Kubernetes is a container orchestration platform that simplifies and automates the deployment, scaling, and management of containerized applications across clusters of host machines.
This project covers how an attacker uses the various Kubernetes APIs to explore and exploit a cluster:
once an attacker has broken into the cluster, which APIs are used from reconnaissance and information gathering through to data exfiltration, and how a defender can detect each of them.
For testing I used a Kube-Goat cluster, with Fluentd configured to ship the logs to an Elastic server.
You can also use kubectl to generate the events that exercise the test rules.
Once the logs are in Elastic you can build rules in your SIEM; here I have written Falco rules to make the logic behind each detection clear,
so you can convert them into the equivalent query for your SIEM.
The repo contains a comprehensive audit policy and Falco rules for detecting real-world attacks, mapped to the MITRE framework.
Project Overview
The goal of this project is to provide high-fidelity detection for the critical stages of a Kubernetes cluster compromise. Rules are written to detect:
Persistence : backdoors planted in controllers and storage.
Execution : interactive sessions (exec/attach) and batch jobs.
Credential Access : Secret and ConfigMap scavenging.
Privilege Escalation : RBAC manipulation and ServiceAccount abuse.
The exploitation directory focuses on the APIs involved, grouped by MITRE tactic; around 20+ APIs are covered across the various tactics.
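To show the detection logic the Falco rules encode, here is an added example (not part of this repo's rules) that classifies Kubernetes audit events into the tactics above. It assumes audit logging at the Request level or higher (so requestObject is present) and uses constructed JSON-lines events, not real cluster output.

```python
import json

# Constructed sample Kubernetes audit events (JSON lines); not real cluster data.
SAMPLE_AUDIT = """
{"stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:web"},"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"api-7c9"},"responseStatus":{"code":101}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"clusterrolebindings","name":"cr-bind"},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"cluster-admin"}},"responseStatus":{"code":201}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:kube-controller-manager"},"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":200}}
"""

# Control-plane identities that legitimately read secrets all day; excluded to cut noise.
SYSTEM_PREFIXES = ("system:kube-", "system:apiserver")


def classify(ev):
    """Return the MITRE tactic an audit event maps to, or None if it looks benign."""
    if ev.get("stage") != "ResponseComplete":   # one alert per request, not per stage
        return None
    user = ev.get("user", {}).get("username", "")
    if user.startswith(SYSTEM_PREFIXES):
        return None
    ref = ev.get("objectRef", {})
    res, sub, verb = ref.get("resource"), ref.get("subresource"), ev.get("verb")
    if res in ("secrets", "configmaps") and verb in ("get", "list", "watch"):
        return "Credential Access"          # secret/configmap scavenging
    if res == "pods" and sub in ("exec", "attach") and verb == "create":
        return "Execution"                  # interactive session in a pod
    if res == "clusterrolebindings" and verb in ("create", "update", "patch"):
        role = ev.get("requestObject", {}).get("roleRef", {}).get("name", "")
        if role == "cluster-admin":
            return "Privilege Escalation"   # RBAC manipulation granting cluster-admin
    return None


def detect(audit_lines):
    """Run classify() over JSON-lines audit output; return (tactic, user, target) hits."""
    hits = []
    for line in audit_lines.strip().splitlines():
        ev = json.loads(line)
        tactic = classify(ev)
        if tactic:
            ref = ev["objectRef"]
            target = ref["resource"] + ("/" + ref["subresource"] if ref.get("subresource") else "")
            hits.append((tactic, ev["user"]["username"], target))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_AUDIT):
        print(hit)
```

The same three conditions translate directly into Falco rule conditions on ka.verb, ka.target.resource, ka.target.subresource and ka.user.name, or into a SIEM query over the same audit fields.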
Future Updates:
kubectl commands for testing each rule.