cluster delete pod atomic-pod

Dependencies: Run with
1
sh
!

Description: Verify docker is installed.
Check Prereq Commands:
1
which docker
Get Prereq Commands:
1
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
Description: Verify docker service is running.
Check Prereq Commands:
1
sudo systemctl status docker
Get Prereq Commands:
1
sudo systemctl start docker
Description: Verify kind is in the path.
Check Prereq Commands:
1
which kind
Get Prereq Commands:
1
2
3
curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64
chmod +x ./kind
mv kind /usr/bin/kind
Description: Verify kind-atomic-cluster is created
Check Prereq Commands:
1
sudo kind get clusters
Get Prereq Commands:
1
sudo kind create cluster --name atomic-cluster
Description: Verify kubectl is in path
Check Prereq Commands:
1
which kubectl
Get Prereq Commands:
1
2
3
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x ./kubectl
mv kubectl /usr/bin/kubectl
Description: Verify atomic-pod is running.
Check Prereq Commands:
1
kubectl --context kind-atomic-cluster get pods |grep atomic-pod
Get Prereq Commands:
1
kubectl --context kind-atomic-cluster run atomic-pod --image=alpine --command -- sleep infinity