Try it using Invoke-Atomic

Kubernetes Exec Into Container

Description from ATT&CK

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)

In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.(Citation: Kubectl Exec Get Shell)

Atomic Tests

Atomic Test #1 - ExecIntoContainer

Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”.

Supported Platforms: containers

auto_generated_guid: d03bfcd3-ed87-49c8-8880-44bb772dea4b


Name Description Type Default Value
namespace K8s namespace to use String default
command Command to run String uname

Attack Commands: Run with bash!

kubectl create -f src/busybox.yaml -n #{namespace}
kubectl exec -n #{namespace} busybox -- #{command}

Cleanup Commands:

kubectl delete pod busybox -n #{namespace}

Dependencies: Run with bash!

Description: kubectl must be installed

Check Prereq Commands:

which kubectl

Get Prereq Commands:

echo "kubectl must be installed manually"