Jeden Skill in Manus ausführen
mit einem Klick

Jeden Skill in Manus mit einem Klick ausführen

Loslegen

k8s-postexploit

Sterne617

Forks102

Aktualisiert22. Juni 2026 um 15:25

Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence

Installation

Mit Codex oder Claude installieren Kopieren Sie diesen Prompt, fügen Sie ihn in Codex, Claude oder einen anderen Assistant ein und lassen Sie die Skill-Seite prüfen und installieren.

In Manus ausführen

Quelle

CyberStrikeus

CyberStrikeus/CyberStrike

GitHub-Repository öffnen Creator-Repositorys ansehen

Download

In Manus ausführen

Verwandte BerufeSOC

Basierend auf der SOC-Berufsklassifikation

InformationssicherheitsanalystenInformatik- und Mathematikberufe·SOC 15-1212

SKILL.md

readonly

name	k8s-postexploit
description	Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence
category	post-exploitation
tags	["kubernetes","k8s","container","post-exploitation","rbac","escape","etcd","secrets","daemonset","cronjob"]
tech_stack	["kubernetes","python","etcd"]
cwe_ids	["CWE-269","CWE-522","CWE-693","CWE-250"]
chains_with	["T1611","T1552.007","T1613","T1610","T1053.007"]
prerequisites	["T1610","T1078"]
version	1.0

Kubernetes Post-Exploitation Methodology

Kubernetes post-exploitation targets cluster resources, RBAC misconfigurations, container security boundaries, and etcd for secret extraction. After compromising a pod or obtaining kubeconfig, these tools provide cluster enumeration, privilege escalation, container escape, and persistent access.

Prerequisites

Kubernetes access — kubeconfig file, service account token, or in-cluster config
Python packages — pip3 install kubernetes etcd3
Current context — verify access via kubectl auth can-i --list

# Quick prerequisite check
kubectl cluster-info                          # verify cluster access
kubectl auth can-i --list                     # check current permissions
python3 -c "from kubernetes import client; print('OK')"

Kill Chain Phases

Phase 1 — Cluster Enumeration

Action	Command	Purpose
Full enumeration	`kubehook k8s_enum`	Map namespaces, pods, services, RBAC, ingress
Secret metadata	`kubehook k8s_enum --namespace kube-system`	Focus on high-value system namespace

Phase 2 — Secret Extraction

Action	Command	Purpose
K8s Secrets	`kubehook k8s_secrets`	Extract and decode all Kubernetes Secrets
etcd dump	`kubehook etcd_dump --endpoint ENDPOINT`	Direct etcd access for all secrets

Phase 3 — Privilege Escalation

Action	Command	Purpose
Container escape	`kubehook k8s_escape`	Detect escape vectors (privileged, hostPID, docker socket)
RBAC abuse	`kubehook k8s_privesc --method bind_admin`	Create ClusterRoleBinding for cluster-admin
SA token theft	`kubehook k8s_privesc --method sa_token`	Steal service account tokens from pods

Phase 4 — Persistence

Action	Command	Purpose
DaemonSet backdoor	`kubehook k8s_backdoor --type daemonset --image IMAGE`	Deploy on every node
CronJob backdoor	`kubehook k8s_backdoor --type cronjob --image IMAGE`	Periodic callback

Phase 5 — Cleanup (MANDATORY)

kubehook cleanup_k8s

Detection Considerations

Kubernetes Audit Logs — API server audit logging captures all requests
Falco — Runtime security monitoring for container escape, privilege escalation
OPA/Gatekeeper — Policy enforcement for pod security, RBAC constraints
Network Policies — Restricts pod-to-pod and pod-to-external communication
RBAC Analyzer — Tools like rbac-police, kubectl-who-can detect dangerous bindings

Program Reference

Program	Technique	MITRE ATT&CK
k8s_enum	Cluster resource enumeration	T1613 — Container and Resource Discovery
k8s_secrets	Kubernetes Secret extraction	T1552.007 — Container API
k8s_escape	Container escape exploitation	T1611 — Escape to Host
k8s_privesc	RBAC privilege escalation	T1078 — Valid Accounts
etcd_dump	Direct etcd data extraction	T1552.007 — Container API
k8s_backdoor	DaemonSet/CronJob persistence	T1053.007 — Container Orchestration Job
cleanup_k8s	Resource removal by label selector	T1070 — Indicator Removal

Mehr aus diesem Repository

gleiches Repository

ebpf-attacks

CyberStrikeus/CyberStrike

eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux

2026-06-23617

aws-postexploit

CyberStrikeus/CyberStrike

AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3

2026-06-22617

azure-postexploit

CyberStrikeus/CyberStrike

Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation

2026-06-22617

cicd-attacks

CyberStrikeus/CyberStrike

CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab

2026-06-22617

macos-postexploit

CyberStrikeus/CyberStrike

macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools

2026-06-22617

windows-postexploit

CyberStrikeus/CyberStrike

Windows userland post-exploitation for credential harvesting, monitoring, AMSI/ETW bypass, and stealth operations

2026-06-22617

name	k8s-postexploit
description	Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence
category	post-exploitation
tags	["kubernetes","k8s","container","post-exploitation","rbac","escape","etcd","secrets","daemonset","cronjob"]
tech_stack	["kubernetes","python","etcd"]
cwe_ids	["CWE-269","CWE-522","CWE-693","CWE-250"]
chains_with	["T1611","T1552.007","T1613","T1610","T1053.007"]
prerequisites	["T1610","T1078"]
version	1.0

Kubernetes Post-Exploitation Methodology

Prerequisites

Kubernetes access — kubeconfig file, service account token, or in-cluster config
Python packages — pip3 install kubernetes etcd3
Current context — verify access via kubectl auth can-i --list

# Quick prerequisite check
kubectl cluster-info                          # verify cluster access
kubectl auth can-i --list                     # check current permissions
python3 -c "from kubernetes import client; print('OK')"

Kill Chain Phases

Phase 1 — Cluster Enumeration

Action	Command	Purpose
Full enumeration	`kubehook k8s_enum`	Map namespaces, pods, services, RBAC, ingress
Secret metadata	`kubehook k8s_enum --namespace kube-system`	Focus on high-value system namespace

Phase 2 — Secret Extraction

Action	Command	Purpose
K8s Secrets	`kubehook k8s_secrets`	Extract and decode all Kubernetes Secrets
etcd dump	`kubehook etcd_dump --endpoint ENDPOINT`	Direct etcd access for all secrets

Phase 3 — Privilege Escalation

Action	Command	Purpose
Container escape	`kubehook k8s_escape`	Detect escape vectors (privileged, hostPID, docker socket)
RBAC abuse	`kubehook k8s_privesc --method bind_admin`	Create ClusterRoleBinding for cluster-admin
SA token theft	`kubehook k8s_privesc --method sa_token`	Steal service account tokens from pods

Phase 4 — Persistence

Action	Command	Purpose
DaemonSet backdoor	`kubehook k8s_backdoor --type daemonset --image IMAGE`	Deploy on every node
CronJob backdoor	`kubehook k8s_backdoor --type cronjob --image IMAGE`	Periodic callback

Phase 5 — Cleanup (MANDATORY)

kubehook cleanup_k8s

Detection Considerations

Kubernetes Audit Logs — API server audit logging captures all requests
Falco — Runtime security monitoring for container escape, privilege escalation
OPA/Gatekeeper — Policy enforcement for pod security, RBAC constraints
Network Policies — Restricts pod-to-pod and pod-to-external communication
RBAC Analyzer — Tools like rbac-police, kubectl-who-can detect dangerous bindings

Program Reference

Program	Technique	MITRE ATT&CK
k8s_enum	Cluster resource enumeration	T1613 — Container and Resource Discovery
k8s_secrets	Kubernetes Secret extraction	T1552.007 — Container API
k8s_escape	Container escape exploitation	T1611 — Escape to Host
k8s_privesc	RBAC privilege escalation	T1078 — Valid Accounts
etcd_dump	Direct etcd data extraction	T1552.007 — Container API
k8s_backdoor	DaemonSet/CronJob persistence	T1053.007 — Container Orchestration Job
cleanup_k8s	Resource removal by label selector	T1070 — Indicator Removal