S0683 Peirates
Peirates is a Kubernetes post-exploitation framework focused on gathering service account tokens for lateral movement and privilege escalation. The tool is written in Go and is publicly available on GitHub.1
Item | Value |
---|---|
ID | S0683 |
Associated Names | |
Type | TOOL |
Version | 1.0 |
Created | 08 February 2022 |
Last Modified | 14 April 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1619 | Cloud Storage Object Discovery | Peirates can list AWS S3 buckets.1 |
enterprise | T1609 | Container Administration Command | Peirates can use kubectl or the Kubernetes API to run commands.1 |
enterprise | T1613 | Container and Resource Discovery | Peirates can enumerate Kubernetes pods in a given namespace.1 |
enterprise | T1530 | Data from Cloud Storage | Peirates can dump the contents of AWS S3 buckets. It can also retrieve service account tokens from kOps buckets in Google Cloud Storage or S3.1 |
enterprise | T1610 | Deploy Container | Peirates can deploy a pod that mounts its node’s root file system, then execute a command to create a reverse shell on the node.1 |
enterprise | T1611 | Escape to Host | Peirates can gain a reverse shell on a host node by mounting the Kubernetes hostPath.1 |
enterprise | T1046 | Network Service Discovery | Peirates can initiate a port scan against a given IP address.1 |
enterprise | T1528 | Steal Application Access Token | Peirates gathers Kubernetes service account tokens using a variety of techniques.1 |
enterprise | T1552 | Unsecured Credentials | - |
enterprise | T1552.005 | Cloud Instance Metadata API | Peirates can query the AWS and GCP instance metadata APIs for secrets.1 |
enterprise | T1552.007 | Container API | Peirates can query the Kubernetes API for secrets.1 |
enterprise | T1550 | Use Alternate Authentication Material | - |
enterprise | T1550.001 | Application Access Token | Peirates can use stolen service account tokens to perform its operations. It also enables adversaries to switch between valid service accounts.1 |
enterprise | T1078 | Valid Accounts | - |
enterprise | T1078.004 | Cloud Accounts | Peirates can use stolen service account tokens to perform its operations.1 |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0139 | TeamTNT | 2 |