Skip to content

S0683 Peirates

Peirates is a post-exploitation Kubernetes exploitation framework with a focus on gathering service account tokens for lateral movement and privilege escalation. The tool is written in GoLang and publicly available on GitHub.1

Item Value
ID S0683
Associated Names
Version 1.0
Created 08 February 2022
Last Modified 14 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1619 Cloud Storage Object Discovery Peirates can list AWS S3 buckets.1
enterprise T1609 Container Administration Command Peirates can use kubectl or the Kubernetes API to run commands.1
enterprise T1613 Container and Resource Discovery Peirates can enumerate Kubernetes pods in a given namespace.1
enterprise T1530 Data from Cloud Storage Peirates can dump the contents of AWS S3 buckets. It can also retrieve service account tokens from kOps buckets in Google Cloud Storage or S3.1
enterprise T1610 Deploy Container Peirates can deploy a pod that mounts its node’s root file system, then execute a command to create a reverse shell on the node.1
enterprise T1611 Escape to Host Peirates can gain a reverse shell on a host node by mounting the Kubernetes hostPath.1
enterprise T1046 Network Service Discovery Peirates can initiate a port scan against a given IP address.1
enterprise T1528 Steal Application Access Token Peirates gathers Kubernetes service account tokens using a variety of techniques.1
enterprise T1552 Unsecured Credentials -
enterprise T1552.005 Cloud Instance Metadata API Peirates can query the query AWS and GCP metadata APIs for secrets.1
enterprise T1552.007 Container API Peirates can query the Kubernetes API for secrets.1
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.001 Application Access Token Peirates can use stolen service account tokens to perform its operations. It also enables adversaries to switch between valid service accounts.1
enterprise T1078 Valid Accounts -
enterprise T1078.004 Cloud Accounts Peirates can use stolen service account tokens to perform its operations.1

Groups That Use This Software

ID Name References
G0139 TeamTNT 2