S0623 Siloscape

Siloscape is malware that targets Kubernetes clusters through Windows containers. Siloscape was first observed in March 2021.[1]

| Item | Value |
|---|---|
| ID | S0623 |
| Associated Names | |
| Version | 1.0 |
| Created | 18 June 2021 |
| Last Modified | 18 October 2021 |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | - |
| enterprise | T1134.001 | Token Impersonation/Theft | Siloscape impersonates the main thread of CExecSvc.exe by calling NtImpersonateThread.[1] |
| enterprise | T1071 | Application Layer Protocol | Siloscape connects to an IRC server for C2.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Siloscape can run cmd through an IRC channel.[1] |
| enterprise | T1609 | Container Administration Command | Siloscape can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Siloscape has decrypted the password of the C2 server with a simple byte-by-byte XOR. Siloscape also writes both an archive of Tor and the unzip binary to disk from data embedded within the payload using Visual Studio's Resource Manager.[1] |
| enterprise | T1611 | Escape to Host | Siloscape maps the host's C drive to the container by creating a global symbolic link to the host through a call to NtSetInformationSymbolicLink.[1] |
| enterprise | T1190 | Exploit Public-Facing Application | Siloscape is executed after the attacker gains initial access to a Windows container using a known vulnerability.[1] |
| enterprise | T1068 | Exploitation for Privilege Escalation | Siloscape has leveraged a vulnerability in Windows containers to perform an Escape to Host.[1] |
| enterprise | T1083 | File and Directory Discovery | Siloscape searches for the Kubernetes config file and other related files using a regular expression.[1] |
| enterprise | T1106 | Native API | Siloscape makes various native API calls.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Siloscape itself is obfuscated and uses obfuscated API calls.[1] |
| enterprise | T1069 | Permission Groups Discovery | Siloscape checks for Kubernetes node permissions.[1] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.003 | Multi-hop Proxy | Siloscape uses Tor to communicate with C2.[1] |
| enterprise | T1518 | Software Discovery | Siloscape searches for the kubectl binary.[1] |