ID | Name |
---|---|
T1098.001 | Additional Cloud Credentials |
T1098.002 | Additional Email Delegate Permissions |
T1098.003 | Additional Cloud Roles |
T1098.004 | SSH Authorized Keys |
T1098.005 | Device Registration |
T1098.006 | Additional Container Cluster Roles |
An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account.[1][2] Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.[3]
This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised.
Note that where container orchestration systems are deployed in cloud environments, as with Google Kubernetes Engine, Amazon Elastic Kubernetes Service, and Azure Kubernetes Service, cloud-based role-based access control (RBAC) assignments or ABAC policies can often be used in place of or in addition to local permission assignments.[4][5][6] In these cases, this technique may be used in conjunction with Additional Cloud Roles.
ID | Mitigation | Description |
---|---|---|
M1032 | Multi-factor Authentication |
Require multi-factor authentication for user accounts integrated into container clusters through cloud deployments or via authentication protocols such as LDAP or SAML. |
M1018 | User Account Management |
Ensure that low-privileged accounts do not have permissions to add permissions to accounts or to update container cluster roles. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0002 | User Account | User Account Modification |
Collect usage logs from accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to high-privileged cluster roles that go over a certain threshold of known admins. |