Try it using Invoke-Atomic

Kubernetes List Secrets

Description from ATT&CK

Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)

An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components. https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - ListSecrets

A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.

Supported Platforms: containers

auto_generated_guid: 43c3a49d-d15c-45e6-b303-f6e177e44a9a

Inputs:

Name Description Type Default Value
namespace K8s namespace to list String default

Attack Commands: Run with bash!

1
2
kubectl get secrets -n #{namespace}

Dependencies: Run with bash!

Description: kubectl must be installed

Check Prereq Commands:

1
2
which kubectl

Get Prereq Commands:

1
2
echo "kubectl must be installed manually"

Atomic Test #2 - Cat the contents of a Kubernetes service account token file

Access the Kubernetes service account access token stored within a container in a cluster.

Supported Platforms: linux

auto_generated_guid: 788e0019-a483-45da-bcfe-96353d46820f

Inputs:

None

Attack Commands: Run with sh!

1
2
kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token

Cleanup Commands:

1
2
kubectl --context kind-atomic-cluster delete pod atomic-pod

Dependencies: Run with sh!

Description: Verify docker is installed. Check Prereq Commands:

1
2
which docker

Get Prereq Commands:

1
2
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi

Description: Verify docker service is running. Check Prereq Commands:

1
2
sudo systemctl status docker

Get Prereq Commands:

1
2
sudo systemctl start docker

Description: Verify kind is in the path. Check Prereq Commands:

1
2
which kind

Get Prereq Commands:

1
2
3
4
curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64
chmod +x ./kind
mv kind /usr/bin/kind

Description: Verify kind-atomic-cluster is created Check Prereq Commands:

1
2
sudo kind get clusters

Get Prereq Commands:

1
2
sudo kind create cluster --name atomic-cluster

Description: Verify kubectl is in path Check Prereq Commands:

1
2
which kubectl

Get Prereq Commands:

1
2
3
4
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x ./kubectl
mv kubectl /usr/bin/kubectl

Description: Verify atomic-pod is running. Check Prereq Commands:

1
2
kubectl --context kind-atomic-cluster get pods |grep atomic-pod

Get Prereq Commands:

1
2
kubectl --context kind-atomic-cluster run atomic-pod --image=alpine --command -- sleep infinity

source