From 15b8a9f8d472e6d0a3fa97399df8154009328396 Mon Sep 17 00:00:00 2001 From: edpyt Date: Tue, 14 May 2024 15:21:14 +0300 Subject: [PATCH 1/2] add created and modified fields for relationship --- src/custom_tmfk_objects.py | 17 +++++++++++++++++ src/git_tools.py | 35 +++++++++++++++++++++++++++-------- src/parse.py | 35 ++++++++++++++++++++++++++++++++--- src/parse_mitigation.py | 35 +++++++++++++++++++++++++++++++++++ src/utils.py | 2 +- 5 files changed, 112 insertions(+), 12 deletions(-) diff --git a/src/custom_tmfk_objects.py b/src/custom_tmfk_objects.py index 38d3144..6a67a1a 100644 --- a/src/custom_tmfk_objects.py +++ b/src/custom_tmfk_objects.py @@ -1,6 +1,7 @@ """The classes found here are how ATRM objects can be represented as custom STIX objects instead of python dictionaries.""" from collections import OrderedDict +from datetime import datetime from constants import Mode, get_tmfk_source from stix2 import CustomObject, KillChainPhase @@ -75,6 +76,22 @@ def get_id(self, mode: Mode): "x_mitre_modified_by_ref", ReferenceProperty(valid_types="identity", spec_version="2.1"), ), + ( + "created", + TimestampProperty( + default=datetime.now, + precision="millisecond", + precision_constraint="min", + ), + ), + ( + "modified", + TimestampProperty( + default=datetime.now, + precision="millisecond", + precision_constraint="min", + ), + ), ("description", StringProperty()), ("x_mitre_version", StringProperty()), ("x_mitre_domains", ListProperty(StringProperty())), diff --git a/src/git_tools.py b/src/git_tools.py index c828753..f6ad844 100644 --- a/src/git_tools.py +++ b/src/git_tools.py @@ -1,4 +1,7 @@ +from contextlib import contextmanager from datetime import datetime +from typing import Iterator, Generator +from io import BytesIO import git 
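Review bot: The new `created` and `modified` properties in the second hunk of custom_tmfk_objects.py default to `datetime.now`, which produces a naive local-time value, while STIX 2.1 timestamps are UTC and stix2's own `created`/`modified` defaults use a timezone-aware UTC now; as far as I recall stix2 treats a naive datetime as if it were already UTC, so on a build host not running in UTC the fallback timestamp is shifted by the host's offset. Use `default=lambda: datetime.now(timezone.utc)` in both definitions and import `timezone` next to `datetime` in the first hunk. The enclosing class (presumably the custom `Relationship`, judging by the `created=`/`modified=` keywords parse.py passes to it) starts and ends outside the hunk.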
@@ -8,17 +11,33 @@ def get_last_commit_hash(repo_path: str): return repo.commit("main").hexsha[:7] -def get_file_creation_date(repo_path: str, file_path: str) -> datetime: +def iter_file_commits(repo_path: str, file_path: str) -> Iterator[git.Commit]: repo = git.Repo(repo_path) - commits = list(repo.iter_commits(paths=file_path)) + return repo.iter_commits(paths=file_path) + + +def get_file_creation_date(repo_path: str, file_path: str) -> datetime | None: + commits = list(iter_file_commits(repo_path, file_path)) if commits and len(commits): return commits[-1].committed_datetime return None -def get_file_modification_date(repo_path: str, file_path: str) -> datetime: - repo = git.Repo(repo_path) - commits = list(repo.iter_commits(paths=file_path)) - if commits and len(commits): - return commits[0].committed_datetime - return None +def get_file_modification_date(repo_path: str, file_path: str) -> datetime | None: + try: + return next(iter_file_commits(repo_path, file_path)).committed_datetime + except StopIteration: + return None + + +@contextmanager +def open_file_at_commit( + commit: git.Commit, + file_path: str, +) -> Generator[BytesIO, None, None]: + targetfile = commit.tree / file_path + try: + f = BytesIO(targetfile.data_stream.read()) + yield f + finally: + f.close() diff --git a/src/parse.py b/src/parse.py index ca6e374..6ea1296 100644 --- a/src/parse.py +++ b/src/parse.py @@ -21,7 +21,11 @@ from custom_tmfk_objects import Collection, ObjectRef, Relationship from git_tools import get_last_commit_hash from mitreattack.stix20.custom_attack_objects import Matrix -from parse_mitigation import handle_folder, parse_mitigation +from parse_mitigation import ( + handle_folder, + parse_mitigation, + parse_relationship_created_modified_fields, +) from parse_tactic import parse_tactic from parse_technique import parse_technique from stix2 import Bundle, parse 
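Review bot: In `open_file_at_commit` the `finally: f.close()` runs even when `BytesIO(targetfile.data_stream.read())` raised, and at that point `f` is unbound, so an `UnboundLocalError` replaces the real error; letting the buffer manage itself avoids the problem: `with BytesIO(targetfile.data_stream.read()) as f:` / `    yield f`. `get_file_creation_date` still materialises the whole history with `list(...)` only to read its last element, and `if commits and len(commits):` is a doubled test where `if commits:` suffices. In the file's first hunk `Iterator`/`Generator` are imported from `typing`, although `datetime | None` already requires Python 3.10, where `collections.abc` is the recommended source for both.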
@@ -59,17 +63,28 @@ def parse_tmfk(mode: ModeEnumAttribute) -> None: objects.append(mitigation) for idx in ids: + technique = techniques[idx] + + relationship_dt = parse_relationship_created_modified_fields( + repo_path=TMFK_PATH, + file_path=file_path, + technique=technique, + ) + created, modified = relationship_dt["created"], relationship_dt["modified"] + objects.append( Relationship( source_ref=mitigation.id, description=mitigation.description.split(".")[0], relationship_type="mitigates", - target_ref=techniques[idx].id, + target_ref=technique.id, created_by_ref=CREATOR_IDENTITY, x_mitre_version=TMFK_VERSION, x_mitre_modified_by_ref=CREATOR_IDENTITY, x_mitre_attack_spec_version="2.1.0", x_mitre_domains=[get_tmfk_domain(mode=mode)], + created=created, + modified=modified, ) ) @@ -80,17 +95,31 @@ def parse_tmfk(mode: ModeEnumAttribute) -> None: for idx in ids: for t in ids[idx]: + technique = techniques[t] + + relationship_dt = parse_relationship_created_modified_fields( + repo_path=TMFK_PATH, + file_path=file_path, + technique=technique, + ) + created, modified = ( + relationship_dt["created"], + relationship_dt["modified"], + ) + objects.append( Relationship( source_ref=idx, description=mitigations[idx].description.split(".")[0], relationship_type="mitigates", - target_ref=techniques[t].id, + target_ref=technique, created_by_ref=CREATOR_IDENTITY, x_mitre_version=TMFK_VERSION, x_mitre_modified_by_ref=CREATOR_IDENTITY, x_mitre_attack_spec_version="2.1.0", x_mitre_domains=[get_tmfk_domain(mode=mode)], + created=created, + modified=modified, ) ) diff --git a/src/parse_mitigation.py b/src/parse_mitigation.py index dcb1ce1..46acb38 100644 --- a/src/parse_mitigation.py +++ b/src/parse_mitigation.py 
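Review bot: In the second hunk (`@@ -80,17 +95,31 @@`) the replaced line reads `target_ref=technique,` — it passes the `Technique` object where the old code passed `techniques[t].id`, and the first hunk in the same file correctly uses `technique.id`; stix2's `ReferenceProperty` may accept an object and take its `.id`, but the two branches should not differ, so change it to `target_ref=technique.id,`. Both hunks also call `parse_relationship_created_modified_fields` once per technique with the same `file_path`, and that helper walks the file's entire commit history and reads the blob at every commit on each call; the history read could be done once per mitigation file outside the `for idx in ids` loop, leaving only a per-technique text test inside it. `parse_tmfk` starts and ends outside these hunks.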
@@ -1,10 +1,15 @@ import os +import re +from datetime import datetime +from typing import Literal import html_to_json from constants import ( MITIGATIONS_PATH, get_tmfk_source, ) +from custom_tmfk_objects import Technique +from git_tools import iter_file_commits, open_file_at_commit from marko.ext.gfm import gfm from stix2 import CourseOfAction @@ -109,3 +114,33 @@ def handle_folder(folder: str) -> tuple[dict, dict]: mitigations[mitigation.id] = mitigation return mitigations, mapping + + +def parse_relationship_created_modified_fields( + repo_path: str, + file_path: str, + technique: Technique, +) -> dict[Literal["created", "modified"], datetime]: + relationship_dt = {"created": None, "modified": None} + + for commit in iter_file_commits(repo_path, file_path): + repo_file_path = file_path.replace(str(repo_path), "") + if repo_file_path[:1] in ("/", "\\"): + repo_file_path = repo_file_path[1:] + + with open_file_at_commit(commit, repo_file_path) as f: + mitigation_data = f.read().decode("utf-8") + + if technique.external_references: + technique_param = technique.external_references[0].external_id + else: + technique_param = technique.name + + has_relation = bool(re.search(technique_param.lower(), mitigation_data.lower())) + if has_relation: + relationship_dt["created"] = commit.committed_datetime + relationship_dt["modified"] = ( + relationship_dt["modified"] or relationship_dt["created"] + ) + + return relationship_dt diff --git a/src/utils.py b/src/utils.py index 8b7501c..3f24a66 100644 --- a/src/utils.py +++ b/src/utils.py @@ -1,5 +1,5 @@ -import uuid import hashlib +import uuid def create_uuid_from_string(val: str) -> uuid.UUID: From 6e082f4c40d525e59a280fcaa130b8461b5e4c5f Mon Sep 17 00:00:00 2001 
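Review bot: `re.search(technique_param.lower(), mitigation_data.lower())` uses the technique's external id or name as a regular-expression pattern; any metacharacter in that text (a `.` in an id, parentheses or `+` in a name) either widens the match or raises `re.error`, and because the text comes from the matrix content rather than from this code it is effectively pattern injection — a plain substring test is all the loop needs. The path normalisation and the `technique_param` selection are loop-invariant but recomputed for every commit, the return annotation promises `datetime` while both values can remain `None`, and once the regex goes `import re` in the first hunk becomes unused. A rewrite along these lines keeps the signature and the returned dict shape:

```python
def parse_relationship_created_modified_fields(
    repo_path: str,
    file_path: str,
    technique: Technique,
) -> dict[Literal["created", "modified"], datetime | None]:
    relationship_dt = {"created": None, "modified": None}

    # Both values are the same for every commit: compute them once.
    repo_file_path = os.path.relpath(file_path, repo_path).replace(os.sep, "/")
    if technique.external_references:
        technique_param = technique.external_references[0].external_id
    else:
        technique_param = technique.name
    needle = technique_param.lower()

    for commit in iter_file_commits(repo_path, file_path):
        with open_file_at_commit(commit, repo_file_path) as f:
            mitigation_data = f.read().decode("utf-8")

        # The id/name is data, not a pattern: use a substring test, not re.search.
        if needle in mitigation_data.lower():
            # … unchanged: record created / keep first modified …
```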
From: edpyt Date: Wed, 15 May 2024 08:37:35 +0300 Subject: [PATCH 2/2] add pre-commit --- .gitignore | 2 +- .pre-commit-config.yaml | 17 + README.md | 4 +- build/tmfk_attack_compatible.json | 3374 ++++++++++----------- build/tmfk_attack_compatible_b885d18.json | 3374 ++++++++++----------- build/tmfk_strict.json | 3374 ++++++++++----------- build/tmfk_strict_b885d18.json | 3374 ++++++++++----------- index.json | 2 +- make.bat | 2 +- make.sh | 2 +- pyproject.toml | 43 + src/custom_tmfk_objects.py | 14 +- src/git_tools.py | 2 +- src/parse.py | 40 +- src/parse_mitigation.py | 49 +- src/parse_tactic.py | 11 +- src/parse_technique.py | 16 +- src/utils.py | 2 +- 18 files changed, 6884 insertions(+), 6818 deletions(-) create mode 100644 .pre-commit-config.yaml create mode 100644 pyproject.toml diff --git a/.gitignore b/.gitignore index 918f8d6..0488e6c 100644 --- a/.gitignore +++ b/.gitignore @@ -60,4 +60,4 @@ dmypy.json .pytype/ # Cython debug symbols -cython_debug/ \ No newline at end of file +cython_debug/ diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..5132495 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,17 @@ +repos: + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: trailing-whitespace + - id: end-of-file-fixer + - id: check-yaml + - id: check-toml + - id: detect-private-key + - id: check-added-large-files + + # ruff + - repo: https://github.com/charliermarsh/ruff-pre-commit + rev: "v0.3.4" + hooks: + - id: ruff + args: ["--fix"] diff --git a/README.md b/README.md index fc5b24d..60629b8 100644 --- a/README.md +++ b/README.md 
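Review bot: The new `.pre-commit-config.yaml` pins both hook repositories by tag (`rev: v4.4.0`, `rev: "v0.3.4"`); tags are mutable references, so the code that runs on every contributor's commit can change without any change to this file. Pinning `rev` to the full commit SHA of the intended release (pre-commit accepts any git ref there) makes the hook versions verifiable, and a comment with the tag next to the SHA keeps it readable. Note also that `args: ["--fix"]` lets the ruff hook rewrite files in place, which is a deliberate choice worth stating in the README so contributors are not surprised by modified working trees.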
@@ -3,13 +3,13 @@ Microsoft Defender for Cloud [threat matrix for Kubernetes (TMFK)](https://github.com/microsoft/Threat-Matrix-for-Kubernetes) contains attack tactics, techniques and mitigations relevant for Kubernetes environment. -This repository contains the TMFK dataset represented in STIX 2.1 JSON collections. +This repository contains the TMFK dataset represented in STIX 2.1 JSON collections. ## Repository Structure ``` . -├─ build ∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙ Collection folder +├─ build ∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙ Collection folder │ ├─ tmfk_strict.json ∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙ Most recent strict TMFK release │ ├─ tmfk_attack_compatible.json ∙∙∙∙∙∙∙∙∙∙∙∙∙∙ Most recent ATT&CK compatible TMFK release │ ├─ tmfk_strict_b885d18.json ∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙ TMFK strict collection for commit hash b885d18 of site repo diff --git a/build/tmfk_attack_compatible.json b/build/tmfk_attack_compatible.json index ac423f6..615156e 100644 --- a/build/tmfk_attack_compatible.json +++ b/build/tmfk_attack_compatible.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f705966a-53b9-4783-81db-90b7b014864f", + "id": "bundle--f3f9e8d1-37fc-43cd-8829-c88c5b6e0a97", "objects": [ { "type": "x-mitre-collection", 
@@ -8,7 +8,7 @@ "id": "x-mitre-collection--704a5def-03fc-45c2-8513-e863d808c363", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T08:52:58.000Z", - "modified": "2024-05-08T18:23:01.242847Z", + "modified": "2024-05-15T06:39:59.748428Z", "name": "Threat Matrix for Kubernetes", "description": "The purpose of the threat matrix for Kubernetes is to conceptualize the known tactics, techniques, and procedures (TTP) that adversaries may use against Kubernetes environments. Inspired from MITRE ATT&CK, the threat matrix for Kubernetes is designed to give quick insight into a potential TTP that an adversary may be using in their attack campaign. The threat matrix for Kubernetes contains also mitigations specific to Kubernetes environments and attack techniques.", "x_mitre_attack_spec_version": "2.1.0", 
@@ -54,31 +54,31 @@ "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", - "object_modified": "2023-01-23T19:22:40.000Z" + "object_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", + "object_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", - "object_modified": "2022-10-27T17:00:14.000Z" + "object_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", - "object_modified": "2022-12-05T07:54:00.000Z" + "object_ref": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", + "object_modified": "2022-10-25T08:08:39.000Z" }, { - "object_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "object_ref": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "object_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "object_modified": "2022-10-28T11:26:39.000Z" }, { 
@@ -86,79 +86,83 @@ "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "object_modified": "2022-10-25T08:08:39.000Z" }, { - "object_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", + "object_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", + "object_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "object_modified": "2022-12-05T07:54:00.000Z" }, - { - "object_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", - "object_modified": "2022-10-28T11:26:39.000Z" - }, { "object_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "object_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", + "object_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "object_modified": "2022-12-05T07:54:00.000Z" }, + { + "object_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", + "object_modified": "2023-01-23T19:22:40.000Z" + }, + { + "object_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", + "object_modified": "2022-10-28T11:26:39.000Z" + }, { "object_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", + "object_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", - 
"object_modified": "2022-12-05T07:54:00.000Z" + "object_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", - "object_modified": "2022-12-05T07:54:00.000Z" + "object_ref": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "object_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "object_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", - "object_modified": "2022-12-05T07:54:00.000Z" + "object_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", - "object_modified": "2022-10-25T08:08:39.000Z" + "object_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "object_ref": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", "object_modified": "2022-10-27T17:00:14.000Z" }, { - "object_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "object_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", + "object_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "object_modified": "2022-10-28T11:26:39.000Z" }, { 
@@ -166,616 +170,612 @@ "object_modified": "2022-10-25T08:08:39.000Z" }, { - "object_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "object_modified": "2022-10-27T17:00:14.000Z" }, { - "object_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", + "object_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "object_ref": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", - "object_modified": "2022-10-25T08:08:39.000Z" + "object_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", + "object_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "object_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", + "object_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "object_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", + "object_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", - "object_modified": "2022-12-05T07:54:00.000Z" - }, - { - "object_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", + "object_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--eed35bd4-2d5d-4da3-8040-699606665dd9", - "object_modified": "2024-05-08T15:23:01.114222Z" + "object_ref": "course-of-action--d18089f6-e0e9-44f0-b4b7-ddbac88bdf42", + "object_modified": "2024-05-15T03:39:57.825656Z" }, { - "object_ref": "relationship--d1675c61-27a2-46f1-b9b9-3da8f9fa7b9f", - "object_modified": "2024-05-08T15:23:01.115245Z" + "object_ref": "relationship--47e902dc-d050-4ac0-8ff6-d601c75392c2", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--715b7490-951c-4873-beb8-ec514095a186", - "object_modified": "2024-05-08T15:23:01.117049Z" + "object_ref": "relationship--3972ebaf-03b8-42b0-81c7-bdf7fb29c0bb", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--5b574b6b-a4d0-47e8-8d83-b001e9633fcc", - "object_modified": "2024-05-08T15:23:01.117155Z" + "object_ref": "course-of-action--be336cd0-0144-4b41-bb84-5ac767fc4e3a", + "object_modified": "2024-05-15T03:39:57.842372Z" }, { - "object_ref": "course-of-action--1ba7caaa-eb4d-4db9-9552-96712fa207ed", - "object_modified": "2024-05-08T15:23:01.119287Z" + "object_ref": "relationship--88363a55-a2fd-43fa-92ba-a7f59d890383", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--6a676866-90b9-4ac9-81d8-f4fa5b86e958", - "object_modified": "2024-05-08T15:23:01.119394Z" + "object_ref": "course-of-action--6a337cb5-9810-4fde-b26c-e0b6e47424e7", + "object_modified": "2024-05-15T03:39:57.857619Z" }, { 
- "object_ref": "relationship--76657bf1-fa01-4bbc-b869-7fc16c2d8322", - "object_modified": "2024-05-08T15:23:01.119485Z" + "object_ref": "relationship--2b560cb5-3d21-4600-8190-039c71ab48cd", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--7206f8b8-f7a9-426b-98b0-d6eb177ba6ab", - "object_modified": "2024-05-08T15:23:01.121311Z" + "object_ref": "relationship--2302f090-74f9-4954-ae00-bff492115838", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--5ad126e4-a6cb-462b-8e7c-33d99a40f953", - "object_modified": "2024-05-08T15:23:01.121429Z" + "object_ref": "course-of-action--f7e1a334-e6b4-4304-810c-2e86945b3a86", + "object_modified": "2024-05-15T03:39:57.878398Z" }, { - "object_ref": "course-of-action--6e041ffe-db6b-446c-8375-11f0dcaa08ef", - "object_modified": "2024-05-08T15:23:01.123399Z" + "object_ref": "relationship--c7a61598-c44a-43f1-bbdc-dc7977468cd9", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--3e13da7d-4529-42be-832e-5aec578dbd65", - "object_modified": "2024-05-08T15:23:01.1235Z" + "object_ref": "course-of-action--df4e2e90-5dc4-42c3-99a7-670f85d8bf9b", + "object_modified": "2024-05-15T03:39:57.888875Z" }, { - "object_ref": "course-of-action--0223c63f-3d6c-4bf7-abc2-9d4239e49cd0", - "object_modified": "2024-05-08T15:23:01.125419Z" + "object_ref": "relationship--d3a24ed6-a20a-427a-8728-747a9e9cc251", + "object_modified": "2022-10-25T08:08:39.000Z" }, { - "object_ref": "relationship--51444f68-fe63-4319-bbcc-2c09a5c9a834", - "object_modified": "2024-05-08T15:23:01.125521Z" + "object_ref": "course-of-action--9cfb811a-846e-497c-bfac-e77693f6abf5", + "object_modified": "2024-05-15T03:39:57.901088Z" }, { - "object_ref": "course-of-action--7689d229-1186-4094-ad2c-a91e26a06dd7", - "object_modified": "2024-05-08T15:23:01.127841Z" + "object_ref": "relationship--668359c0-229e-4837-8c37-3d08488c88bb", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - 
"object_ref": "relationship--3a7acb8c-842c-4448-9109-4fd286ba7bd4", - "object_modified": "2024-05-08T15:23:01.127938Z" + "object_ref": "relationship--8b302aa6-00b1-4fed-88a8-0f740277d6a6", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--26d9ed03-0515-4527-9566-60c3a63bf48e", - "object_modified": "2024-05-08T15:23:01.128015Z" + "object_ref": "course-of-action--d6506d30-d93b-4adb-aaa5-dc101f76c185", + "object_modified": "2024-05-15T03:39:57.937564Z" }, { - "object_ref": "course-of-action--11c6d64e-5d90-4529-94be-cc473c37f9a5", - "object_modified": "2024-05-08T15:23:01.13165Z" + "object_ref": "relationship--b2cac5d0-9da1-4590-a36a-9f4df984adb0", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--9cfd33ce-2528-4e82-ab8a-df5174f05c32", - "object_modified": "2024-05-08T15:23:01.131768Z" + "object_ref": "course-of-action--5e4fd4f0-94d4-47f7-a357-46f448722eaf", + "object_modified": "2024-05-15T03:39:57.960968Z" }, { - "object_ref": "relationship--61c3b504-1806-4a67-af11-164a1c904f37", - "object_modified": "2024-05-08T15:23:01.131862Z" + "object_ref": "relationship--441effaa-fc37-4d35-a302-7dc72079b3f6", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--30b19dd5-db4d-4c84-8256-c658bce46c93", - "object_modified": "2024-05-08T15:23:01.131933Z" + "object_ref": "course-of-action--fc86c66d-312b-40d2-a364-63e5c9730217", + "object_modified": "2024-05-15T03:39:57.977696Z" }, { - "object_ref": "relationship--65208f94-dbff-4d67-9543-a49c72327f9a", - "object_modified": "2024-05-08T15:23:01.132001Z" + "object_ref": "relationship--1621a410-66d0-47b3-a2e6-f1ac69d2e400", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "object_modified": "2024-05-08T15:23:01.142495Z" + "object_ref": "course-of-action--6ec9004b-0179-4fc8-8fe4-1f43cfdd6d2b", + "object_modified": "2024-05-15T03:39:57.99612Z" }, { - "object_ref": 
"relationship--19f8e6fe-02ed-4095-91a6-92e18df62fe4", - "object_modified": "2024-05-08T15:23:01.142614Z" + "object_ref": "relationship--82fef1ca-0515-4996-89d5-92c7eddb27a7", + "object_modified": "2022-10-27T17:00:14.000Z" }, { - "object_ref": "relationship--46c56f83-318c-4e97-b46c-9f3ae3b081fc", - "object_modified": "2024-05-08T15:23:01.142694Z" + "object_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", + "object_modified": "2024-05-15T03:39:58.025891Z" }, { - "object_ref": "relationship--059abccd-2bb9-4c26-a720-e2b70fec315c", - "object_modified": "2024-05-08T15:23:01.142766Z" + "object_ref": "relationship--e78b1260-67c2-4dba-9811-5671ecc86d4e", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--c25563e5-df67-4eb9-a38e-10cf72433219", - "object_modified": "2024-05-08T15:23:01.142835Z" + "object_ref": "relationship--b7c28d09-b3e4-4ebf-9e30-dd341254a9bc", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--56609145-4706-4903-ba25-be7065847487", - "object_modified": "2024-05-08T15:23:01.142902Z" + "object_ref": "relationship--47c55680-5536-46c0-93e2-7ba43eb9e776", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--690fcf22-446b-4d66-a392-62b7cb419180", - "object_modified": "2024-05-08T15:23:01.14297Z" + "object_ref": "relationship--b380fad0-5d5e-4390-ad96-97a5ac1203cc", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--5cf19607-dffe-4d65-a952-5b76d622c8d8", - "object_modified": "2024-05-08T15:23:01.143036Z" + "object_ref": "relationship--2f8329ae-7964-4398-b2fe-47ae58c8994b", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--27423ae4-5d67-41d1-b053-4ff9b63c1eb5", - "object_modified": "2024-05-08T15:23:01.143104Z" + "object_ref": "relationship--445c9b62-f257-4485-baed-1a57de978d8e", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": 
"relationship--4ba58c15-4a2d-47e7-9148-bbbd0ac1ee71", - "object_modified": "2024-05-08T15:23:01.14317Z" + "object_ref": "relationship--60b78705-22c4-4c7f-8e76-e91f04453866", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--3fcf3afc-7c69-4425-9015-53926bf23f35", - "object_modified": "2024-05-08T15:23:01.143235Z" + "object_ref": "relationship--0f8c253f-8051-4d59-b491-6c662b10d7df", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--b59f314e-f494-4ca6-9f68-403893c8ad81", - "object_modified": "2024-05-08T15:23:01.14331Z" + "object_ref": "relationship--fbd533ab-0bd9-4325-bfcc-d83d673db51d", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--5d41b5c6-291f-4418-9033-062d980536f2", - "object_modified": "2024-05-08T15:23:01.143382Z" + "object_ref": "course-of-action--3a4e2340-96db-4bbe-9367-19bdb6c1721d", + "object_modified": "2024-05-15T03:39:58.170667Z" }, { - "object_ref": "relationship--aef66010-24c9-469d-9e61-8fd1e364cbef", - "object_modified": "2024-05-08T15:23:01.143456Z" + "object_ref": "relationship--7453d151-70fa-441e-8832-94fd974fd186", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--621981c6-f3b5-4e15-acd8-544647a7e4a9", - "object_modified": "2024-05-08T15:23:01.143522Z" + "object_ref": "relationship--6a6c93d0-188f-4119-ab20-91b17bdf32f3", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--1be627dd-375b-4c63-b321-a7e84c8c4a6f", - "object_modified": "2024-05-08T15:23:01.143588Z" + "object_ref": "relationship--436ea5cb-3d1b-44fc-bb05-d996cf30808a", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--30fa1766-baae-4c3a-9257-2eafddc67bf9", - "object_modified": "2024-05-08T15:23:01.143661Z" + "object_ref": "relationship--823d7851-b594-47d3-97ed-a9c568978f7b", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--45dec0fe-060f-4283-965a-662f5aad46c6", - "object_modified": "2024-05-08T15:23:01.143726Z" + "object_ref": "relationship--6cac8de5-3b27-49a4-8c07-cb2d15647466", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--ae9aef0c-27d9-475e-b7fb-08332ae5b518", - "object_modified": "2024-05-08T15:23:01.143793Z" + "object_ref": "relationship--41040ed7-7abb-4f07-bd4e-042144c5cbfc", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--7a103bef-f288-4179-860b-39e0f3a95609", - "object_modified": "2024-05-08T15:23:01.143859Z" + "object_ref": "relationship--82b39550-3b6a-4195-af43-2475c0f99035", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", - "object_modified": "2024-05-08T15:23:01.147505Z" + "object_ref": "course-of-action--f112a1ed-8a40-4df5-9315-ecebbc4d886f", + "object_modified": "2024-05-15T03:39:58.266117Z" }, { - "object_ref": "relationship--f8a571d5-ea3d-496e-8943-bcfc0103b575", - "object_modified": "2024-05-08T15:23:01.14761Z" + "object_ref": "relationship--125fd123-9f94-4bed-9ff1-a4cc5ae59c1d", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--a73b5a9d-acd5-4fea-a45c-482f2a7631bf", - "object_modified": "2024-05-08T15:23:01.147691Z" + "object_ref": "course-of-action--a247c53d-e7a6-4d80-aa48-6fe42967652c", + "object_modified": "2024-05-15T03:39:58.279406Z" }, { - "object_ref": "relationship--41d76943-df71-46e1-af89-a256a85aa9aa", - "object_modified": "2024-05-08T15:23:01.147761Z" + "object_ref": "relationship--b9f4b92e-b977-4971-a42d-84dd123d2f73", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--c96c9e19-f90b-467b-9acd-257e04ae50a7", - "object_modified": "2024-05-08T15:23:01.147831Z" + "object_ref": "course-of-action--1dced729-7647-4645-bc44-44a8e0ec09c6", + "object_modified": "2024-05-15T03:39:58.290604Z" }, { - "object_ref": 
"relationship--172f7807-6ce2-4b72-839f-c09169437aa3", - "object_modified": "2024-05-08T15:23:01.147905Z" + "object_ref": "relationship--feee0640-5a1c-4b1a-aee7-8ecf910ffa54", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--88b9667b-ed8a-4390-b442-38f6034f65fe", - "object_modified": "2024-05-08T15:23:01.147977Z" + "object_ref": "course-of-action--47f9cbda-6403-4d2b-9b59-6a992d1f5980", + "object_modified": "2024-05-15T03:39:58.300022Z" }, { - "object_ref": "relationship--932c3ddb-6fbf-4877-b681-6fa637df55d8", - "object_modified": "2024-05-08T15:23:01.148044Z" + "object_ref": "relationship--d2069d2d-a20a-4b3e-a027-acd5908ae5e8", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", - "object_modified": "2024-05-08T15:23:01.151887Z" + "object_ref": "course-of-action--9f619244-0b94-4acb-9b2a-f2f114255201", + "object_modified": "2024-05-15T03:39:58.31433Z" }, { - "object_ref": "relationship--ea20a874-c3f9-44cf-929c-61c793cecbfc", - "object_modified": "2024-05-08T15:23:01.151995Z" + "object_ref": "relationship--514630be-e767-4d04-9498-748c96fed3fd", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--8797c606-b9ba-4cc3-b00a-80bd84cdebb1", - "object_modified": "2024-05-08T15:23:01.152075Z" + "object_ref": "relationship--d92430ae-9da0-403a-a71c-e4c9ab7bcb79", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--32aa3123-080a-443c-b57e-ffd73a50cdb2", - "object_modified": "2024-05-08T15:23:01.152147Z" + "object_ref": "course-of-action--ee1c2574-0cf7-49ac-9eb8-9dca7c3b9b6a", + "object_modified": "2024-05-15T03:39:58.351488Z" }, { - "object_ref": "relationship--1baaa766-7e3e-4c92-bd54-f16bc55d66a4", - "object_modified": "2024-05-08T15:23:01.152215Z" + "object_ref": "relationship--21c72327-1686-4bb2-aafa-29fc826de0f4", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--02aaeb8c-105c-46bc-9349-5c892629abc5", - "object_modified": "2024-05-08T15:23:01.152288Z" + "object_ref": "relationship--4d297883-fc17-426c-8501-949f04b4b670", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--4ed2fb12-8fd9-49e4-848e-61cc48626c1f", - "object_modified": "2024-05-08T15:23:01.152355Z" + "object_ref": "relationship--7a5e857e-7a4b-4759-a40c-60d29efec3e3", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--9ad82aa9-d56b-4a88-8362-fda4c6a2b347", - "object_modified": "2024-05-08T15:23:01.152422Z" + "object_ref": "relationship--6967d9ed-e1ed-47bf-b3ec-d1f8f81c063d", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--91d97c14-a002-47d5-8b73-aadd757ed2d1", - "object_modified": "2024-05-08T15:23:01.154072Z" + "object_ref": "course-of-action--b21ae259-0569-4d32-8dab-57852c779511", + "object_modified": "2024-05-15T03:39:58.441929Z" }, { - "object_ref": "relationship--c2d01ad0-290e-4a89-ae7c-8560e5e0ce6f", - "object_modified": "2024-05-08T15:23:01.154258Z" + "object_ref": "relationship--a88aae08-b346-4048-aca7-8f39eff62238", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--817d514e-58a7-4163-b17b-a465f985291e", - "object_modified": "2024-05-08T15:23:01.157008Z" + "object_ref": "relationship--db1ed7de-b7b3-49af-8a60-2a218e26257f", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--062c9dc9-2781-4bab-af67-e95556bf14c6", - "object_modified": "2024-05-08T15:23:01.157109Z" + "object_ref": "relationship--83652b7a-c311-4c31-80f1-1213523c6be6", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--42cedd8a-eaac-4a78-8876-1655bb621c05", - "object_modified": "2024-05-08T15:23:01.157188Z" + "object_ref": "relationship--58f37654-7f31-4431-abe2-a2ae532a73db", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--b0490e7e-61ae-45e6-b59a-6aeabd80803f", - "object_modified": "2024-05-08T15:23:01.157259Z" + "object_ref": "relationship--356c0b42-b5b2-471a-8afa-b64d58931f89", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--0260614b-819f-4d36-b407-e580354969ae", - "object_modified": "2024-05-08T15:23:01.159464Z" + "object_ref": "course-of-action--3829223f-1341-45b8-8b2a-e914b027e677", + "object_modified": "2024-05-15T03:39:58.537002Z" }, { - "object_ref": "relationship--c3ef337b-3a4a-4309-99f1-6ee18355d712", - "object_modified": "2024-05-08T15:23:01.159564Z" + "object_ref": "relationship--cb8676e6-1c28-47f1-bfab-1e3361101981", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--a79d2424-894b-4835-b857-beef9ee7c3ca", - "object_modified": "2024-05-08T15:23:01.159642Z" + "object_ref": "course-of-action--b6e4e5f7-c8ba-4ee8-96d9-8da03cec0d6e", + "object_modified": "2024-05-15T03:39:58.564007Z" }, { - "object_ref": "course-of-action--0ec118e3-21ba-4958-9f5d-f1b6e1f01f45", - "object_modified": "2024-05-08T15:23:01.161342Z" + "object_ref": "relationship--cdde0114-2b9f-4c5b-8780-51dbf7f71135", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--522c6538-e8a2-4aa7-922c-56c17e658b03", - "object_modified": "2024-05-08T15:23:01.161439Z" + "object_ref": "relationship--79f638dd-87ae-46f4-b151-386bb5c41447", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--b4cebd89-9ab3-4646-92da-956b57101e44", - "object_modified": "2024-05-08T15:23:01.163165Z" + "object_ref": "relationship--0bdfc67c-4329-468f-9bbd-6adf54a80fa2", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--adab1f1e-02de-4dc2-9739-fd7ec60bfa44", - "object_modified": "2024-05-08T15:23:01.163263Z" + "object_ref": "course-of-action--34edc12a-ddc3-429f-9ea4-4ad37044d8a1", + "object_modified": "2024-05-15T03:39:58.616955Z" }, { - "object_ref": 
"course-of-action--15d09dcd-c393-4457-b1ca-2bc8d553b6f5", - "object_modified": "2024-05-08T15:23:01.165148Z" + "object_ref": "relationship--08b303cc-0d92-495a-acbb-1adc186b05e5", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--6d794426-0ee7-4338-acca-247a712eff03", - "object_modified": "2024-05-08T15:23:01.165242Z" + "object_ref": "relationship--5d2dae31-6d25-4949-af0c-9ab2205b6d89", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--94491ee8-7e32-48f1-85c5-4b87864541ab", - "object_modified": "2024-05-08T15:23:01.166941Z" + "object_ref": "course-of-action--2d6b7435-ac3a-4c34-8b6e-3cff28c46741", + "object_modified": "2024-05-15T03:39:58.665283Z" }, { - "object_ref": "relationship--36f88ce0-287b-4ce4-b13f-8fe666379a39", - "object_modified": "2024-05-08T15:23:01.167037Z" + "object_ref": "relationship--125dc6ef-4d0c-40ba-85a0-c12181500b21", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "course-of-action--cf428e21-ea85-4cdb-b4b5-b13f82a1b707", - "object_modified": "2024-05-08T15:23:01.16916Z" + "object_ref": "relationship--825453da-b62f-4834-91b6-62a2b063ac32", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "relationship--c9bf917c-a264-44c7-ba43-8a1ee750d906", - "object_modified": "2024-05-08T15:23:01.169269Z" + "object_ref": "relationship--be98309f-02c6-4dd9-be17-5461b670655a", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "relationship--ae8e9fe9-5da8-4f57-89f1-40980305084b", - "object_modified": "2024-05-08T15:23:01.169349Z" + "object_ref": "relationship--828dc85a-5944-46c0-a41a-bcfcdd8c017d", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "course-of-action--11aa8351-d3ce-4944-9be0-da15142d7160", - "object_modified": "2024-05-08T15:23:01.171336Z" + "object_ref": "relationship--02d31c2e-4326-4068-a3ba-24d2b58cfacc", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": 
"relationship--5ee4a054-cb3c-4089-ac69-3a15443614a7", - "object_modified": "2024-05-08T15:23:01.171462Z" + "object_ref": "relationship--00a0c780-7ef5-4525-9fe5-76adab49c046", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", - "object_modified": "2024-05-08T15:23:01.174809Z" + "object_ref": "relationship--e49f5a7e-6a59-486c-8418-e9be6b4e4b50", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "relationship--fded3496-f58e-4fa8-976d-23792a584ef7", - "object_modified": "2024-05-08T15:23:01.174977Z" + "object_ref": "course-of-action--e2f1f3d4-c5cc-4358-bb8f-65c0973d9197", + "object_modified": "2024-05-15T03:39:58.801554Z" }, { - "object_ref": "relationship--812e7837-20b0-44ae-a0d1-99d2278c5ea3", - "object_modified": "2024-05-08T15:23:01.175071Z" + "object_ref": "relationship--327caaad-bf9c-40d1-8613-882e155ae89b", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--67588996-c1c1-4ca6-b8e6-bf148a7ab816", - "object_modified": "2024-05-08T15:23:01.175145Z" + "object_ref": "course-of-action--2190c012-fadb-4384-a8ea-9b716f16c130", + "object_modified": "2024-05-15T03:39:58.824902Z" }, { - "object_ref": "relationship--21f02379-2691-4f7b-b04c-3c5b717a47de", - "object_modified": "2024-05-08T15:23:01.175219Z" + "object_ref": "relationship--53660289-54b2-48a3-a211-8712940f8a4d", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--c0a1afd7-450a-49aa-9535-fad35b0b8ca5", - "object_modified": "2024-05-08T15:23:01.175281Z" + "object_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "object_modified": "2024-05-15T03:39:58.873258Z" }, { - "object_ref": "course-of-action--03870e17-f26d-470e-9f22-65a7af305686", - "object_modified": "2024-05-08T15:23:01.177457Z" + "object_ref": "relationship--75404984-d19a-485b-8d2a-dadd3a68da94", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--436ba6cd-33fb-4799-bcfd-ec9febd3060b", - "object_modified": "2024-05-08T15:23:01.17757Z" + "object_ref": "relationship--5baeb2ee-2860-49b6-b17a-0ff4d816da9c", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "object_modified": "2024-05-08T15:23:01.182138Z" + "object_ref": "relationship--c2889066-6374-4319-a253-ac2c3cffaf0a", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--0ccc5fc7-02fb-4ae4-abdb-1d49359bc079", - "object_modified": "2024-05-08T15:23:01.182252Z" + "object_ref": "relationship--a9073c2e-b070-45d8-808a-826397daf4d1", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--02bed0a4-ddf4-456e-afeb-6173869b8843", - "object_modified": "2024-05-08T15:23:01.182335Z" + "object_ref": "relationship--4363a839-d70d-44ca-a38b-4c2be75ce31a", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--fe7996f1-78aa-4db5-a91f-0431ed0980c1", - "object_modified": "2024-05-08T15:23:01.182408Z" + "object_ref": "relationship--3dd59f3a-1a7a-4a24-8bce-ca0783fe8c21", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--9bbc5221-f86e-4a12-b517-4ee49a8ee18a", - "object_modified": "2024-05-08T15:23:01.182481Z" + "object_ref": "relationship--0952d0d8-68cb-4da5-a9fc-b27d7401b413", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--4c290472-432f-4a14-a274-df64e034e145", - "object_modified": "2024-05-08T15:23:01.182548Z" + "object_ref": "relationship--05761725-e2a0-45e8-9e75-98bb1afd3c7e", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--bc3c5c8b-d241-4510-9784-f8dfb5834759", - "object_modified": "2024-05-08T15:23:01.182615Z" + "object_ref": "relationship--aae2d0cf-2913-4d91-8bde-42c1013c5481", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--16ad6a7b-4c9c-4c2d-970f-141c688c62c9", - "object_modified": "2024-05-08T15:23:01.182685Z" + "object_ref": "relationship--b084805c-8c2a-4eea-acd0-7bd270534836", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--70d230fd-d5a4-467b-879c-ba44e8d3ef7f", - "object_modified": "2024-05-08T15:23:01.182751Z" + "object_ref": "relationship--3d16ea91-7f1e-4a1f-8891-51d9b2060596", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--e44ea84b-4bd2-48ed-ad5d-01727741d276", - "object_modified": "2024-05-08T15:23:01.182821Z" + "object_ref": "relationship--fe1f3e78-4984-40c4-8f61-c7ed410e682b", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--935920ed-3bfc-4515-8f1a-c9cf6257c137", - "object_modified": "2024-05-08T15:23:01.184679Z" + "object_ref": "relationship--efebe6bb-016d-4b38-b013-2738511aceff", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--1b81fd94-ed3d-46cd-8796-67dba801d30b", - "object_modified": "2024-05-08T15:23:01.184807Z" + "object_ref": "relationship--2adabce8-4f25-483a-b29d-a2cd448c774e", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--86979444-deb0-48bc-bbcd-112f66c6bf91", - "object_modified": "2024-05-08T15:23:01.186864Z" + "object_ref": "relationship--a1d2b26e-8226-4c29-90ee-39e46e43510e", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--1a939bbf-5c4e-413d-afa3-6921cf11638c", - "object_modified": "2024-05-08T15:23:01.186967Z" + "object_ref": "relationship--b296d1ec-ac73-40c0-acc6-3a7fb72a75ea", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--fb6883aa-42e3-4061-8c79-3a14b024013e", - "object_modified": "2024-05-08T15:23:01.187039Z" + "object_ref": "relationship--e75ae9c8-15fe-4013-9fb7-da717aa8c4f7", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"course-of-action--78d2910d-3e63-4580-af21-b83b21a5ecd1", - "object_modified": "2024-05-08T15:23:01.189459Z" + "object_ref": "relationship--a7219acc-d428-4110-a9dc-53f801b8b9ca", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--d4e8607e-95e0-4e42-9afb-4542e4699a88", - "object_modified": "2024-05-08T15:23:01.189559Z" + "object_ref": "relationship--016a3b3c-9749-44e1-af9a-01a084821de7", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--11ec9a05-7505-45d0-a138-f6144247a52e", - "object_modified": "2024-05-08T15:23:01.191318Z" + "object_ref": "course-of-action--62db2068-1210-4cd1-bc42-e28b7cdbda37", + "object_modified": "2024-05-15T03:39:59.247322Z" }, { - "object_ref": "relationship--90cda620-d637-4dcd-b94a-59a88e04176c", - "object_modified": "2024-05-08T15:23:01.191413Z" + "object_ref": "relationship--d659f796-5c05-4a27-bcc2-5c6d50432426", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--cc1b481b-66be-42cb-a987-e8c6889b6160", - "object_modified": "2024-05-08T15:23:01.193294Z" + "object_ref": "course-of-action--6b136b68-ed6a-4bdf-8ffa-41250217a51e", + "object_modified": "2024-05-15T03:39:59.282192Z" }, { - "object_ref": "relationship--e2fdd0ef-6d58-4750-bee9-80f39d8694e1", - "object_modified": "2024-05-08T15:23:01.193396Z" + "object_ref": "relationship--6af7db4e-8947-4b07-ae06-103fa2ac6d13", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--6196e3ad-1d3a-4990-b578-801c2d5026a6", - "object_modified": "2024-05-08T15:23:01.195159Z" + "object_ref": "course-of-action--359c06eb-717a-4d23-b605-1d87b78ad830", + "object_modified": "2024-05-15T03:39:59.304208Z" }, { - "object_ref": "relationship--1750efbb-f8a6-4f36-8a46-5bec00eaed67", - "object_modified": "2024-05-08T15:23:01.195258Z" + "object_ref": "relationship--896b6a49-29b4-4739-ad32-42e4bb6ebd77", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"course-of-action--6f45e84f-d55f-4b3a-86dd-8ba036c72492", - "object_modified": "2024-05-08T15:23:01.19739Z" + "object_ref": "relationship--e79f61d1-33db-4367-920f-64ce52f833bd", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--306fd68f-9390-428f-a706-b94fec13a935", - "object_modified": "2024-05-08T15:23:01.197569Z" + "object_ref": "relationship--914fa74c-4dc2-464c-8f4b-279df31b7561", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--b5bab9ed-13d4-4f25-947d-3b5055fef187", - "object_modified": "2024-05-08T15:23:01.197647Z" + "object_ref": "course-of-action--e1cf56ed-8efd-4215-b712-175bb68464a5", + "object_modified": "2024-05-15T03:39:59.353263Z" }, { - "object_ref": "course-of-action--44d2fefa-6a6f-4771-acd7-b81ebe8646e8", - "object_modified": "2024-05-08T15:23:01.2003Z" + "object_ref": "relationship--fa1575b5-dbe2-492d-ae88-635e4372ee0b", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--12817f60-cc8e-4dc0-978f-982a926c7884", - "object_modified": "2024-05-08T15:23:01.200411Z" + "object_ref": "course-of-action--3a8183ce-a6c7-4f8e-b85e-d242bbf4c6bc", + "object_modified": "2024-05-15T03:39:59.38109Z" }, { - "object_ref": "relationship--3a5fbb4b-37c9-4241-95e6-e5bfcbd1d237", - "object_modified": "2024-05-08T15:23:01.200497Z" + "object_ref": "relationship--b26b02dc-4166-400c-acb4-cd097a5daf22", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--c8de37c6-deea-416e-a650-3109ca91b365", - "object_modified": "2024-05-08T15:23:01.200566Z" + "object_ref": "relationship--cee479ef-ee2a-418b-91f3-6c3919c42442", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--4d1961ab-4a76-4c14-8580-62452288725e", - "object_modified": "2024-05-08T15:23:01.203334Z" + "object_ref": "course-of-action--3afbc5db-2e09-4430-ae8a-9d382d456745", + "object_modified": "2024-05-15T03:39:59.428902Z" }, { - "object_ref": 
"course-of-action--e89ff43f-d691-492c-a3db-8f001ae6287e", - "object_modified": "2024-05-08T15:23:01.205914Z" + "object_ref": "course-of-action--fbf0136d-f1f1-42ff-9aaa-f86e0cf51f44", + "object_modified": "2024-05-15T03:39:59.440682Z" }, { - "object_ref": "course-of-action--ebddc6a6-263d-457d-aef4-9255c5e153fc", - "object_modified": "2024-05-08T15:23:01.209235Z" + "object_ref": "course-of-action--f80bba5c-4cc5-40db-b857-9dc3690293f0", + "object_modified": "2024-05-15T03:39:59.446895Z" }, { - "object_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", - "object_modified": "2024-05-08T15:23:01.213865Z" + "object_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", + "object_modified": "2024-05-15T03:39:59.454552Z" }, { - "object_ref": "relationship--7de0fd47-0ec4-4a60-b21c-2b045b090aae", - "object_modified": "2024-05-08T15:23:01.213976Z" + "object_ref": "relationship--b3252ecd-ebb5-497f-a226-1670c2aa4ecd", + "object_modified": "2024-05-15T06:39:59.461896Z" }, { - "object_ref": "relationship--ac2fd283-0d84-47e7-aaad-c507a043680f", - "object_modified": "2024-05-08T15:23:01.214056Z" + "object_ref": "relationship--c791a374-fcd5-445c-8a4d-5fefebfda731", + "object_modified": "2024-05-15T06:39:59.46868Z" }, { - "object_ref": "relationship--55dda607-c695-48bd-85db-ea51a8c375fc", - "object_modified": "2024-05-08T15:23:01.214133Z" + "object_ref": "relationship--06a78821-4833-4c71-a514-2adf1489ab28", + "object_modified": "2024-05-15T06:39:59.476039Z" }, { - "object_ref": "relationship--9b510739-699f-483e-8e27-bad3a4cc8bd4", - "object_modified": "2024-05-08T15:23:01.214208Z" + "object_ref": "relationship--6048772c-aa83-4a31-8542-ee56de8e75f5", + "object_modified": "2024-05-15T06:39:59.48429Z" }, { - "object_ref": "relationship--a908c426-cab6-4007-8f8b-2ae3b3dbe354", - "object_modified": "2024-05-08T15:23:01.214286Z" + "object_ref": "relationship--030c2e1b-fded-490b-9840-70eb558223d8", + "object_modified": "2024-05-15T06:39:59.494961Z" }, { - "object_ref": 
"relationship--9b0ae1d0-00ca-49a6-b481-476afd6db243", - "object_modified": "2024-05-08T15:23:01.214357Z" + "object_ref": "relationship--f0817eb5-ce3c-473b-ac87-594a5fbfcb1d", + "object_modified": "2024-05-15T06:39:59.515286Z" }, { - "object_ref": "relationship--42002b19-6fc5-4840-938a-b41d353a58f1", - "object_modified": "2024-05-08T15:23:01.214427Z" + "object_ref": "relationship--cbfcf7ba-157c-46ad-ab5e-9995a1d17b14", + "object_modified": "2024-05-15T06:39:59.530528Z" }, { - "object_ref": "relationship--160b7870-ff6f-447e-aae6-ad7257da8dad", - "object_modified": "2024-05-08T15:23:01.214493Z" + "object_ref": "relationship--3c94248c-554b-4f5e-93f3-be239aa80704", + "object_modified": "2024-05-15T06:39:59.545531Z" }, { - "object_ref": "relationship--c31e800b-e36d-4af6-9eba-6774f2897d89", - "object_modified": "2024-05-08T15:23:01.214558Z" + "object_ref": "relationship--ba036427-b112-443e-922a-6effa4289fe2", + "object_modified": "2024-05-15T06:39:59.563876Z" }, { - "object_ref": "relationship--6a42219b-bcad-4d32-b411-86048a089879", - "object_modified": "2024-05-08T15:23:01.214624Z" + "object_ref": "relationship--a2938105-842b-4b9a-9bf3-0c0f9be5dc87", + "object_modified": "2024-05-15T06:39:59.580383Z" }, { - "object_ref": "relationship--76b13565-9280-4a9b-8b56-a00418f65956", - "object_modified": "2024-05-08T15:23:01.214694Z" + "object_ref": "relationship--c8b8a32d-261e-4cf8-89dd-c0f6e014ad7b", + "object_modified": "2024-05-15T06:39:59.595791Z" }, { - "object_ref": "relationship--3d8ed52f-5a1b-4bdb-8bae-7c7b5929053a", - "object_modified": "2024-05-08T15:23:01.21476Z" + "object_ref": "relationship--bd2b09b1-64d3-4e6f-a770-2c1c3e095d96", + "object_modified": "2024-05-15T06:39:59.610252Z" }, { - "object_ref": "relationship--0470cfde-1acd-4e6d-965b-c2ffe549a10a", - "object_modified": "2024-05-08T15:23:01.214825Z" + "object_ref": "relationship--23af8533-2bc7-4aae-9467-c849f78471af", + "object_modified": "2024-05-15T06:39:59.625021Z" }, { - "object_ref": 
"relationship--eae9cf0e-57b7-421c-86e7-d65c10164263", - "object_modified": "2024-05-08T15:23:01.21489Z" + "object_ref": "relationship--f05d85e0-511e-4d7a-871d-a2273387d507", + "object_modified": "2024-05-15T06:39:59.640515Z" }, { - "object_ref": "relationship--1bdee8d7-0eaf-40d6-947e-5919479b6c7c", - "object_modified": "2024-05-08T15:23:01.21497Z" + "object_ref": "relationship--4489deb5-c276-47fe-93da-d8c7c8721356", + "object_modified": "2024-05-15T06:39:59.664789Z" }, { - "object_ref": "relationship--b831d0d0-4da9-4b3e-98c7-702ef5c75a1b", - "object_modified": "2024-05-08T15:23:01.215036Z" + "object_ref": "relationship--00b767d4-2c9d-44c0-952c-681b46ac85e8", + "object_modified": "2024-05-15T06:39:59.679244Z" }, { - "object_ref": "relationship--412ded4c-b83f-49ee-b96c-f69ec33e4ee7", - "object_modified": "2024-05-08T15:23:01.2151Z" + "object_ref": "relationship--a4e8ee97-41c6-49e0-a618-7df4952ff2ad", + "object_modified": "2024-05-15T06:39:59.694091Z" }, { - "object_ref": "relationship--9b0921fc-31ec-4d29-aa8c-ba904c354e31", - "object_modified": "2024-05-08T15:23:01.215168Z" + "object_ref": "relationship--c85ccad8-6ab3-4025-ac93-c3f5139205cc", + "object_modified": "2024-05-15T06:39:59.708321Z" }, { - "object_ref": "relationship--8f545287-e6e8-4020-ba06-ef2a8fe49adf", - "object_modified": "2024-05-08T15:23:01.215232Z" + "object_ref": "relationship--cfd232d4-5096-4e74-8013-18bf73d99ed7", + "object_modified": "2024-05-15T06:39:59.722539Z" }, { - "object_ref": "x-mitre-matrix--11ac2cbb-ba21-4607-a2e4-16c89a0b09a5", - "object_modified": "2024-05-08T18:23:01.229Z" + "object_ref": "x-mitre-matrix--18d00d07-3f91-46dd-a2f3-f0f1cb83b13c", + "object_modified": "2024-05-15T06:39:59.735Z" }, { "object_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", 
@@ -1027,28 +1027,32 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", + "id": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-02T14:34:35.000Z", - "modified": "2023-01-23T19:22:40.000Z", - "name": "Access cloud resources", - "description": "If the Kubernetes cluster is deployed in the cloud, in some cases attackers can leverage their access to a single container to get access to other cloud resources outside the cluster. For example, AKS uses several managed identities that are attached to the nodes, for the cluster operation. Similar identities exist also in EKS and GKE (EC2 roles and IAM service accounts, respectively). By default, running pods can retrieve the identities which in some configurations have privileged permissions. Therefore, if attackers gain access to a running pod in the cluster, they can leverage the identities to access external cloud resources.\n\nAlso, AKS has an option to authenticate with Azure using a service principal. When this option is enabled, each node stores service principal credentials that are located in /etc/kubernetes/azure.json. AKS uses this service principal to create and manage Azure resources that are needed for the cluster operation. By default, the service principal has contributor permissions in the cluster\u2019s Resource Group. Attackers who get access to this service principal file (by hostPath mount, for example) can use its credentials to access or modify the cloud resources.", + "created": "2022-10-02T18:11:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Container service account", + "description": "Service account (SA) represents an application identity in Kubernetes. 
By default, a Service Account access token is mounted to every created pod in the cluster and containers in the pod can send requests to the Kubernetes API server using the Service Account credentials. Attackers who get access to a pod can access the Service Account token (located in /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster, according to the Service Account permissions. If RBAC is not enabled, the Service Account has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings \\ ClusterRoleBindings that are associated with it.\n\nAn attacker which get access to the Service Account token can also authenticate and access the Kubernetes API server from outside the cluster and maintain access to the cluster.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "privilege-escalation" + "phase_name": "credential-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "lateral-movement" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20cloud%20resources", - "external_id": "MS-TA9020" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Container%20service%20account", + "external_id": "MS-TA9016" } ], "x_mitre_domains": [ @@ -1056,7 +1060,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1078.004" + "T1528" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1067,24 +1071,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", + "id": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Bash or cmd inside container", - "description": "Attackers who have permissions to run a cmd/bash script inside a container can use it to execute malicious code and compromise cluster resources.", + "name": "Clear container logs", + "description": "Attackers may delete the application or OS logs on a compromised container in an attempt to prevent detection of their activity.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "execution" + "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Bash%20or%20cmd%20inside%20container", - "external_id": "MS-TA9007" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Clear%20container%20logs", + "external_id": "MS-TA9021" } ], "x_mitre_domains": [ @@ -1092,7 +1096,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1059" + "T1070" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1103,24 +1107,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", + "id": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-27T17:00:14.000Z", - "name": "Cluster-admin binding", - "description": "Role-based access control (RBAC) is a key security feature in Kubernetes. RBAC can restrict the allowed actions of the various identities in the cluster. Cluster-admin is a built-in high privileged role in Kubernetes. Attackers who have permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Data destruction", + "description": "Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "privilege-escalation" + "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster-admin%20binding", - "external_id": "MS-TA9019" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction", + "external_id": "MS-TA9038" } ], "x_mitre_domains": [ @@ -1128,7 +1132,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1078.003" + "T1485" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1139,24 +1143,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", + "id": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "Privileged container", - "description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container, or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", + "modified": "2022-10-25T08:08:39.000Z", + "name": "CoreDNS poisoning", + "description": "CoreDNS is a modular Domain Name System (DNS) server written in Go, hosted by Cloud Native Computing Foundation (CNCF). CoreDNS is the main DNS service that is being used in Kubernetes. The configuration of CoreDNS can be modified by a file named corefile. In Kubernetes, this file is stored in a ConfigMap object, located at the kube-system namespace. 
If attackers have permissions to modify the ConfigMap, for example by using the container\u2019s service account, they can change the behavior of the cluster\u2019s DNS, poison it, and take the network identity of other services.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "privilege-escalation" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container", - "external_id": "MS-TA9018" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/CoreDNS%20poisoning", + "external_id": "MS-TA9035" } ], "x_mitre_domains": [ @@ -1164,7 +1168,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1610" + "T1557" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1175,24 +1179,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", + "id": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Access Kubernetes API server", - "description": "The Kubernetes API server is the gateway to the cluster. Actions in the cluster are performed by sending various requests to the RESTful API. The status of the cluster, which includes all the components that are deployed on it, can be retrieved by the API server. Attackers may send API requests to probe the cluster and get information about containers, secrets, and other resources in the cluster.\n\nIn addition, the Kubernetes API server can also be used to query information about Role Based Access (RBAC) information such as Roles, ClusterRoles, RoleBinding, ClusterRoleBinding and Service Accounts. Attacker may use this information to discover permissions and access associated with Service Accounts in the cluster and use this information to progress towards its attack objectives.", + "modified": "2022-12-05T07:54:00.000Z", + "name": "Backdoor container", + "description": "Attackers run their malicious code in a container in the cluster. 
By using the Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers run in one, or all, the nodes in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "discovery" + "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubernetes%20API%20server", - "external_id": "MS-TA9029" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Backdoor%20container", + "external_id": "MS-TA9012" } ], "x_mitre_domains": [ @@ -1200,7 +1204,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1613" + "T1543" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1211,28 +1215,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "id": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Application credentials in configuration files", - "description": "Developers store secrets in the Kubernetes configuration files, such as environment variables in the pod configuration. Such behavior is commonly seen in clusters that are monitored by Microsoft Defender for Cloud. Attackers who have access to those configurations, by querying the API server or by accessing those files on the developer\u2019s endpoint, can steal the stored secrets and use them.\n\nUsing those credentials attackers may gain access to additional resources inside and outside the cluster.", + "name": "Pod or container name similarity", + "description": "Pods that are created by controllers such as Deployment or DaemonSet have random suffix in their names. Attackers can use this fact and name their backdoor pods as they were created by the existing controllers. 
For example, an attacker could create a malicious pod named coredns-{random suffix} which would look related to the CoreDNS Deployment.\n\nAlso, attackers can deploy their containers in the kube-system namespace where the administrative containers reside.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "lateral-movement" + "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20credentials%20in%20configuration%20files", - "external_id": "MS-TA9027" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarity", + "external_id": "MS-TA9023" } ], "x_mitre_domains": [ @@ -1240,7 +1240,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552" + "T1036.005" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1251,24 +1251,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "id": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Data destruction", - "description": "Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources.", + "name": "Access Managed Identity credentials", + "description": "Managed identities are identities that are managed by the cloud provider and can be allocated to cloud resources, such as virtual machines. Those identities are used to authenticate with cloud services. The identity\u2019s secret is fully managed by the cloud provider, which eliminates the need to manage the credentials. Applications can obtain the identity\u2019s token by accessing the Instance Metadata Service (IMDS). Attackers who get access to a Kubernetes pod can leverage their access to the IMDS endpoint to get the managed identity\u2019s token. With a token, the attackers can access cloud resources.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "impact" + "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction", - "external_id": "MS-TA9038" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Managed%20Identity%20credentials", + "external_id": "MS-TA9028" } ], "x_mitre_domains": [ @@ -1276,7 +1276,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1485" + "T1552.005" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1320,24 +1320,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", + "id": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Denial of service", - "description": "Attackers may attempt to perform a denial of service attack, which makes the service unavailable to the legitimate users. In container clusters, this include attempts to block the availability of the containers themselves, the underlying nodes, or the API server.", + "modified": "2022-10-25T08:08:39.000Z", + "name": "Access Kubelet API", + "description": "Kubelet is the Kubernetes agent that is installed on each node. Kubelet is responsible for the proper execution of pods that are assigned to the node. Kubelet exposes a read-only API service that does not require authentication (TCP port 10255). Attackers with network access to the host (for example, via running code on a compromised container) can send API requests to the Kubelet API. Specifically querying https://[NODE IP]:10255/pods/ retrieves the running pods on the node. https://[NODE IP]:10255/spec/ retrieves information about the node itself, such as CPU and memory consumption.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "impact" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Denial%20of%20service", - "external_id": "MS-TA9040" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubelet%20API", + "external_id": "MS-TA9030" } ], "x_mitre_domains": [ 
@@ -1345,8 +1345,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1498", - "T1499" + "T1613" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1357,24 +1356,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", + "id": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Clear container logs", - "description": "Attackers may delete the application or OS logs on a compromised container in an attempt to prevent detection of their activity.", + "name": "Images from a private registry", + "description": "The images that are running in the cluster can be stored in a private registry. For pulling those images, the container runtime engine (such as Docker or containerd) needs to have valid credentials to those registries. If the registry is hosted by the cloud provider, in services like Azure Container Registry (ACR) or Amazon Elastic Container Registry (ECR), cloud credentials are used to authenticate to the registry. If attackers get access to the cluster, in some cases they can obtain access to the private registry and pull its images. For example, attackers can use the managed identity token as described in the \u201cAccess managed identity credential\u201d technique. Similarly, in EKS, attackers can use the AmazonEC2ContainerRegistryReadOnly policy that is bound by default to the node\u2019s IAM role.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" + "phase_name": "collection" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Clear%20container%20logs", - "external_id": "MS-TA9021" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Images%20from%20a%20private%20registry", + "external_id": "MS-TA9037" } ], "x_mitre_domains": [ 
@@ -1382,7 +1381,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1070" + "T1530" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1393,60 +1392,32 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", + "id": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-12-05T07:54:00.000Z", - "name": "Sidecar injection", - "description": "A Kubernetes Pod is a group of one or more containers with shared storage and network resources. Sidecar container is a term that is used to describe an additional container that resides alongside the main container. For example, service-mesh proxies are operating as sidecars in the applications\u2019 pods. Attackers can run their code and hide their activity by injecting a sidecar container to a legitimate pod in the cluster instead of running their own separated pod in the cluster.", + "name": "Writable hostPath mount", + "description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. 
For example, the latter can be achieved by creating a cron job on the host.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "execution" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "external_references": [ + "phase_name": "persistence" + }, { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20injection", - "external_id": "MS-TA9011" - } - ], - "x_mitre_domains": [ - "enterprise-attack" - ], - "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "x_mitre_ids": [ - "T1610" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Kubernetes" - ], - "x_mitre_version": "1.0" - }, - { - "type": "attack-pattern", - "spec_version": "2.1", - "id": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", - "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Access Managed Identity credentials", - "description": "Managed identities are identities that are managed by the cloud provider and can be allocated to cloud resources, such as virtual machines. Those identities are used to authenticate with cloud services. The identity\u2019s secret is fully managed by the cloud provider, which eliminates the need to manage the credentials. Applications can obtain the identity\u2019s token by accessing the Instance Metadata Service (IMDS). Attackers who get access to a Kubernetes pod can leverage their access to the IMDS endpoint to get the managed identity\u2019s token. 
With a token, the attackers can access cloud resources.", - "kill_chain_phases": [ + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, { "kill_chain_name": "mitre-attack", - "phase_name": "credential-access" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Managed%20Identity%20credentials", - "external_id": "MS-TA9028" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount", + "external_id": "MS-TA9013" } ], "x_mitre_domains": [ @@ -1454,7 +1425,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552.005" + "T1611" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1501,30 +1472,33 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "id": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "SSH server running inside container", - "description": "SSH server that is running inside a container may be used by attackers. If attackers gain valid credentials to a container, whether by brute force attempts or by other methods (such as phishing), they can use it to get remote access to the container by SSH.", + "name": "Using cloud credentials", + "description": "In cases where the Kubernetes cluster is deployed in a public cloud (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to cluster takeover. Attackers who have access to the cloud account credentials can get access to the cluster\u2019s management layer.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "execution" + "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container", - "external_id": "MS-TA9010" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Using%20cloud%20credentials", + "external_id": "MS-TA9001" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "x_mitre_ids": [ + "T1078.004" + ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" 
@@ -1534,24 +1508,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", + "id": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-12-05T07:54:00.000Z", - "name": "New container", - "description": "Attackers may attempt to run their code in the cluster by deploying a container. Attackers who have permissions to deploy a pod or a controller in the cluster (such as DaemonSet \\ ReplicaSet\\ Deployment) can create a new resource for running their code.", + "name": "Mount service principal", + "description": "When the cluster is deployed in the cloud, in some cases attackers can leverage their access to a container in the cluster to gain cloud credentials. For example, in AKS each node contains service principal credential.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "execution" + "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/New%20container", - "external_id": "MS-TA9008" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Mount%20service%20principal", + "external_id": "MS-TA9026" } ], "x_mitre_domains": [ @@ -1559,7 +1533,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1610" + "T1552.001" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1570,28 +1544,28 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", + "id": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-31T06:43:11.000Z", - "name": "Exposed sensitive interfaces", - "description": "Exposing a sensitive interface to the internet or within a cluster without strong authentication poses a security risk. Some popular cluster management services were not intended to be exposed to the internet, and therefore don\u2019t require authentication by default. Thus, exposing such services to the internet allows unauthenticated access to a sensitive interface which might enable running code or deploying containers in the cluster by a malicious actor. Examples of such interfaces that were seen exploited include Apache NiFi, Kubeflow, Argo Workflows, Weave Scope, and the Kubernetes dashboard.\n\nIn addition, having such services exposed within the cluster network without strong authentication can also allow an attacker to collect information about other workloads deployed to the cluster.\nThe Kubernetes dashboard is an example of such a service that is used for monitoring and managing the Kubernetes cluster. The dashboard allows users to perform actions in the cluster using its service account (kubernetes-dashboard) with permissions that are determined by the binding or cluster-binding for this service account. Attackers who gain access to a container in the cluster, can use its network access to the dashboard pod. 
Consequently, attackers may retrieve information about the various resources in the cluster using the dashboard\u2019s identity.", + "modified": "2023-01-23T19:22:40.000Z", + "name": "Access cloud resources", + "description": "If the Kubernetes cluster is deployed in the cloud, in some cases attackers can leverage their access to a single container to get access to other cloud resources outside the cluster. For example, AKS uses several managed identities that are attached to the nodes, for the cluster operation. Similar identities exist also in EKS and GKE (EC2 roles and IAM service accounts, respectively). By default, running pods can retrieve the identities which in some configurations have privileged permissions. Therefore, if attackers gain access to a running pod in the cluster, they can leverage the identities to access external cloud resources.\n\nAlso, AKS has an option to authenticate with Azure using a service principal. When this option is enabled, each node stores service principal credentials that are located in /etc/kubernetes/azure.json. AKS uses this service principal to create and manage Azure resources that are needed for the cluster operation. By default, the service principal has contributor permissions in the cluster\u2019s Resource Group. 
Attackers who get access to this service principal file (by hostPath mount, for example) can use its credentials to access or modify the cloud resources.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "initial-access" + "phase_name": "privilege-escalation" }, { "kill_chain_name": "mitre-attack", - "phase_name": "discovery" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exposed%20sensitive%20interfaces", - "external_id": "MS-TA9005" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20cloud%20resources", + "external_id": "MS-TA9020" } ], "x_mitre_domains": [ @@ -1599,7 +1573,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1133" + "T1078.004" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1610,24 +1584,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", + "id": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Delete Kubernetes events", - "description": "A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster. Example events are a container creation, an image pull, or a pod scheduling on a node.\n\nKubernetes events can be very useful for identifying changes that occur in the cluster. Therefore, attackers may want to delete these events (e.g., by using: \u201ckubectl delete events\u2013all\u201d) in an attempt to avoid detection of their activity in the cluster.", + "name": "Access Kubernetes API server", + "description": "The Kubernetes API server is the gateway to the cluster. Actions in the cluster are performed by sending various requests to the RESTful API. The status of the cluster, which includes all the components that are deployed on it, can be retrieved by the API server. Attackers may send API requests to probe the cluster and get information about containers, secrets, and other resources in the cluster.\n\nIn addition, the Kubernetes API server can also be used to query information about Role Based Access (RBAC) information such as Roles, ClusterRoles, RoleBinding, ClusterRoleBinding and Service Accounts. 
Attacker may use this information to discover permissions and access associated with Service Accounts in the cluster and use this information to progress towards its attack objectives.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20Kubernetes%20events", - "external_id": "MS-TA9022" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubernetes%20API%20server", + "external_id": "MS-TA9029" } ], "x_mitre_domains": [ @@ -1635,7 +1609,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1070" + "T1613" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1646,32 +1620,28 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", + "id": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "Writable hostPath mount", - "description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.", + "modified": "2022-10-31T06:43:11.000Z", + "name": "Exposed sensitive interfaces", + "description": "Exposing a sensitive interface to the internet or within a cluster without strong authentication poses a security risk. Some popular cluster management services were not intended to be exposed to the internet, and therefore don\u2019t require authentication by default. Thus, exposing such services to the internet allows unauthenticated access to a sensitive interface which might enable running code or deploying containers in the cluster by a malicious actor. Examples of such interfaces that were seen exploited include Apache NiFi, Kubeflow, Argo Workflows, Weave Scope, and the Kubernetes dashboard.\n\nIn addition, having such services exposed within the cluster network without strong authentication can also allow an attacker to collect information about other workloads deployed to the cluster.\nThe Kubernetes dashboard is an example of such a service that is used for monitoring and managing the Kubernetes cluster. The dashboard allows users to perform actions in the cluster using its service account (kubernetes-dashboard) with permissions that are determined by the binding or cluster-binding for this service account. 
Attackers who gain access to a container in the cluster, can use its network access to the dashboard pod. Consequently, attackers may retrieve information about the various resources in the cluster using the dashboard\u2019s identity.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "privilege-escalation" + "phase_name": "initial-access" }, { "kill_chain_name": "mitre-attack", - "phase_name": "lateral-movement" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount", - "external_id": "MS-TA9013" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exposed%20sensitive%20interfaces", + "external_id": "MS-TA9005" } ], "x_mitre_domains": [ @@ -1679,7 +1649,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1611" + "T1133" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1690,24 +1660,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", + "id": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "Mount service principal", - "description": "When the cluster is deployed in the cloud, in some cases attackers can leverage their access to a container in the cluster to gain cloud credentials. For example, in AKS each node contains service principal credential.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Resource hijacking", + "description": "Attackers may abuse a compromised resource for running tasks. A common abuse is to use compromised resources for running digital currency mining. Attackers who have access to a container in the cluster or have permissions to create new containers may use them for such activity.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "credential-access" + "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Mount%20service%20principal", - "external_id": "MS-TA9026" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Resource%20hijacking", + "external_id": "MS-TA9039" } ], "x_mitre_domains": [ @@ -1715,7 +1685,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552.001" + "T1496" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1726,24 +1696,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "id": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Application exploit (RCE)", - "description": "An application that is deployed in the cluster and is vulnerable to a remote code execution vulnerability, or a vulnerability that eventually allows code execution, enables attackers to run code in the cluster. If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.", + "name": "List Kubernetes secrets", + "description": "A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "execution" + "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20exploit%20(RCE)", - "external_id": "MS-TA9009" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20Kubernetes%20secrets", + "external_id": "MS-TA9025" } ], "x_mitre_domains": [ 
@@ -1751,7 +1721,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1190" + "T1552.007" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1762,13 +1732,17 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "id": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "List Kubernetes secrets", - "description": "A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.", + "name": "Malicious admission controller", + "description": "Admission controller is a Kubernetes component that intercepts, and possibly modifies, requests to the Kubernetes API server. There are two types of admissions controllers: validating and mutating controllers. As the name implies, a mutating admission controller can modify the intercepted request and change its properties. Kubernetes has a built-in generic admission controller named MutatingAdmissionWebhook. The behavior of this admission controller is determined by an admission webhook that the user deploys in the cluster. Attackers can use such webhooks for gaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.", "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" 
@@ -1778,8 +1752,8 @@ "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20Kubernetes%20secrets", - "external_id": "MS-TA9025" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Malicious%20admission%20controller", + "external_id": "MS-TA9015" } ], "x_mitre_domains": [ @@ -1787,7 +1761,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552.007" + "T1546" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1798,24 +1772,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", + "id": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "ARP poisoning and IP spoofing", - "description": "Kubernetes has numerous network plugins (Container Network Interfaces or CNIs) that can be used in the cluster. Kubenet is the basic, and in many cases the default, network plugin. In this configuration, a bridge is created on each node (cbr0) to which the various pods are connected using veth pairs. The fact that cross-pod traffic is through a bridge, a level-2 component, means that performing ARP poisoning in the cluster is possible. Therefore, if attackers get access to a pod in the cluster, they can perform ARP poisoning, and spoof the traffic of other pods. By using this technique, attackers can perform several attacks at the network-level which can lead to lateral movements, such as DNS spoofing or stealing cloud identities of other pods (CVE-2021-1677).", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Connect from proxy server", + "description": "Attackers may use proxy servers to hide their origin IP. Specifically, attackers often use anonymous networks such as TOR for their activity. 
This can be used for communicating with the applications themselves or with the API server.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "lateral-movement" + "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/ARP%20poisoning%20and%20IP%20spoofing", - "external_id": "MS-TA9036" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Connect%20from%20proxy%20server", + "external_id": "MS-TA9024" } ], "x_mitre_domains": [ @@ -1823,7 +1797,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1557" + "T1090" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1834,24 +1808,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "id": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-25T08:08:39.000Z", - "name": "Access Kubelet API", - "description": "Kubelet is the Kubernetes agent that is installed on each node. Kubelet is responsible for the proper execution of pods that are assigned to the node. Kubelet exposes a read-only API service that does not require authentication (TCP port 10255). Attackers with network access to the host (for example, via running code on a compromised container) can send API requests to the Kubelet API. Specifically querying https://[NODE IP]:10255/pods/ retrieves the running pods on the node. https://[NODE IP]:10255/spec/ retrieves information about the node itself, such as CPU and memory consumption.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Compromised image In registry", + "description": "Running a compromised image in a cluster can compromise the cluster. Attackers who get access to a private registry can plant their own compromised images in the registry. The latter can then be pulled by a user. In addition, users often use untrusted images from public registries (such as Docker Hub) that may be malicious.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "discovery" + "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubelet%20API", - "external_id": "MS-TA9030" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Compromised%20image%20In%20registry", + "external_id": "MS-TA9002" } ], "x_mitre_domains": [ 
@@ -1859,7 +1833,8 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1613" + "T1195.002", + "T1525" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ @@ -1870,24 +1845,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "id": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-27T17:00:14.000Z", - "name": "Kubeconfig file", - "description": "The kubeconfig file, also used by kubectl, contains details about Kubernetes clusters including their location and credentials. If the cluster is hosted as a cloud service (such as AKS or GKE), this file is downloaded to the client via cloud commands (e.g., az aks get-credentialfor AKS or gcloud container clusters get-credentialsfor GKE).\n\nIf attackers get access to this file, for instance via a compromised client, they can use it for accessing the clusters.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "SSH server running inside container", + "description": "SSH server that is running inside a container may be used by attackers. If attackers gain valid credentials to a container, whether by brute force attempts or by other methods (such as phishing), they can use it to get remote access to the container by SSH.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "initial-access" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Kubeconfig%20file", - "external_id": "MS-TA9003" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container", + "external_id": "MS-TA9010" } ], "x_mitre_domains": [ 
@@ -1903,32 +1878,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", + "id": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-02T18:11:12.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Container service account", - "description": "Service account (SA) represents an application identity in Kubernetes. By default, a Service Account access token is mounted to every created pod in the cluster and containers in the pod can send requests to the Kubernetes API server using the Service Account credentials. Attackers who get access to a pod can access the Service Account token (located in /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster, according to the Service Account permissions. If RBAC is not enabled, the Service Account has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings \\ ClusterRoleBindings that are associated with it.\n\nAn attacker which get access to the Service Account token can also authenticate and access the Kubernetes API server from outside the cluster and maintain access to the cluster.", + "created": "2022-10-02T14:34:35.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "name": "Privileged container", + "description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. 
Attackers who gain access to a privileged container, or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "lateral-movement" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "persistence" + "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Container%20service%20account", - "external_id": "MS-TA9016" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container", + "external_id": "MS-TA9018" } ], "x_mitre_domains": [ @@ -1936,7 +1903,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1528" + "T1610" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1947,24 +1914,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "id": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Exec into container", - "description": "Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (\u201ckubectl exec\u201d). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using \u201ckubectl exec\u201d.", + "modified": "2022-10-27T17:00:14.000Z", + "name": "Cluster-admin binding", + "description": "Role-based access control (RBAC) is a key security feature in Kubernetes. RBAC can restrict the allowed actions of the various identities in the cluster. Cluster-admin is a built-in high privileged role in Kubernetes. Attackers who have permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "execution" + "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container", - "external_id": "MS-TA9006" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster-admin%20binding", + "external_id": "MS-TA9019" } ], "x_mitre_domains": [ @@ -1972,7 +1939,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1609" + "T1078.003" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1983,24 +1950,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", + "id": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Network mapping", - "description": "Attackers may try to map the cluster network to get information on the running applications, including scanning for known vulnerabilities. By default, there is no restriction on pods communication in Kubernetes. Therefore, attackers who gain access to a single container, may use it to probe the network.", + "modified": "2022-12-05T07:54:00.000Z", + "name": "New container", + "description": "Attackers may attempt to run their code in the cluster by deploying a container. Attackers who have permissions to deploy a pod or a controller in the cluster (such as DaemonSet \\ ReplicaSet\\ Deployment) can create a new resource for running their code.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "discovery" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Network%20mapping", - "external_id": "MS-TA9031" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/New%20container", + "external_id": "MS-TA9008" } ], "x_mitre_domains": [ @@ -2008,7 +1975,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1046" + "T1610" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2019,24 +1986,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", + "id": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-25T08:08:39.000Z", - "name": "Instance Metadata API", - "description": "Cloud providers provide instance metadata service for retrieving information about the virtual machine, such as network configuration, disks, and SSH public keys. This service is accessible to the VMs via a non-routable IP address that can be accessed from within the VM only. Attackers who gain access to a container, may query the metadata API service for getting information about the underlying node. For example, in Azure, the following request would retrieve all the metadata information of an instance: http:///metadata/instance?api-version=2019-06-01", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Cluster internal networking", + "description": "Kubernetes networking behavior allows traffic between pods in the cluster as a default behavior. Attackers who gain access to a single container may use it for network reachability to another container in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "discovery" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Instance%20Metadata%20API", - "external_id": "MS-TA9033" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster%20internal%20networking", + "external_id": "MS-TA9034" } ], "x_mitre_domains": [ 
@@ -2044,7 +2011,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552.005" + "T1210" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2055,33 +2022,30 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", + "id": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-02T14:34:35.000Z", + "created": "2022-10-03T08:10:16.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Resource hijacking", - "description": "Attackers may abuse a compromised resource for running tasks. A common abuse is to use compromised resources for running digital currency mining. Attackers who have access to a container in the cluster or have permissions to create new containers may use them for such activity.", + "name": "Static pods", + "description": "Static Pods are created and managed by the the kubelet daemon on each node, without the API server observing them. Kubelet watches each static pod and restart it if it fails.\n\nKubelet automatically tries to create a mirror pod on the Kubernetes API server to represent the static pods, so it will be visible on the API server, however the pods cannot be controlled from there.\n\nStatic Pods are created based on a web or local filesystem YAML files which kubelet observes for changes.\nAn attacker can use the static pods manifest file to ensure that a pod is always running on a cluster node and prevent it from being changed or deleted from the Kubernetes API server.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "impact" + "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Resource%20hijacking", - "external_id": "MS-TA9039" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Static%20pods", + "external_id": "MS-TA9017" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "x_mitre_ids": [ - "T1496" - ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" 
@@ -2091,24 +2055,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", + "id": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Compromised image In registry", - "description": "Running a compromised image in a cluster can compromise the cluster. Attackers who get access to a private registry can plant their own compromised images in the registry. The latter can then be pulled by a user. In addition, users often use untrusted images from public registries (such as Docker Hub) that may be malicious.", + "modified": "2022-10-25T08:08:39.000Z", + "name": "Instance Metadata API", + "description": "Cloud providers provide instance metadata service for retrieving information about the virtual machine, such as network configuration, disks, and SSH public keys. This service is accessible to the VMs via a non-routable IP address that can be accessed from within the VM only. Attackers who gain access to a container, may query the metadata API service for getting information about the underlying node. For example, in Azure, the following request would retrieve all the metadata information of an instance: http:///metadata/instance?api-version=2019-06-01", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "initial-access" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Compromised%20image%20In%20registry", - "external_id": "MS-TA9002" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Instance%20Metadata%20API", + "external_id": "MS-TA9033" } ], "x_mitre_domains": [ 
@@ -2116,8 +2080,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1195.002", - "T1525" + "T1552.005" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ @@ -2128,12 +2091,12 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "id": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Using cloud credentials", - "description": "In cases where the Kubernetes cluster is deployed in a public cloud (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to cluster takeover. Attackers who have access to the cloud account credentials can get access to the cluster\u2019s management layer.", + "modified": "2022-10-27T17:00:14.000Z", + "name": "Kubeconfig file", + "description": "The kubeconfig file, also used by kubectl, contains details about Kubernetes clusters including their location and credentials. If the cluster is hosted as a cloud service (such as AKS or GKE), this file is downloaded to the client via cloud commands (e.g., az aks get-credentialfor AKS or gcloud container clusters get-credentialsfor GKE).\n\nIf attackers get access to this file, for instance via a compromised client, they can use it for accessing the clusters.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", 
@@ -2144,17 +2107,14 @@ "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Using%20cloud%20credentials", - "external_id": "MS-TA9001" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Kubeconfig%20file", + "external_id": "MS-TA9003" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "x_mitre_ids": [ - "T1078.004" - ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" 
@@ -2164,30 +2124,33 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", + "id": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-03T08:10:16.000Z", + "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Static pods", - "description": "Static Pods are created and managed by the the kubelet daemon on each node, without the API server observing them. Kubelet watches each static pod and restart it if it fails.\n\nKubelet automatically tries to create a mirror pod on the Kubernetes API server to represent the static pods, so it will be visible on the API server, however the pods cannot be controlled from there.\n\nStatic Pods are created based on a web or local filesystem YAML files which kubelet observes for changes.\nAn attacker can use the static pods manifest file to ensure that a pod is always running on a cluster node and prevent it from being changed or deleted from the Kubernetes API server.", + "name": "Delete Kubernetes events", + "description": "A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster. Example events are a container creation, an image pull, or a pod scheduling on a node.\n\nKubernetes events can be very useful for identifying changes that occur in the cluster. 
Therefore, attackers may want to delete these events (e.g., by using: \u201ckubectl delete events\u2013all\u201d) in an attempt to avoid detection of their activity in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "persistence" + "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Static%20pods", - "external_id": "MS-TA9017" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20Kubernetes%20events", + "external_id": "MS-TA9022" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "x_mitre_ids": [ + "T1070" + ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" 
@@ -2197,24 +2160,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", + "id": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-25T08:08:39.000Z", - "name": "CoreDNS poisoning", - "description": "CoreDNS is a modular Domain Name System (DNS) server written in Go, hosted by Cloud Native Computing Foundation (CNCF). CoreDNS is the main DNS service that is being used in Kubernetes. The configuration of CoreDNS can be modified by a file named corefile. In Kubernetes, this file is stored in a ConfigMap object, located at the kube-system namespace. If attackers have permissions to modify the ConfigMap, for example by using the container\u2019s service account, they can change the behavior of the cluster\u2019s DNS, poison it, and take the network identity of other services.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Network mapping", + "description": "Attackers may try to map the cluster network to get information on the running applications, including scanning for known vulnerabilities. By default, there is no restriction on pods communication in Kubernetes. Therefore, attackers who gain access to a single container, may use it to probe the network.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "lateral-movement" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/CoreDNS%20poisoning", - "external_id": "MS-TA9035" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Network%20mapping", + "external_id": "MS-TA9031" } ], "x_mitre_domains": [ 
@@ -2222,7 +2185,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1557" + "T1046" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2233,24 +2196,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", + "id": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Pod or container name similarity", - "description": "Pods that are created by controllers such as Deployment or DaemonSet have random suffix in their names. Attackers can use this fact and name their backdoor pods as they were created by the existing controllers. For example, an attacker could create a malicious pod named coredns-{random suffix} which would look related to the CoreDNS Deployment.\n\nAlso, attackers can deploy their containers in the kube-system namespace where the administrative containers reside.", + "modified": "2022-12-05T07:54:00.000Z", + "name": "Sidecar injection", + "description": "A Kubernetes Pod is a group of one or more containers with shared storage and network resources. Sidecar container is a term that is used to describe an additional container that resides alongside the main container. For example, service-mesh proxies are operating as sidecars in the applications\u2019 pods. Attackers can run their code and hide their activity by injecting a sidecar container to a legitimate pod in the cluster instead of running their own separated pod in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarity", - "external_id": "MS-TA9023" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20injection", + "external_id": "MS-TA9011" } ], "x_mitre_domains": [ 
@@ -2258,7 +2221,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1036.005" + "T1610" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2269,24 +2232,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "id": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Connect from proxy server", - "description": "Attackers may use proxy servers to hide their origin IP. Specifically, attackers often use anonymous networks such as TOR for their activity. This can be used for communicating with the applications themselves or with the API server.", + "modified": "2022-12-05T07:54:00.000Z", + "name": "ARP poisoning and IP spoofing", + "description": "Kubernetes has numerous network plugins (Container Network Interfaces or CNIs) that can be used in the cluster. Kubenet is the basic, and in many cases the default, network plugin. In this configuration, a bridge is created on each node (cbr0) to which the various pods are connected using veth pairs. The fact that cross-pod traffic is through a bridge, a level-2 component, means that performing ARP poisoning in the cluster is possible. Therefore, if attackers get access to a pod in the cluster, they can perform ARP poisoning, and spoof the traffic of other pods. 
By using this technique, attackers can perform several attacks at the network-level which can lead to lateral movements, such as DNS spoofing or stealing cloud identities of other pods (CVE-2021-1677).", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Connect%20from%20proxy%20server", - "external_id": "MS-TA9024" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/ARP%20poisoning%20and%20IP%20spoofing", + "external_id": "MS-TA9036" } ], "x_mitre_domains": [ @@ -2294,7 +2257,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1090" + "T1557" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2305,28 +2268,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", + "id": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Malicious admission controller", - "description": "Admission controller is a Kubernetes component that intercepts, and possibly modifies, requests to the Kubernetes API server. There are two types of admissions controllers: validating and mutating controllers. As the name implies, a mutating admission controller can modify the intercepted request and change its properties. Kubernetes has a built-in generic admission controller named MutatingAdmissionWebhook. The behavior of this admission controller is determined by an admission webhook that the user deploys in the cluster. Attackers can use such webhooks for gaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.", + "name": "Application vulnerability", + "description": "Running a public-facing vulnerable application in a cluster can enable initial access to the cluster. A container that runs an application that is vulnerable to remote code execution vulnerability (RCE) may be exploited. 
If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "credential-access" + "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Malicious%20admission%20controller", - "external_id": "MS-TA9015" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20vulnerability", + "external_id": "MS-TA9004" } ], "x_mitre_domains": [ @@ -2334,7 +2293,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1546" + "T1190" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2345,24 +2304,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "id": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Application vulnerability", - "description": "Running a public-facing vulnerable application in a cluster can enable initial access to the cluster. A container that runs an application that is vulnerable to remote code execution vulnerability (RCE) may be exploited. If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.", + "name": "Application exploit (RCE)", + "description": "An application that is deployed in the cluster and is vulnerable to a remote code execution vulnerability, or a vulnerability that eventually allows code execution, enables attackers to run code in the cluster. If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "initial-access" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20vulnerability", - "external_id": "MS-TA9004" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20exploit%20(RCE)", + "external_id": "MS-TA9009" } ], "x_mitre_domains": [ 
@@ -2381,24 +2340,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", + "id": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Cluster internal networking", - "description": "Kubernetes networking behavior allows traffic between pods in the cluster as a default behavior. Attackers who gain access to a single container may use it for network reachability to another container in the cluster.", + "name": "Exec into container", + "description": "Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (\u201ckubectl exec\u201d). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using \u201ckubectl exec\u201d.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "lateral-movement" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster%20internal%20networking", - "external_id": "MS-TA9034" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container", + "external_id": "MS-TA9006" } ], "x_mitre_domains": [ @@ -2406,7 +2365,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1210" + "T1609" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2417,24 +2376,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", + "id": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "Backdoor container", - "description": "Attackers run their malicious code in a container in the cluster. By using the Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers run in one, or all, the nodes in the cluster.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Bash or cmd inside container", + "description": "Attackers who have permissions to run a cmd/bash script inside a container can use it to execute malicious code and compromise cluster resources.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "persistence" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Backdoor%20container", - "external_id": "MS-TA9012" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Bash%20or%20cmd%20inside%20container", + "external_id": "MS-TA9007" } ], "x_mitre_domains": [ @@ -2442,7 +2401,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1543" + "T1059" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2453,24 +2412,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", + "id": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Images from a private registry", - "description": "The images that are running in the cluster can be stored in a private registry. For pulling those images, the container runtime engine (such as Docker or containerd) needs to have valid credentials to those registries. If the registry is hosted by the cloud provider, in services like Azure Container Registry (ACR) or Amazon Elastic Container Registry (ECR), cloud credentials are used to authenticate to the registry. If attackers get access to the cluster, in some cases they can obtain access to the private registry and pull its images. For example, attackers can use the managed identity token as described in the \u201cAccess managed identity credential\u201d technique. Similarly, in EKS, attackers can use the AmazonEC2ContainerRegistryReadOnly policy that is bound by default to the node\u2019s IAM role.", + "name": "Denial of service", + "description": "Attackers may attempt to perform a denial of service attack, which makes the service unavailable to the legitimate users. 
In container clusters, this include attempts to block the availability of the containers themselves, the underlying nodes, or the API server.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "collection" + "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Images%20from%20a%20private%20registry", - "external_id": "MS-TA9037" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Denial%20of%20service", + "external_id": "MS-TA9040" } ], "x_mitre_domains": [ @@ -2478,7 +2437,8 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1530" + "T1498", + "T1499" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2487,100 +2447,72 @@ "x_mitre_version": "1.0" }, { - "type": "course-of-action", + "type": "attack-pattern", "spec_version": "2.1", - "id": "course-of-action--eed35bd4-2d5d-4da3-8040-699606665dd9", - "created": "2024-05-08T15:23:01.114222Z", - "modified": "2024-05-08T15:23:01.114222Z", - "name": "Restrict the usage of unauthenticated APIs in the cluster", - "description": "Some unmanaged clusters are misconfigured such as anonymous access is accepted by the Kubernetes API server. Make sure that the Kubernetes API is configured properly, and authentication and authorization mechanisms are set.", - "external_references": [ + "id": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "created": "2022-10-02T14:34:35.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Application credentials in configuration files", + "description": "Developers store secrets in the Kubernetes configuration files, such as environment variables in the pod configuration. Such behavior is commonly seen in clusters that are monitored by Microsoft Defender for Cloud. 
Attackers who have access to those configurations, by querying the API server or by accessing those files on the developer\u2019s endpoint, can steal the stored secrets and use them.\n\nUsing those credentials attackers may gain access to additional resources inside and outside the cluster.", + "kill_chain_phases": [ { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9021%20Restrict%20the%20usage%20of%20unauthenticated%20APIs%20in%20the%20cluster/", - "external_id": "MS-M9021" + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" } - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--d1675c61-27a2-46f1-b9b9-3da8f9fa7b9f", - "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.115245Z", - "modified": "2024-05-08T15:23:01.115245Z", - "description": "Some unmanaged clusters are misconfigured such as anonymous access is accepted by the Kubernetes API server", - "relationship_type": "mitigates", - "source_ref": "course-of-action--eed35bd4-2d5d-4da3-8040-699606665dd9", - "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_domains": [ - "enterprise-attack" ], - "x_mitre_version": "0.1", - "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" - }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--715b7490-951c-4873-beb8-ec514095a186", - "created": "2024-05-08T15:23:01.117049Z", - "modified": "2024-05-08T15:23:01.117049Z", - "name": "Use CNIs that are not prone to ARP poisoning", - "description": "Kubernetes default CNI (Kubenet) is prone to ARP poisoning. 
This allows pods to impersonate other pods in the cluster.\nUse alternative CNIs that are not prone to ARP poisoning in the cluster.", + "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9028%20Use%20CNIs%20that%20are%20not%20prone%20to%20ARP%20poisoning/", - "external_id": "MS-M9028" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20credentials%20in%20configuration%20files", + "external_id": "MS-TA9027" } - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--5b574b6b-a4d0-47e8-8d83-b001e9633fcc", - "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.117155Z", - "modified": "2024-05-08T15:23:01.117155Z", - "description": "Kubernetes default CNI (Kubenet) is prone to ARP poisoning", - "relationship_type": "mitigates", - "source_ref": "course-of-action--715b7490-951c-4873-beb8-ec514095a186", - "target_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", - "x_mitre_attack_spec_version": "2.1.0", + ], "x_mitre_domains": [ "enterprise-attack" ], - "x_mitre_version": "0.1", - "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" + "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "x_mitre_ids": [ + "T1552" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Kubernetes" + ], + "x_mitre_version": "1.0" }, { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--1ba7caaa-eb4d-4db9-9552-96712fa207ed", - "created": "2024-05-08T15:23:01.119287Z", - "modified": "2024-05-08T15:23:01.119287Z", - "name": "Allocate specific identities to pods", - "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity. 
This prevents other pods from accessing cloud identities that are not necessary for their operation. The features that implement this separation are: Azure AD Pod Identity (AKS), Azure AD Workload identity (AKS), IRSA (EKS) and GCP Workload Identity (GCP).", + "id": "course-of-action--d18089f6-e0e9-44f0-b4b7-ddbac88bdf42", + "created": "2024-05-15T03:39:57.825656Z", + "modified": "2024-05-15T03:39:57.825656Z", + "name": "Ensure that pods meet defined Pod Security Standards", + "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum. These policies are cumulative and range from highly-permissive to highly-restrictive. Decoupling policy definition from policy instantiation allows for a common understanding and consistent language of policies across clusters, independent of the underlying enforcement mechanism. At the same time, Kubernetes offers a built-in Pod Security admission controller to enforce the Pod Security Standards. Pod security restrictions are applied at the namespace level when pods are created.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9019%20Allocate%20specific%20identities%20to%20pods/", - "external_id": "MS-M9019" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9017%20Ensure%20that%20pods%20meet%20defined%20Pod%20Security%20Standards/", + "external_id": "MS-M9017" } ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--6a676866-90b9-4ac9-81d8-f4fa5b86e958", + "id": "relationship--47e902dc-d050-4ac0-8ff6-d601c75392c2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.119394Z", - "modified": "2024-05-08T15:23:01.119394Z", - "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity", + "created": 
"2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum", "relationship_type": "mitigates", - "source_ref": "course-of-action--1ba7caaa-eb4d-4db9-9552-96712fa207ed", - "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", + "source_ref": "course-of-action--d18089f6-e0e9-44f0-b4b7-ddbac88bdf42", + "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -2591,14 +2523,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--76657bf1-fa01-4bbc-b869-7fc16c2d8322", + "id": "relationship--3972ebaf-03b8-42b0-81c7-bdf7fb29c0bb", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.119485Z", - "modified": "2024-05-08T15:23:01.119485Z", - "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum", "relationship_type": "mitigates", - "source_ref": "course-of-action--1ba7caaa-eb4d-4db9-9552-96712fa207ed", - "target_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", + "source_ref": "course-of-action--d18089f6-e0e9-44f0-b4b7-ddbac88bdf42", + "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
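Review bot: The relationship `relationship--47e902dc…` now carries `"created": "2022-10-23T12:48:12.000Z"` from git history while its `source_ref` course-of-action `d18089f6…` is stamped `"created": "2024-05-15T03:39:57.825656Z"`, so the bundle asserts a relationship that predates the object it points to; the same pairing repeats for `relationship--3972ebaf…` in the following hunk. Every course-of-action and relationship id on the new side is also a fresh UUID compared with the removed side (`7689d229…` becomes `d18089f6…` for the same `MS-M9017` mitigation, and `eed35bd4…` for `MS-M9021` simply disappears from this chunk), whereas the attack-pattern ids are stable, so a consumer cannot correlate mitigations or relationships across releases of this bundle. Presumably the mitigation objects should receive the same git-derived `created`/`modified` the relationships now get, and their ids should be deterministic, e.g. `uuid.uuid5(TMFK_NAMESPACE, external_id)` instead of a per-build random UUID; the generator is outside this hunk so I cannot confirm where the ids and build-time stamps originate. If those stamps come from a naive `datetime.now()` default, note that the stix2 library treats a naive datetime as UTC, so the value is the build host's wall-clock time labelled `Z`; `datetime.now(timezone.utc)` avoids that skew.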
@@ -2609,30 +2541,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--7206f8b8-f7a9-426b-98b0-d6eb177ba6ab", - "created": "2024-05-08T15:23:01.121311Z", - "modified": "2024-05-08T15:23:01.121311Z", - "name": "Avoid using plain text credentials", - "description": "Avoid using plain text credentials in configuration files. Use Kubernetes secrets or cloud secret store instead. This prevents unwanted access to plaintext credentials in source code, configuration files and Kubernetes objects.", + "id": "course-of-action--be336cd0-0144-4b41-bb84-5ac767fc4e3a", + "created": "2024-05-15T03:39:57.842372Z", + "modified": "2024-05-15T03:39:57.842372Z", + "name": "Implement data backup strategy", + "description": "Take and store data backups from pod mounted volumes for critical workloads. Ensure backup and storage systems are hardened and kept separate from the Kubernetes environment to prevent compromise.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9026%20Avoid%20using%20plain%20text%20credentials/", - "external_id": "MS-M9026" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9031%20Implement%20data%20backup%20strategy/", + "external_id": "MS-M9031" } + ], + "x_mitre_ids": [ + "M1053" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--5ad126e4-a6cb-462b-8e7c-33d99a40f953", + "id": "relationship--88363a55-a2fd-43fa-92ba-a7f59d890383", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.121429Z", - "modified": "2024-05-08T15:23:01.121429Z", - "description": "Avoid using plain text credentials in configuration files", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Take and store data backups from pod mounted volumes for critical workloads", "relationship_type": "mitigates", - 
"source_ref": "course-of-action--7206f8b8-f7a9-426b-98b0-d6eb177ba6ab", - "target_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "source_ref": "course-of-action--be336cd0-0144-4b41-bb84-5ac767fc4e3a", + "target_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -2643,30 +2578,48 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--6e041ffe-db6b-446c-8375-11f0dcaa08ef", - "created": "2024-05-08T15:23:01.123399Z", - "modified": "2024-05-08T15:23:01.123399Z", - "name": "Enable Just In Time access to API server", - "description": "Employing Just In Time (JIT) elevated access to Kubernetes API server helps reduce the attack surface to the API server by compromised accounts by allowing access only at specific times, and through a governed escalation process. Enabling JIT access in Kubernetes is often done together with OpenID authentication which includes processes and tools to manage JIT access. One example of such OpenID authentication is Azure Active Directory authentication to Kubernetes clusters. The JIT approval is performed in the cloud control-plane level. Therefore, even if attackers have access to an account credentials, their access to the cluster is limited.", + "id": "course-of-action--6a337cb5-9810-4fde-b26c-e0b6e47424e7", + "created": "2024-05-15T03:39:57.857619Z", + "modified": "2024-05-15T03:39:57.857619Z", + "name": "Restrict exec commands on pods", + "description": "", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9006%20Enable%20Just%20In%20Time%20access%20to%20API%20server/", - "external_id": "MS-M9006" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9010%20Restrict%20exec%20commands%20on%20pods/", + "external_id": "MS-M9010" } ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--3e13da7d-4529-42be-832e-5aec578dbd65", + "id": "relationship--2b560cb5-3d21-4600-8190-039c71ab48cd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.1235Z", - "modified": "2024-05-08T15:23:01.1235Z", - "description": "Employing Just In Time (JIT) elevated access to Kubernetes API server helps 
reduce the attack surface to the API server by compromised accounts by allowing access only at specific times, and through a governed escalation process", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--6e041ffe-db6b-446c-8375-11f0dcaa08ef", - "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "source_ref": "course-of-action--6a337cb5-9810-4fde-b26c-e0b6e47424e7", + "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "0.1", + "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--2302f090-74f9-4954-ae00-bff492115838", + "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", + "relationship_type": "mitigates", + "source_ref": "course-of-action--6a337cb5-9810-4fde-b26c-e0b6e47424e7", + "target_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
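Review bot: The course-of-action `6a337cb5…` (`MS-M9010`, "Restrict exec commands on pods") and both relationships that reference it are emitted with `"description": ""`, so the mitigation ships with no text at all and the relationship description, which elsewhere in this diff is the first sentence of the mitigation text, is empty as well. The removed side shows the same empty strings for `MS-M9018`, so this commit does not introduce the problem, but it regenerates the objects without addressing it; presumably the source file yields no description text and the generator falls back to `""`, though the parser is outside this hunk. Since `description` is optional in STIX, omitting the property when the text is empty, or failing the build when a mitigation has no body, would be preferable to publishing empty strings that downstream tooling will render as blank entries.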
@@ -2677,9 +2630,9 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--0223c63f-3d6c-4bf7-abc2-9d4239e49cd0", - "created": "2024-05-08T15:23:01.125419Z", - "modified": "2024-05-08T15:23:01.125419Z", + "id": "course-of-action--f7e1a334-e6b4-4304-810c-2e86945b3a86", + "created": "2024-05-15T03:39:57.878398Z", + "modified": "2024-05-15T03:39:57.878398Z", "name": "Restrict access to etcd", "description": "Access to etcd should be limited to the Kubernetes control plane only. Depending on your configuration, you should attempt to use etcd over TLS. This mitigation is relevant only to non-managed Kubernetes environment, as access to etcd in cloud managed clusters is already restricted.", "external_references": [ @@ -2696,13 +2649,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--51444f68-fe63-4319-bbcc-2c09a5c9a834", + "id": "relationship--c7a61598-c44a-43f1-bbdc-dc7977468cd9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.125521Z", - "modified": "2024-05-08T15:23:01.125521Z", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", "description": "Access to etcd should be limited to the Kubernetes control plane only", "relationship_type": "mitigates", - "source_ref": "course-of-action--0223c63f-3d6c-4bf7-abc2-9d4239e49cd0", + "source_ref": "course-of-action--f7e1a334-e6b4-4304-810c-2e86945b3a86", "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2714,48 +2667,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--7689d229-1186-4094-ad2c-a91e26a06dd7", - "created": "2024-05-08T15:23:01.127841Z", - "modified": "2024-05-08T15:23:01.127841Z", - "name": "Ensure that pods meet defined Pod Security Standards", - "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum. These policies are cumulative and range from highly-permissive to highly-restrictive. Decoupling policy definition from policy instantiation allows for a common understanding and consistent language of policies across clusters, independent of the underlying enforcement mechanism. At the same time, Kubernetes offers a built-in Pod Security admission controller to enforce the Pod Security Standards. Pod security restrictions are applied at the namespace level when pods are created.", + "id": "course-of-action--df4e2e90-5dc4-42c3-99a7-670f85d8bf9b", + "created": "2024-05-15T03:39:57.888875Z", + "modified": "2024-05-15T03:39:57.888875Z", + "name": "Use CNIs that are not prone to ARP poisoning", + "description": "Kubernetes default CNI (Kubenet) is prone to ARP poisoning. 
This allows pods to impersonate other pods in the cluster.\nUse alternative CNIs that are not prone to ARP poisoning in the cluster.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9017%20Ensure%20that%20pods%20meet%20defined%20Pod%20Security%20Standards/", - "external_id": "MS-M9017" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9028%20Use%20CNIs%20that%20are%20not%20prone%20to%20ARP%20poisoning/", + "external_id": "MS-M9028" } ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--3a7acb8c-842c-4448-9109-4fd286ba7bd4", - "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.127938Z", - "modified": "2024-05-08T15:23:01.127938Z", - "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum", - "relationship_type": "mitigates", - "source_ref": "course-of-action--7689d229-1186-4094-ad2c-a91e26a06dd7", - "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_domains": [ - "enterprise-attack" - ], - "x_mitre_version": "0.1", - "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--26d9ed03-0515-4527-9566-60c3a63bf48e", + "id": "relationship--d3a24ed6-a20a-427a-8728-747a9e9cc251", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.128015Z", - "modified": "2024-05-08T15:23:01.128015Z", - "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-25T08:08:39.000Z", + "description": "Kubernetes default CNI (Kubenet) is prone to ARP poisoning", "relationship_type": "mitigates", - 
"source_ref": "course-of-action--7689d229-1186-4094-ad2c-a91e26a06dd7", - "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", + "source_ref": "course-of-action--df4e2e90-5dc4-42c3-99a7-670f85d8bf9b", + "target_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -2766,32 +2701,29 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--11c6d64e-5d90-4529-94be-cc473c37f9a5", - "created": "2024-05-08T15:23:01.13165Z", - "modified": "2024-05-08T15:23:01.13165Z", - "name": "Restricting cloud metadata API access", - "description": "", + "id": "course-of-action--9cfb811a-846e-497c-bfac-e77693f6abf5", + "created": "2024-05-15T03:39:57.901088Z", + "modified": "2024-05-15T03:39:57.901088Z", + "name": "Allocate specific identities to pods", + "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity. This prevents other pods from accessing cloud identities that are not necessary for their operation. The features that implement this separation are: Azure AD Pod Identity (AKS), Azure AD Workload identity (AKS), IRSA (EKS) and GCP Workload Identity (GCP).", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9018%20Restricting%20cloud%20metadata%20API%20access/", - "external_id": "MS-M9018" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9019%20Allocate%20specific%20identities%20to%20pods/", + "external_id": "MS-M9019" } - ], - "x_mitre_ids": [ - "M1035" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9cfd33ce-2528-4e82-ab8a-df5174f05c32", + "id": "relationship--668359c0-229e-4837-8c37-3d08488c88bb", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.131768Z", - "modified": "2024-05-08T15:23:01.131768Z", - "description": "", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity", "relationship_type": "mitigates", - "source_ref": 
"course-of-action--11c6d64e-5d90-4529-94be-cc473c37f9a5", + "source_ref": "course-of-action--9cfb811a-846e-497c-bfac-e77693f6abf5", "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -2803,13 +2735,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--61c3b504-1806-4a67-af11-164a1c904f37", + "id": "relationship--8b302aa6-00b1-4fed-88a8-0f740277d6a6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.131862Z", - "modified": "2024-05-08T15:23:01.131862Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity", "relationship_type": "mitigates", - "source_ref": "course-of-action--11c6d64e-5d90-4529-94be-cc473c37f9a5", + "source_ref": "course-of-action--9cfb811a-846e-497c-bfac-e77693f6abf5", "target_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2818,17 +2750,33 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--d6506d30-d93b-4adb-aaa5-dc101f76c185", + "created": "2024-05-15T03:39:57.937564Z", + "modified": "2024-05-15T03:39:57.937564Z", + "name": "Use NodeRestriction admission controller", + "description": "NodeRestriction admission controller limits the permissions of kubelet and allows it to modify only its own Node object and only the pods that are running on its own node. This may limit attackers who have access to the Kubelet API from gaining full control over the cluster.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9027%20Use%20NodeRestriction%20admission%20controller/", + "external_id": "MS-M9027" + } + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--30b19dd5-db4d-4c84-8256-c658bce46c93", + "id": "relationship--b2cac5d0-9da1-4590-a36a-9f4df984adb0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.131933Z", - "modified": "2024-05-08T15:23:01.131933Z", - "description": "", - "relationship_type": "mitigates", - "source_ref": "course-of-action--11c6d64e-5d90-4529-94be-cc473c37f9a5", - "target_ref": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "NodeRestriction admission controller limits the permissions of kubelet and allows it to modify only its own Node object and only the pods that are running on its own node", + "relationship_type": "mitigates", + "source_ref": "course-of-action--d6506d30-d93b-4adb-aaa5-dc101f76c185", + "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
"enterprise-attack" 
@@ -2836,17 +2784,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--5e4fd4f0-94d4-47f7-a357-46f448722eaf", + "created": "2024-05-15T03:39:57.960968Z", + "modified": "2024-05-15T03:39:57.960968Z", + "name": "Network intrusion prevention", + "description": "Use intrusion detection signatures and web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster.\n\nAdapting the network intrusion prevention solution to Kubernetes environment might be needed to route network traffic destined to services through it.\nIn some cases, this will be done by deploying a containerized version of a network intrusion prevention solution to the Kubernetes cluster and be part of the cluster network, and in some cases, routing ingress traffic to Kubernetes services through an external appliance, requiring that all ingress traffic will only come from such an appliance.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9007%20Network%20intrusion%20prevention/", + "external_id": "MS-M9007" + } + ], + "x_mitre_ids": [ + "M1031" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--65208f94-dbff-4d67-9543-a49c72327f9a", + "id": "relationship--441effaa-fc37-4d35-a302-7dc72079b3f6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.132001Z", - "modified": "2024-05-08T15:23:01.132001Z", - "description": "", + "created": "2022-10-20T10:28:30.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use intrusion detection signatures and web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster", "relationship_type": "mitigates", - "source_ref": 
"course-of-action--11c6d64e-5d90-4529-94be-cc473c37f9a5", - "target_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", + "source_ref": "course-of-action--5e4fd4f0-94d4-47f7-a357-46f448722eaf", + "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -2857,33 +2824,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "created": "2024-05-08T15:23:01.142495Z", - "modified": "2024-05-08T15:23:01.142495Z", - "name": "Adhere to least-privilege principle", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions. This applies also to other, external, authorization providers such as Azure RBAC in AKS.\n\nIn managed cluster, Kubernetes credentials are often retrieved or generated by the cloud provider via API call. To reduce the attack surface, grant permissions to the cloud provider API only to necessary accounts. In the case of Azure, make sure that only required identities have permissions to call:/subscriptions/resourceGroups/providers/Microsoft.ContainerService/managedClusters/listClusterUserCredential\n\nKubeconfig file can contain credentials of accounts that allow interaction with a cluster. 
By applying least privileges principle to all accounts, can limit the impact of an account compromised through Kubeconfig file.\n\nKubernetes project also lists the following recommendations for permissions and role assignment best practices:", + "id": "course-of-action--fc86c66d-312b-40d2-a364-63e5c9730217", + "created": "2024-05-15T03:39:57.977696Z", + "modified": "2024-05-15T03:39:57.977696Z", + "name": "Disable service account auto mount", + "description": "", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9003%20Adhere%20to%20least-privilege%20principle/", - "external_id": "MS-M9003" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9025%20Disable%20service%20account%20auto%20mount/", + "external_id": "MS-M9025" } - ], - "x_mitre_ids": [ - "M1018" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--19f8e6fe-02ed-4095-91a6-92e18df62fe4", + "id": "relationship--1621a410-66d0-47b3-a2e6-f1ac69d2e400", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.142614Z", - "modified": "2024-05-08T15:23:01.142614Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "source_ref": "course-of-action--fc86c66d-312b-40d2-a364-63e5c9730217", + "target_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -2891,16 +2855,32 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--6ec9004b-0179-4fc8-8fe4-1f43cfdd6d2b", + "created": "2024-05-15T03:39:57.99612Z", + "modified": "2024-05-15T03:39:57.99612Z", + "name": "Enable Just In Time access to API server", + "description": "Employing Just In Time (JIT) elevated access to Kubernetes API server helps reduce the attack surface to the API server by compromised accounts by allowing access only at specific times, and through a governed escalation process. Enabling JIT access in Kubernetes is often done together with OpenID authentication which includes processes and tools to manage JIT access. One example of such OpenID authentication is Azure Active Directory authentication to Kubernetes clusters. The JIT approval is performed in the cloud control-plane level. Therefore, even if attackers have access to an account credentials, their access to the cluster is limited.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9006%20Enable%20Just%20In%20Time%20access%20to%20API%20server/", + "external_id": "MS-M9006" + } + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--46c56f83-318c-4e97-b46c-9f3ae3b081fc", + "id": "relationship--82fef1ca-0515-4996-89d5-92c7eddb27a7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.142694Z", - "modified": "2024-05-08T15:23:01.142694Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-27T17:00:14.000Z", + "description": "Employing Just In Time (JIT) elevated access to Kubernetes API server helps reduce the attack surface 
to the API server by compromised accounts by allowing access only at specific times, and through a governed escalation process", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", + "source_ref": "course-of-action--6ec9004b-0179-4fc8-8fe4-1f43cfdd6d2b", "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2909,16 +2889,35 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", + "created": "2024-05-15T03:39:58.025891Z", + "modified": "2024-05-15T03:39:58.025891Z", + "name": "Restrict over permissive containers", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster. This can include restricting privileged containers, containers with sensitive volumes, containers with excessive capabilities, and other signs of over permissive containers.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9013%20Restrict%20over%20permissive%20containers/", + "external_id": "MS-M9013" + } + ], + "x_mitre_ids": [ + "M1038" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--059abccd-2bb9-4c26-a720-e2b70fec315c", + "id": "relationship--e78b1260-67c2-4dba-9811-5671ecc86d4e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.142766Z", - "modified": "2024-05-08T15:23:01.142766Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", + "source_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": 
[ @@ -2930,13 +2929,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c25563e5-df67-4eb9-a38e-10cf72433219", + "id": "relationship--b7c28d09-b3e4-4ebf-9e30-dd341254a9bc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.142835Z", - "modified": "2024-05-08T15:23:01.142835Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", + "source_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2948,13 +2947,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--56609145-4706-4903-ba25-be7065847487", + "id": "relationship--47c55680-5536-46c0-93e2-7ba43eb9e776", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.142902Z", - "modified": "2024-05-08T15:23:01.142902Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", + "source_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", "target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2966,14 +2965,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--690fcf22-446b-4d66-a392-62b7cb419180", + "id": "relationship--b380fad0-5d5e-4390-ad96-97a5ac1203cc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.14297Z", - "modified": "2024-05-08T15:23:01.14297Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", + "source_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", + "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -2984,14 +2983,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--5cf19607-dffe-4d65-a952-5b76d622c8d8", + "id": "relationship--2f8329ae-7964-4398-b2fe-47ae58c8994b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143036Z", - "modified": "2024-05-08T15:23:01.143036Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", + "source_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", + "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3002,14 +3001,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--27423ae4-5d67-41d1-b053-4ff9b63c1eb5", + "id": "relationship--445c9b62-f257-4485-baed-1a57de978d8e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143104Z", - "modified": "2024-05-08T15:23:01.143104Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", + "source_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", + "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3020,13 +3019,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--4ba58c15-4a2d-47e7-9148-bbbd0ac1ee71", + "id": "relationship--60b78705-22c4-4c7f-8e76-e91f04453866", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.14317Z", - "modified": "2024-05-08T15:23:01.14317Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", + "source_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -3038,14 +3037,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--3fcf3afc-7c69-4425-9015-53926bf23f35", + "id": "relationship--0f8c253f-8051-4d59-b491-6c662b10d7df", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143235Z", - "modified": "2024-05-08T15:23:01.143235Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", + "source_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", + "target_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3056,14 +3055,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--b59f314e-f494-4ca6-9f68-403893c8ad81", + "id": "relationship--fbd533ab-0bd9-4325-bfcc-d83d673db51d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.14331Z", - "modified": "2024-05-08T15:23:01.14331Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "source_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", + "target_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3071,17 +3070,37 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--3a4e2340-96db-4bbe-9367-19bdb6c1721d", + "created": "2024-05-15T03:39:58.170667Z", + "modified": "2024-05-15T03:39:58.170667Z", + "name": "Restrict container runtime using LSM", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others. Linux security modules can restrict access to files, running processes, certain system calls and others. Also, dropping unnecessary Linux capabilities from the container runtime environment helps reduce the attack surface of such container.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9011%20Restrict%20container%20runtime%20using%20LSM/", + "external_id": "MS-M9011" + } + ], + "x_mitre_ids": [ + "M1038", + "M1040" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--5d41b5c6-291f-4418-9033-062d980536f2", + "id": "relationship--7453d151-70fa-441e-8832-94fd974fd186", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143382Z", - "modified": "2024-05-08T15:23:01.143382Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", + "source_ref": 
"course-of-action--3a4e2340-96db-4bbe-9367-19bdb6c1721d", + "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -3092,14 +3111,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--aef66010-24c9-469d-9e61-8fd1e364cbef", + "id": "relationship--6a6c93d0-188f-4119-ab20-91b17bdf32f3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143456Z", - "modified": "2024-05-08T15:23:01.143456Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", + "source_ref": "course-of-action--3a4e2340-96db-4bbe-9367-19bdb6c1721d", + "target_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3110,14 +3129,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--621981c6-f3b5-4e15-acd8-544647a7e4a9", + "id": "relationship--436ea5cb-3d1b-44fc-bb05-d996cf30808a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143522Z", - "modified": "2024-05-08T15:23:01.143522Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", + "source_ref": "course-of-action--3a4e2340-96db-4bbe-9367-19bdb6c1721d", + "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3128,14 +3147,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1be627dd-375b-4c63-b321-a7e84c8c4a6f", + "id": "relationship--823d7851-b594-47d3-97ed-a9c568978f7b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143588Z", - "modified": "2024-05-08T15:23:01.143588Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "source_ref": "course-of-action--3a4e2340-96db-4bbe-9367-19bdb6c1721d", + "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3146,14 +3165,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--30fa1766-baae-4c3a-9257-2eafddc67bf9", + "id": "relationship--6cac8de5-3b27-49a4-8c07-cb2d15647466", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143661Z", - "modified": "2024-05-08T15:23:01.143661Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", + "source_ref": "course-of-action--3a4e2340-96db-4bbe-9367-19bdb6c1721d", + "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3164,14 +3183,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--45dec0fe-060f-4283-965a-662f5aad46c6", + "id": "relationship--41040ed7-7abb-4f07-bd4e-042144c5cbfc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143726Z", - "modified": "2024-05-08T15:23:01.143726Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", + "source_ref": "course-of-action--3a4e2340-96db-4bbe-9367-19bdb6c1721d", + "target_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3182,14 +3201,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--ae9aef0c-27d9-475e-b7fb-08332ae5b518", + "id": "relationship--82b39550-3b6a-4195-af43-2475c0f99035", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143793Z", - "modified": "2024-05-08T15:23:01.143793Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", + "source_ref": "course-of-action--3a4e2340-96db-4bbe-9367-19bdb6c1721d", + "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3197,17 +3216,33 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--f112a1ed-8a40-4df5-9315-ecebbc4d886f", + "created": "2024-05-15T03:39:58.266117Z", + "modified": "2024-05-15T03:39:58.266117Z", + "name": "Restrict the usage of unauthenticated APIs in the cluster", + "description": "Some unmanaged clusters are misconfigured such as anonymous access is accepted by the Kubernetes API server. Make sure that the Kubernetes API is configured properly, and authentication and authorization mechanisms are set.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9021%20Restrict%20the%20usage%20of%20unauthenticated%20APIs%20in%20the%20cluster/", + "external_id": "MS-M9021" + } + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--7a103bef-f288-4179-860b-39e0f3a95609", + "id": "relationship--125fd123-9f94-4bed-9ff1-a4cc5ae59c1d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143859Z", - "modified": "2024-05-08T15:23:01.143859Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Some unmanaged clusters are misconfigured such as anonymous access is accepted by the Kubernetes API server", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "source_ref": "course-of-action--f112a1ed-8a40-4df5-9315-ecebbc4d886f", + "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "x_mitre_attack_spec_version": "2.1.0", 
"x_mitre_domains": [ "enterprise-attack" 
@@ -3218,33 +3253,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", - "created": "2024-05-08T15:23:01.147505Z", - "modified": "2024-05-08T15:23:01.147505Z", - "name": "Network segmentation", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster. This includes inner-cluster communication as well as ingress\\egress traffic to\\from the cluster. Network Policies are a native K8s solution for networking restrictions in the cluster.", + "id": "course-of-action--a247c53d-e7a6-4d80-aa48-6fe42967652c", + "created": "2024-05-15T03:39:58.279406Z", + "modified": "2024-05-15T03:39:58.279406Z", + "name": "Avoid running management interface on containers", + "description": "Avoid running SSH daemon, as well as other management interfaces, if they aren\u2019t necessary for the application\u2019s functionality.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9014%20Network%20segmentation/", - "external_id": "MS-M9014" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9015%20Avoid%20running%20management%20interface%20on%20containers/", + "external_id": "MS-M9015" } ], "x_mitre_ids": [ - "M1030" + "M1042" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--f8a571d5-ea3d-496e-8943-bcfc0103b575", + "id": "relationship--b9f4b92e-b977-4971-a42d-84dd123d2f73", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.14761Z", - "modified": "2024-05-08T15:23:01.14761Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Avoid running SSH daemon, as well as other management interfaces, if they aren\u2019t necessary for the application\u2019s 
functionality", "relationship_type": "mitigates", - "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", - "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "source_ref": "course-of-action--a247c53d-e7a6-4d80-aa48-6fe42967652c", + "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3252,17 +3287,33 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--1dced729-7647-4645-bc44-44a8e0ec09c6", + "created": "2024-05-15T03:39:58.290604Z", + "modified": "2024-05-15T03:39:58.290604Z", + "name": "Avoid using plain text credentials", + "description": "Avoid using plain text credentials in configuration files. Use Kubernetes secrets or cloud secret store instead. This prevents unwanted access to plaintext credentials in source code, configuration files and Kubernetes objects.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9026%20Avoid%20using%20plain%20text%20credentials/", + "external_id": "MS-M9026" + } + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--a73b5a9d-acd5-4fea-a45c-482f2a7631bf", + "id": "relationship--feee0640-5a1c-4b1a-aee7-8ecf910ffa54", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.147691Z", - "modified": "2024-05-08T15:23:01.147691Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Avoid using plain text credentials in configuration files", "relationship_type": "mitigates", - "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", - "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "source_ref": "course-of-action--1dced729-7647-4645-bc44-44a8e0ec09c6", + "target_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3270,17 +3321,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--47f9cbda-6403-4d2b-9b59-6a992d1f5980", + "created": "2024-05-15T03:39:58.300022Z", + "modified": "2024-05-15T03:39:58.300022Z", + "name": "Limit access to services over network", + "description": "Avoid exposing sensitive interfaces insecurely to the Internet or limit access to it. Sensitive interfaces includes management tools and applications that allow creation of new containers in the cluster. Some of those services does not use authentication by default and are not intended to be exposed. Examples of services that were exploited: Weave Scope, Apache NiFi and more.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9008%20Limit%20access%20to%20services%20over%20network/", + "external_id": "MS-M9008" + } + ], + "x_mitre_ids": [ + "M1035" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--41d76943-df71-46e1-af89-a256a85aa9aa", + "id": "relationship--d2069d2d-a20a-4b3e-a027-acd5908ae5e8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.147761Z", - "modified": "2024-05-08T15:23:01.147761Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-20T10:28:30.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Avoid exposing sensitive interfaces insecurely to the Internet or limit access to it", "relationship_type": "mitigates", - "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", - "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "source_ref": "course-of-action--47f9cbda-6403-4d2b-9b59-6a992d1f5980", + "target_ref": 
"attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3288,17 +3358,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--9f619244-0b94-4acb-9b2a-f2f114255201", + "created": "2024-05-15T03:39:58.31433Z", + "modified": "2024-05-15T03:39:58.31433Z", + "name": "Collect logs to remote data storage", + "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion. This can be achieved by various open-source tools such as Fluentd. Also, built-in cloud solutions are available for managed clusters, such as Container Insights and Log Analytics in AKS and Cloud Logging in GKE.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9020%20Collect%20logs%20to%20remote%20data%20storage/", + "external_id": "MS-M9020" + } + ], + "x_mitre_ids": [ + "M1029" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c96c9e19-f90b-467b-9acd-257e04ae50a7", + "id": "relationship--514630be-e767-4d04-9498-748c96fed3fd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.147831Z", - "modified": "2024-05-08T15:23:01.147831Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion", "relationship_type": "mitigates", - "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", - "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "source_ref": "course-of-action--9f619244-0b94-4acb-9b2a-f2f114255201", + "target_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", "x_mitre_attack_spec_version": 
"2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -3309,14 +3398,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--172f7807-6ce2-4b72-839f-c09169437aa3", + "id": "relationship--d92430ae-9da0-403a-a71c-e4c9ab7bcb79", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.147905Z", - "modified": "2024-05-08T15:23:01.147905Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion", "relationship_type": "mitigates", - "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", - "target_ref": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", + "source_ref": "course-of-action--9f619244-0b94-4acb-9b2a-f2f114255201", + "target_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3324,17 +3413,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--ee1c2574-0cf7-49ac-9eb8-9dca7c3b9b6a", + "created": "2024-05-15T03:39:58.351488Z", + "modified": "2024-05-15T03:39:58.351488Z", + "name": "Restricting cloud metadata API access", + "description": "", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9018%20Restricting%20cloud%20metadata%20API%20access/", + "external_id": "MS-M9018" + } + ], + "x_mitre_ids": [ + "M1035" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--88b9667b-ed8a-4390-b442-38f6034f65fe", + "id": "relationship--21c72327-1686-4bb2-aafa-29fc826de0f4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.147977Z", - "modified": "2024-05-08T15:23:01.147977Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", - "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", + "source_ref": "course-of-action--ee1c2574-0cf7-49ac-9eb8-9dca7c3b9b6a", + "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3345,14 +3453,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--932c3ddb-6fbf-4877-b681-6fa637df55d8", + "id": "relationship--4d297883-fc17-426c-8501-949f04b4b670", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.148044Z", - "modified": "2024-05-08T15:23:01.148044Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", - "target_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", + "source_ref": "course-of-action--ee1c2574-0cf7-49ac-9eb8-9dca7c3b9b6a", + "target_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3360,37 +3468,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", - "created": "2024-05-08T15:23:01.151887Z", - "modified": "2024-05-08T15:23:01.151887Z", - "name": "Restrict container runtime using LSM", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others. Linux security modules can restrict access to files, running processes, certain system calls and others. Also, dropping unnecessary Linux capabilities from the container runtime environment helps reduce the attack surface of such container.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9011%20Restrict%20container%20runtime%20using%20LSM/", - "external_id": "MS-M9011" - } - ], - "x_mitre_ids": [ - "M1038", - "M1040" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--ea20a874-c3f9-44cf-929c-61c793cecbfc", + "id": "relationship--7a5e857e-7a4b-4759-a40c-60d29efec3e3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.151995Z", - "modified": "2024-05-08T15:23:01.151995Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", - "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "source_ref": "course-of-action--ee1c2574-0cf7-49ac-9eb8-9dca7c3b9b6a", + "target_ref": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -3401,14 +3489,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--8797c606-b9ba-4cc3-b00a-80bd84cdebb1", + "id": "relationship--6967d9ed-e1ed-47bf-b3ec-d1f8f81c063d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.152075Z", - "modified": "2024-05-08T15:23:01.152075Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", - "target_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", + "source_ref": "course-of-action--ee1c2574-0cf7-49ac-9eb8-9dca7c3b9b6a", + "target_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3416,17 +3504,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--b21ae259-0569-4d32-8dab-57852c779511", + "created": "2024-05-15T03:39:58.441929Z", + "modified": "2024-05-15T03:39:58.441929Z", + "name": "Restrict access to the API server using IP firewall", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster.\nIn managed clusters, cloud providers often support native built-in firewall which can restrict the IP addresses that are allowed to access the API server.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9002%20Restrict%20access%20to%20the%20API%20server%20using%20IP%20firewall/", + "external_id": "MS-M9002" + } + ], + "x_mitre_ids": [ + "M1035" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--32aa3123-080a-443c-b57e-ffd73a50cdb2", + "id": "relationship--a88aae08-b346-4048-aca7-8f39eff62238", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.152147Z", - "modified": "2024-05-08T15:23:01.152147Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", - "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "source_ref": 
"course-of-action--b21ae259-0569-4d32-8dab-57852c779511", + "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -3437,14 +3544,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1baaa766-7e3e-4c92-bd54-f16bc55d66a4", + "id": "relationship--db1ed7de-b7b3-49af-8a60-2a218e26257f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.152215Z", - "modified": "2024-05-08T15:23:01.152215Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", - "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "source_ref": "course-of-action--b21ae259-0569-4d32-8dab-57852c779511", + "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3455,14 +3562,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--02aaeb8c-105c-46bc-9349-5c892629abc5", + "id": "relationship--83652b7a-c311-4c31-80f1-1213523c6be6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.152288Z", - "modified": "2024-05-08T15:23:01.152288Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", - "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", + "source_ref": "course-of-action--b21ae259-0569-4d32-8dab-57852c779511", + "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3473,14 +3580,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--4ed2fb12-8fd9-49e4-848e-61cc48626c1f", + "id": "relationship--58f37654-7f31-4431-abe2-a2ae532a73db", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.152355Z", - "modified": "2024-05-08T15:23:01.152355Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", - "target_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", + "source_ref": "course-of-action--b21ae259-0569-4d32-8dab-57852c779511", + "target_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3491,13 +3598,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9ad82aa9-d56b-4a88-8362-fda4c6a2b347", + "id": "relationship--356c0b42-b5b2-471a-8afa-b64d58931f89", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.152422Z", - "modified": "2024-05-08T15:23:01.152422Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", + "source_ref": "course-of-action--b21ae259-0569-4d32-8dab-57852c779511", "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -3509,30 +3616,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--91d97c14-a002-47d5-8b73-aadd757ed2d1", - "created": "2024-05-08T15:23:01.154072Z", - "modified": "2024-05-08T15:23:01.154072Z", - "name": "Set requests and limits for containers", - "description": "Set requests and limits for each container to avoid resource contention and DoS attacks.", + "id": "course-of-action--3829223f-1341-45b8-8b2a-e914b027e677", + "created": "2024-05-15T03:39:58.537002Z", + "modified": "2024-05-15T03:39:58.537002Z", + "name": "Use cloud storage provider", + "description": "Use cloud storage services, such as Azure Files, for storing the application\u2019s data. Kubernetes integrates with all main cloud provider storage services as storage providers for pod volumes. This allows leveraging cloud storage capabilities such as backup and snapshots.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9029%20Set%20requests%20and%20limits%20for%20containers/", - "external_id": "MS-M9029" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9030%20Use%20cloud%20storage%20provider/", + "external_id": "MS-M9030" } ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c2d01ad0-290e-4a89-ae7c-8560e5e0ce6f", + "id": "relationship--cb8676e6-1c28-47f1-bfab-1e3361101981", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.154258Z", - "modified": "2024-05-08T15:23:01.154258Z", - "description": "Set requests and limits for each container to avoid resource contention and DoS attacks", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use cloud storage services, such as Azure Files, for storing the application\u2019s data", "relationship_type": "mitigates", - "source_ref": 
"course-of-action--91d97c14-a002-47d5-8b73-aadd757ed2d1", - "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", + "source_ref": "course-of-action--3829223f-1341-45b8-8b2a-e914b027e677", + "target_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3543,30 +3650,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--817d514e-58a7-4163-b17b-a465f985291e", - "created": "2024-05-08T15:23:01.157008Z", - "modified": "2024-05-08T15:23:01.157008Z", - "name": "Require strong authentication to services", - "description": "Use strong authentication when exposing sensitive interfaces to the Internet. For example, attacks were observed against exposed Kubeflow and Argo workloads that were not configured to use OpenID Connect or other authentication methods.\n\nUse strong authentication methods to the Kubernetes API that will prevent attackers from gaining access to the cluster even if valid credentials such as kubeconfig were achieved. For example, in AKS use AAD authentication instead of basic authentication. By using AAD authentication, a short-lived credential of the cluster is retrieved after authenticating to AAD.", + "id": "course-of-action--b6e4e5f7-c8ba-4ee8-96d9-8da03cec0d6e", + "created": "2024-05-15T03:39:58.564007Z", + "modified": "2024-05-15T03:39:58.564007Z", + "name": "Restrict file and directory permissions", + "description": "", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9009%20Require%20strong%20authentication%20to%20services/", - "external_id": "MS-M9009" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9016%20Restrict%20file%20and%20directory%20permissions/", + "external_id": "MS-M9016" } + ], + "x_mitre_ids": [ + "M1022" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--062c9dc9-2781-4bab-af67-e95556bf14c6", + "id": "relationship--cdde0114-2b9f-4c5b-8780-51dbf7f71135", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.157109Z", - "modified": "2024-05-08T15:23:01.157109Z", - "description": "Use strong authentication when exposing sensitive interfaces to the 
Internet", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--817d514e-58a7-4163-b17b-a465f985291e", - "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", + "source_ref": "course-of-action--b6e4e5f7-c8ba-4ee8-96d9-8da03cec0d6e", + "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -3577,14 +3687,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--42cedd8a-eaac-4a78-8876-1655bb621c05", + "id": "relationship--79f638dd-87ae-46f4-b151-386bb5c41447", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.157188Z", - "modified": "2024-05-08T15:23:01.157188Z", - "description": "Use strong authentication when exposing sensitive interfaces to the Internet", + "created": "2022-10-25T12:26:46.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--817d514e-58a7-4163-b17b-a465f985291e", - "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "source_ref": "course-of-action--b6e4e5f7-c8ba-4ee8-96d9-8da03cec0d6e", + "target_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3595,14 +3705,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--b0490e7e-61ae-45e6-b59a-6aeabd80803f", + "id": "relationship--0bdfc67c-4329-468f-9bbd-6adf54a80fa2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.157259Z", - "modified": "2024-05-08T15:23:01.157259Z", - "description": "Use strong authentication when exposing sensitive interfaces to the Internet", + "created": "2022-10-25T14:08:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--817d514e-58a7-4163-b17b-a465f985291e", - "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "source_ref": "course-of-action--b6e4e5f7-c8ba-4ee8-96d9-8da03cec0d6e", + "target_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3613,33 +3723,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--0260614b-819f-4d36-b407-e580354969ae", - "created": "2024-05-08T15:23:01.159464Z", - "modified": "2024-05-08T15:23:01.159464Z", - "name": "Use managed secret store", - "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster. This allows cloud-level management of the secret which includes permission management, expiration management, secret rotation, auditing, etc. The integration of cloud secret stores with Kubernetes is done by using Secrets Store CSI Driver, which is implemented by all major cloud providers.", + "id": "course-of-action--34edc12a-ddc3-429f-9ea4-4ad37044d8a1", + "created": "2024-05-15T03:39:58.616955Z", + "modified": "2024-05-15T03:39:58.616955Z", + "name": "Remove tools from container images", + "description": "Attackers often use built-in executables to run their malicious code. Removing unused executables from the image filesystem can prevent such activity. 
Examples of executables that are commonly used in malicious activity include: sh, bash, curl, wget, chmod and more.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9022%20Use%20managed%20secret%20store/", - "external_id": "MS-M9022" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9012%20Remove%20tools%20from%20container%20images/", + "external_id": "MS-M9012" } ], "x_mitre_ids": [ - "M1029" + "M1042" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c3ef337b-3a4a-4309-99f1-6ee18355d712", + "id": "relationship--08b303cc-0d92-495a-acbb-1adc186b05e5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.159564Z", - "modified": "2024-05-08T15:23:01.159564Z", - "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Attackers often use built-in executables to run their malicious code", "relationship_type": "mitigates", - "source_ref": "course-of-action--0260614b-819f-4d36-b407-e580354969ae", - "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "source_ref": "course-of-action--34edc12a-ddc3-429f-9ea4-4ad37044d8a1", + "target_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3650,14 +3760,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--a79d2424-894b-4835-b857-beef9ee7c3ca", + "id": "relationship--5d2dae31-6d25-4949-af0c-9ab2205b6d89", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.159642Z", - "modified": "2024-05-08T15:23:01.159642Z", - "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Attackers often use built-in executables to run their malicious code", "relationship_type": "mitigates", - "source_ref": "course-of-action--0260614b-819f-4d36-b407-e580354969ae", - "target_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "source_ref": "course-of-action--34edc12a-ddc3-429f-9ea4-4ad37044d8a1", + "target_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3668,30 +3778,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--0ec118e3-21ba-4958-9f5d-f1b6e1f01f45", - "created": "2024-05-08T15:23:01.161342Z", - "modified": "2024-05-08T15:23:01.161342Z", - "name": "Use cloud storage provider", - "description": "Use cloud storage services, such as Azure Files, for storing the application\u2019s data. Kubernetes integrates with all main cloud provider storage services as storage providers for pod volumes. This allows leveraging cloud storage capabilities such as backup and snapshots.", + "id": "course-of-action--2d6b7435-ac3a-4c34-8b6e-3cff28c46741", + "created": "2024-05-15T03:39:58.665283Z", + "modified": "2024-05-15T03:39:58.665283Z", + "name": "Network segmentation", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster. This includes inner-cluster communication as well as ingress\\egress traffic to\\from the cluster. Network Policies are a native K8s solution for networking restrictions in the cluster.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9030%20Use%20cloud%20storage%20provider/", - "external_id": "MS-M9030" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9014%20Network%20segmentation/", + "external_id": "MS-M9014" } + ], + "x_mitre_ids": [ + "M1030" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--522c6538-e8a2-4aa7-922c-56c17e658b03", + "id": "relationship--125dc6ef-4d0c-40ba-85a0-c12181500b21", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.161439Z", - "modified": "2024-05-08T15:23:01.161439Z", - "description": "Use cloud storage services, such as Azure Files, for storing the application\u2019s data", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and 
outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--0ec118e3-21ba-4958-9f5d-f1b6e1f01f45", - "target_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "source_ref": "course-of-action--2d6b7435-ac3a-4c34-8b6e-3cff28c46741", + "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
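Review bot: In this hunk the relationship's new `created` (`2022-10-23T12:48:12.000Z`) and `modified` (`2022-10-31T06:43:11.000Z`) predate the `created` of the course-of-action it points to via `source_ref` (`course-of-action--2d6b7435-…`, created `2024-05-15T03:39:58.665283Z`), so the bundle now asserts a relationship that existed before the object it references. STIX consumers that order objects by `created` or resolve versions by `modified` will see an inconsistent graph, and any "newest version wins" merge would keep the 2024 course-of-action while treating the relationship as two years stale. From the output it looks like relationships now take their dates from git history while course-of-action objects still take theirs from the build clock (build-day timestamp, microsecond precision); if that is the intent, the course-of-action should get the same git-derived `created`/`modified`, or the relationship's timestamps should be clamped to be no earlier than its source object's, e.g. `"created": max(git_created, source_created)`. I can only infer the generator's behaviour from this generated file, so please confirm against the code that emits these objects.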
@@ -3699,36 +3812,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--b4cebd89-9ab3-4646-92da-956b57101e44", - "created": "2024-05-08T15:23:01.163165Z", - "modified": "2024-05-08T15:23:01.163165Z", - "name": "Implement data backup strategy", - "description": "Take and store data backups from pod mounted volumes for critical workloads. Ensure backup and storage systems are hardened and kept separate from the Kubernetes environment to prevent compromise.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9031%20Implement%20data%20backup%20strategy/", - "external_id": "MS-M9031" - } - ], - "x_mitre_ids": [ - "M1053" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--adab1f1e-02de-4dc2-9739-fd7ec60bfa44", + "id": "relationship--825453da-b62f-4834-91b6-62a2b063ac32", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.163263Z", - "modified": "2024-05-08T15:23:01.163263Z", - "description": "Take and store data backups from pod mounted volumes for critical workloads", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--b4cebd89-9ab3-4646-92da-956b57101e44", - "target_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "source_ref": "course-of-action--2d6b7435-ac3a-4c34-8b6e-3cff28c46741", + "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3736,36 +3830,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--15d09dcd-c393-4457-b1ca-2bc8d553b6f5", - "created": "2024-05-08T15:23:01.165148Z", - "modified": "2024-05-08T15:23:01.165148Z", - "name": "Multi-factor authentication", - "description": "Using multi-factor authentication for accounts can prevent unauthorized access in case an adversary achieves access to the account credentials. This can reduce the risk in case an adversary achieved valid credentials to an account that has permissions to the Kubernetes cluster.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9001%20Multi-factor%20authentication/", - "external_id": "MS-M9001" - } - ], - "x_mitre_ids": [ - "M1032" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--6d794426-0ee7-4338-acca-247a712eff03", + "id": "relationship--be98309f-02c6-4dd9-be17-5461b670655a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.165242Z", - "modified": "2024-05-08T15:23:01.165242Z", - "description": "Using multi-factor authentication for accounts can prevent unauthorized access in case an adversary achieves access to the account credentials", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--15d09dcd-c393-4457-b1ca-2bc8d553b6f5", - "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "source_ref": "course-of-action--2d6b7435-ac3a-4c34-8b6e-3cff28c46741", + "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": 
[ "enterprise-attack" @@ -3773,32 +3848,16 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--94491ee8-7e32-48f1-85c5-4b87864541ab", - "created": "2024-05-08T15:23:01.166941Z", - "modified": "2024-05-08T15:23:01.166941Z", - "name": "Use NodeRestriction admission controller", - "description": "NodeRestriction admission controller limits the permissions of kubelet and allows it to modify only its own Node object and only the pods that are running on its own node. This may limit attackers who have access to the Kubelet API from gaining full control over the cluster.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9027%20Use%20NodeRestriction%20admission%20controller/", - "external_id": "MS-M9027" - } - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--36f88ce0-287b-4ce4-b13f-8fe666379a39", + "id": "relationship--828dc85a-5944-46c0-a41a-bcfcdd8c017d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.167037Z", - "modified": "2024-05-08T15:23:01.167037Z", - "description": "NodeRestriction admission controller limits the permissions of kubelet and allows it to modify only its own Node object and only the pods that are running on its own node", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--94491ee8-7e32-48f1-85c5-4b87864541ab", + "source_ref": "course-of-action--2d6b7435-ac3a-4c34-8b6e-3cff28c46741", "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -3808,32 +3867,34 @@ "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { - "type": "course-of-action", + "type": "relationship", "spec_version": "2.1", - "id": "course-of-action--cf428e21-ea85-4cdb-b4b5-b13f82a1b707", - "created": "2024-05-08T15:23:01.16916Z", - "modified": "2024-05-08T15:23:01.16916Z", - "name": "Restrict exec commands on pods", - "description": "", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9010%20Restrict%20exec%20commands%20on%20pods/", - "external_id": "MS-M9010" - } - ] + "id": "relationship--02d31c2e-4326-4068-a3ba-24d2b58cfacc", + "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "relationship_type": "mitigates", + "source_ref": "course-of-action--2d6b7435-ac3a-4c34-8b6e-3cff28c46741", + "target_ref": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "0.1", + "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c9bf917c-a264-44c7-ba43-8a1ee750d906", + "id": "relationship--00a0c780-7ef5-4525-9fe5-76adab49c046", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.169269Z", - "modified": "2024-05-08T15:23:01.169269Z", - "description": "", + "created": "2022-10-31T06:43:11.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--cf428e21-ea85-4cdb-b4b5-b13f82a1b707", - "target_ref": 
"attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "source_ref": "course-of-action--2d6b7435-ac3a-4c34-8b6e-3cff28c46741", + "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -3844,14 +3905,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--ae8e9fe9-5da8-4f57-89f1-40980305084b", + "id": "relationship--e49f5a7e-6a59-486c-8418-e9be6b4e4b50", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.169349Z", - "modified": "2024-05-08T15:23:01.169349Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--cf428e21-ea85-4cdb-b4b5-b13f82a1b707", - "target_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", + "source_ref": "course-of-action--2d6b7435-ac3a-4c34-8b6e-3cff28c46741", + "target_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3862,30 +3923,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--11aa8351-d3ce-4944-9be0-da15142d7160", - "created": "2024-05-08T15:23:01.171336Z", - "modified": "2024-05-08T15:23:01.171336Z", - "name": "Avoid using web-hosted manifest for Kubelet", - "description": "", + "id": "course-of-action--e2f1f3d4-c5cc-4358-bb8f-65c0973d9197", + "created": "2024-05-15T03:39:58.801554Z", + "modified": "2024-05-15T03:39:58.801554Z", + "name": "Multi-factor authentication", + "description": "Using multi-factor authentication for accounts can prevent unauthorized access in case an adversary achieves access to the account credentials. This can reduce the risk in case an adversary achieved valid credentials to an account that has permissions to the Kubernetes cluster.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9032%20Avoid%20using%20web-hosted%20manifest%20for%20Kubelet/", - "external_id": "MS-M9032" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9001%20Multi-factor%20authentication/", + "external_id": "MS-M9001" } + ], + "x_mitre_ids": [ + "M1032" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--5ee4a054-cb3c-4089-ac69-3a15443614a7", + "id": "relationship--327caaad-bf9c-40d1-8613-882e155ae89b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.171462Z", - "modified": "2024-05-08T15:23:01.171462Z", - "description": "", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Using multi-factor authentication for accounts can prevent unauthorized access in case an adversary achieves access to the account credentials", "relationship_type": "mitigates", - "source_ref": "course-of-action--11aa8351-d3ce-4944-9be0-da15142d7160", - "target_ref": 
"attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", + "source_ref": "course-of-action--e2f1f3d4-c5cc-4358-bb8f-65c0973d9197", + "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3896,33 +3960,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", - "created": "2024-05-08T15:23:01.174809Z", - "modified": "2024-05-08T15:23:01.174809Z", - "name": "Restrict access to the API server using IP firewall", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster.\nIn managed clusters, cloud providers often support native built-in firewall which can restrict the IP addresses that are allowed to access the API server.", + "id": "course-of-action--2190c012-fadb-4384-a8ea-9b716f16c130", + "created": "2024-05-15T03:39:58.824902Z", + "modified": "2024-05-15T03:39:58.824902Z", + "name": "Set requests and limits for containers", + "description": "Set requests and limits for each container to avoid resource contention and DoS attacks.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9002%20Restrict%20access%20to%20the%20API%20server%20using%20IP%20firewall/", - "external_id": "MS-M9002" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9029%20Set%20requests%20and%20limits%20for%20containers/", + "external_id": "MS-M9029" } - ], - "x_mitre_ids": [ - "M1035" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--fded3496-f58e-4fa8-976d-23792a584ef7", + "id": "relationship--53660289-54b2-48a3-a211-8712940f8a4d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.174977Z", - "modified": "2024-05-08T15:23:01.174977Z", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + 
"description": "Set requests and limits for each container to avoid resource contention and DoS attacks", "relationship_type": "mitigates", - "source_ref": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", - "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "source_ref": "course-of-action--2190c012-fadb-4384-a8ea-9b716f16c130", + "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3930,17 +3991,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "created": "2024-05-15T03:39:58.873258Z", + "modified": "2024-05-15T03:39:58.873258Z", + "name": "Adhere to least-privilege principle", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions. This applies also to other, external, authorization providers such as Azure RBAC in AKS.\n\nIn managed cluster, Kubernetes credentials are often retrieved or generated by the cloud provider via API call. To reduce the attack surface, grant permissions to the cloud provider API only to necessary accounts. In the case of Azure, make sure that only required identities have permissions to call:/subscriptions/resourceGroups/providers/Microsoft.ContainerService/managedClusters/listClusterUserCredential\n\nKubeconfig file can contain credentials of accounts that allow interaction with a cluster. 
By applying least privileges principle to all accounts, can limit the impact of an account compromised through Kubeconfig file.\n\nKubernetes project also lists the following recommendations for permissions and role assignment best practices:", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9003%20Adhere%20to%20least-privilege%20principle/", + "external_id": "MS-M9003" + } + ], + "x_mitre_ids": [ + "M1018" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--812e7837-20b0-44ae-a0d1-99d2278c5ea3", + "id": "relationship--75404984-d19a-485b-8d2a-dadd3a68da94", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.175071Z", - "modified": "2024-05-08T15:23:01.175071Z", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", - "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3951,14 +4031,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--67588996-c1c1-4ca6-b8e6-bf148a7ab816", + "id": "relationship--5baeb2ee-2860-49b6-b17a-0ff4d816da9c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.175145Z", - "modified": "2024-05-08T15:23:01.175145Z", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", - "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3969,14 +4049,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--21f02379-2691-4f7b-b04c-3c5b717a47de", + "id": "relationship--c2889066-6374-4319-a253-ac2c3cffaf0a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.175219Z", - "modified": "2024-05-08T15:23:01.175219Z", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", - "target_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3987,14 +4067,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c0a1afd7-450a-49aa-9535-fad35b0b8ca5", + "id": "relationship--a9073c2e-b070-45d8-808a-826397daf4d1", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.175281Z", - "modified": "2024-05-08T15:23:01.175281Z", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", - "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4002,36 +4082,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--03870e17-f26d-470e-9f22-65a7af305686", - "created": "2024-05-08T15:23:01.177457Z", - "modified": "2024-05-08T15:23:01.177457Z", - "name": "Limit access to services over network", - "description": "Avoid exposing sensitive interfaces insecurely to the Internet or limit access to it. Sensitive interfaces includes management tools and applications that allow creation of new containers in the cluster. Some of those services does not use authentication by default and are not intended to be exposed. Examples of services that were exploited: Weave Scope, Apache NiFi and more.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9008%20Limit%20access%20to%20services%20over%20network/", - "external_id": "MS-M9008" - } - ], - "x_mitre_ids": [ - "M1035" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--436ba6cd-33fb-4799-bcfd-ec9febd3060b", + "id": "relationship--4363a839-d70d-44ca-a38b-4c2be75ce31a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.17757Z", - "modified": "2024-05-08T15:23:01.17757Z", - "description": "Avoid exposing sensitive interfaces insecurely to the Internet or limit access to it", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--03870e17-f26d-470e-9f22-65a7af305686", - "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + 
"target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4039,36 +4100,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "created": "2024-05-08T15:23:01.182138Z", - "modified": "2024-05-08T15:23:01.182138Z", - "name": "Restrict over permissive containers", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster. This can include restricting privileged containers, containers with sensitive volumes, containers with excessive capabilities, and other signs of over permissive containers.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9013%20Restrict%20over%20permissive%20containers/", - "external_id": "MS-M9013" - } - ], - "x_mitre_ids": [ - "M1038" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--0ccc5fc7-02fb-4ae4-abdb-1d49359bc079", + "id": "relationship--3dd59f3a-1a7a-4a24-8bce-ca0783fe8c21", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.182252Z", - "modified": "2024-05-08T15:23:01.182252Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": 
"attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -4079,14 +4121,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--02bed0a4-ddf4-456e-afeb-6173869b8843", + "id": "relationship--0952d0d8-68cb-4da5-a9fc-b27d7401b413", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.182335Z", - "modified": "2024-05-08T15:23:01.182335Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4097,14 +4139,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--fe7996f1-78aa-4db5-a91f-0431ed0980c1", + "id": "relationship--05761725-e2a0-45e8-9e75-98bb1afd3c7e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.182408Z", - "modified": "2024-05-08T15:23:01.182408Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4115,14 +4157,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9bbc5221-f86e-4a12-b517-4ee49a8ee18a", + "id": "relationship--aae2d0cf-2913-4d91-8bde-42c1013c5481", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.182481Z", - "modified": "2024-05-08T15:23:01.182481Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4133,14 +4175,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--4c290472-432f-4a14-a274-df64e034e145", + "id": "relationship--b084805c-8c2a-4eea-acd0-7bd270534836", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.182548Z", - "modified": "2024-05-08T15:23:01.182548Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4151,14 +4193,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--bc3c5c8b-d241-4510-9784-f8dfb5834759", + "id": "relationship--3d16ea91-7f1e-4a1f-8891-51d9b2060596", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.182615Z", - "modified": "2024-05-08T15:23:01.182615Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4169,14 +4211,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--16ad6a7b-4c9c-4c2d-970f-141c688c62c9", + "id": "relationship--fe1f3e78-4984-40c4-8f61-c7ed410e682b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.182685Z", - "modified": "2024-05-08T15:23:01.182685Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4187,14 +4229,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--70d230fd-d5a4-467b-879c-ba44e8d3ef7f", + "id": "relationship--efebe6bb-016d-4b38-b013-2738511aceff", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.182751Z", - "modified": "2024-05-08T15:23:01.182751Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "target_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4205,14 +4247,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--e44ea84b-4bd2-48ed-ad5d-01727741d276", + "id": "relationship--2adabce8-4f25-483a-b29d-a2cd448c774e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.182821Z", - "modified": "2024-05-08T15:23:01.182821Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "target_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4220,33 +4262,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--935920ed-3bfc-4515-8f1a-c9cf6257c137", - "created": "2024-05-08T15:23:01.184679Z", - "modified": "2024-05-08T15:23:01.184679Z", - "name": "Remove unused secrets from the cluster", - "description": "Remove unused secrets objects from the cluster.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9023%20Remove%20unused%20secrets%20from%20the%20cluster/", - "external_id": "MS-M9023" - } - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1b81fd94-ed3d-46cd-8796-67dba801d30b", + "id": "relationship--a1d2b26e-8226-4c29-90ee-39e46e43510e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.184807Z", - "modified": "2024-05-08T15:23:01.184807Z", - "description": "Remove unused secrets objects from the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--935920ed-3bfc-4515-8f1a-c9cf6257c137", - "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4254,36 +4280,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--86979444-deb0-48bc-bbcd-112f66c6bf91", - "created": "2024-05-08T15:23:01.186864Z", - "modified": "2024-05-08T15:23:01.186864Z", - "name": "Collect logs to remote data storage", - "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion. This can be achieved by various open-source tools such as Fluentd. Also, built-in cloud solutions are available for managed clusters, such as Container Insights and Log Analytics in AKS and Cloud Logging in GKE.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9020%20Collect%20logs%20to%20remote%20data%20storage/", - "external_id": "MS-M9020" - } - ], - "x_mitre_ids": [ - "M1029" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1a939bbf-5c4e-413d-afa3-6921cf11638c", + "id": "relationship--b296d1ec-ac73-40c0-acc6-3a7fb72a75ea", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.186967Z", - "modified": "2024-05-08T15:23:01.186967Z", - "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--86979444-deb0-48bc-bbcd-112f66c6bf91", - "target_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": 
"attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -4294,14 +4301,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--fb6883aa-42e3-4061-8c79-3a14b024013e", + "id": "relationship--e75ae9c8-15fe-4013-9fb7-da717aa8c4f7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.187039Z", - "modified": "2024-05-08T15:23:01.187039Z", - "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--86979444-deb0-48bc-bbcd-112f66c6bf91", - "target_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4309,36 +4316,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--78d2910d-3e63-4580-af21-b83b21a5ecd1", - "created": "2024-05-08T15:23:01.189459Z", - "modified": "2024-05-08T15:23:01.189459Z", - "name": "Network intrusion prevention", - "description": "Use intrusion detection signatures and web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster.\n\nAdapting the network intrusion prevention solution to Kubernetes environment might be needed to route network traffic destined to services through it.\nIn some cases, this will be done by deploying a containerized version of a network intrusion prevention solution to the Kubernetes cluster and be part of the cluster network, and in some cases, routing ingress traffic to Kubernetes services through an external appliance, requiring that all ingress traffic will only come from such an appliance.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9007%20Network%20intrusion%20prevention/", - "external_id": "MS-M9007" - } - ], - "x_mitre_ids": [ - "M1031" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--d4e8607e-95e0-4e42-9afb-4542e4699a88", + "id": "relationship--a7219acc-d428-4110-a9dc-53f801b8b9ca", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.189559Z", - "modified": "2024-05-08T15:23:01.189559Z", - "description": "Use intrusion detection signatures and web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and 
service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--78d2910d-3e63-4580-af21-b83b21a5ecd1", - "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4346,33 +4334,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--11ec9a05-7505-45d0-a138-f6144247a52e", - "created": "2024-05-08T15:23:01.191318Z", - "modified": "2024-05-08T15:23:01.191318Z", - "name": "Disable service account auto mount", - "description": "", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9025%20Disable%20service%20account%20auto%20mount/", - "external_id": "MS-M9025" - } - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--90cda620-d637-4dcd-b94a-59a88e04176c", + "id": "relationship--016a3b3c-9749-44e1-af9a-01a084821de7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.191413Z", - "modified": "2024-05-08T15:23:01.191413Z", - "description": "", + "created": "2022-10-26T13:06:11.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--11ec9a05-7505-45d0-a138-f6144247a52e", - "target_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4383,9 +4355,9 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--cc1b481b-66be-42cb-a987-e8c6889b6160", - "created": "2024-05-08T15:23:01.193294Z", - "modified": "2024-05-08T15:23:01.193294Z", + "id": "course-of-action--62db2068-1210-4cd1-bc42-e28b7cdbda37", + "created": "2024-05-15T03:39:59.247322Z", + "modified": "2024-05-15T03:39:59.247322Z", "name": "Secure CI/CD environment", "description": "Security code repositories and CI/CD environment by placing gates to restrict unauthorized access and modification of content. This can include enforcing RBAC permissions to access and make changes to code, artifacts and build pipelines, ensure governed process for pull-request approval, apply branch policies and others.", "external_references": [ @@ -4399,13 +4371,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--e2fdd0ef-6d58-4750-bee9-80f39d8694e1", + "id": "relationship--d659f796-5c05-4a27-bcc2-5c6d50432426", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.193396Z", - "modified": "2024-05-08T15:23:01.193396Z", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", "description": "Security code repositories and CI/CD environment by placing gates to restrict unauthorized access and modification of content", "relationship_type": "mitigates", - "source_ref": "course-of-action--cc1b481b-66be-42cb-a987-e8c6889b6160", + "source_ref": "course-of-action--62db2068-1210-4cd1-bc42-e28b7cdbda37", "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4417,33 +4389,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--6196e3ad-1d3a-4990-b578-801c2d5026a6", - "created": "2024-05-08T15:23:01.195159Z", - "modified": "2024-05-08T15:23:01.195159Z", - "name": "Avoid running management interface on containers", - "description": "Avoid running SSH daemon, as well as other management interfaces, if they aren\u2019t necessary for the application\u2019s functionality.", + "id": "course-of-action--6b136b68-ed6a-4bdf-8ffa-41250217a51e", + "created": "2024-05-15T03:39:59.282192Z", + "modified": "2024-05-15T03:39:59.282192Z", + "name": "Avoid using web-hosted manifest for Kubelet", + "description": "", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9015%20Avoid%20running%20management%20interface%20on%20containers/", - "external_id": "MS-M9015" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9032%20Avoid%20using%20web-hosted%20manifest%20for%20Kubelet/", + "external_id": "MS-M9032" } - ], - "x_mitre_ids": [ - "M1042" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1750efbb-f8a6-4f36-8a46-5bec00eaed67", + "id": "relationship--6af7db4e-8947-4b07-ae06-103fa2ac6d13", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.195258Z", - "modified": "2024-05-08T15:23:01.195258Z", - "description": "Avoid running SSH daemon, as well as other management interfaces, if they aren\u2019t necessary for the application\u2019s functionality", + "created": "2022-10-25T14:08:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--6196e3ad-1d3a-4990-b578-801c2d5026a6", - "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "source_ref": "course-of-action--6b136b68-ed6a-4bdf-8ffa-41250217a51e", + "target_ref": 
"attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4454,33 +4423,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--6f45e84f-d55f-4b3a-86dd-8ba036c72492", - "created": "2024-05-08T15:23:01.19739Z", - "modified": "2024-05-08T15:23:01.19739Z", - "name": "Remove tools from container images", - "description": "Attackers often use built-in executables to run their malicious code. Removing unused executables from the image filesystem can prevent such activity. Examples of executables that are commonly used in malicious activity include: sh, bash, curl, wget, chmod and more.", + "id": "course-of-action--359c06eb-717a-4d23-b605-1d87b78ad830", + "created": "2024-05-15T03:39:59.304208Z", + "modified": "2024-05-15T03:39:59.304208Z", + "name": "Require strong authentication to services", + "description": "Use strong authentication when exposing sensitive interfaces to the Internet. For example, attacks were observed against exposed Kubeflow and Argo workloads that were not configured to use OpenID Connect or other authentication methods.\n\nUse strong authentication methods to the Kubernetes API that will prevent attackers from gaining access to the cluster even if valid credentials such as kubeconfig were achieved. For example, in AKS use AAD authentication instead of basic authentication. 
By using AAD authentication, a short-lived credential of the cluster is retrieved after authenticating to AAD.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9012%20Remove%20tools%20from%20container%20images/", - "external_id": "MS-M9012" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9009%20Require%20strong%20authentication%20to%20services/", + "external_id": "MS-M9009" } - ], - "x_mitre_ids": [ - "M1042" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--306fd68f-9390-428f-a706-b94fec13a935", + "id": "relationship--896b6a49-29b4-4739-ad32-42e4bb6ebd77", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.197569Z", - "modified": "2024-05-08T15:23:01.197569Z", - "description": "Attackers often use built-in executables to run their malicious code", + "created": "2022-10-20T10:28:30.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use strong authentication when exposing sensitive interfaces to the Internet", "relationship_type": "mitigates", - "source_ref": "course-of-action--6f45e84f-d55f-4b3a-86dd-8ba036c72492", - "target_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", + "source_ref": "course-of-action--359c06eb-717a-4d23-b605-1d87b78ad830", + "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4491,14 +4457,32 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--b5bab9ed-13d4-4f25-947d-3b5055fef187", + "id": "relationship--e79f61d1-33db-4367-920f-64ce52f833bd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.197647Z", - "modified": "2024-05-08T15:23:01.197647Z", - "description": "Attackers often use built-in executables to run their malicious code", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use strong authentication when exposing sensitive interfaces to the Internet", "relationship_type": "mitigates", - "source_ref": "course-of-action--6f45e84f-d55f-4b3a-86dd-8ba036c72492", - "target_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", + "source_ref": "course-of-action--359c06eb-717a-4d23-b605-1d87b78ad830", + "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "0.1", + "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--914fa74c-4dc2-464c-8f4b-279df31b7561", + "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use strong authentication when exposing sensitive interfaces to the Internet", + "relationship_type": "mitigates", + "source_ref": "course-of-action--359c06eb-717a-4d23-b605-1d87b78ad830", + "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4509,33 +4493,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--44d2fefa-6a6f-4771-acd7-b81ebe8646e8", - "created": "2024-05-08T15:23:01.2003Z", - "modified": "2024-05-08T15:23:01.2003Z", - "name": "Restrict file and directory permissions", - "description": "", + "id": "course-of-action--e1cf56ed-8efd-4215-b712-175bb68464a5", + "created": "2024-05-15T03:39:59.353263Z", + "modified": "2024-05-15T03:39:59.353263Z", + "name": "Remove unused secrets from the cluster", + "description": "Remove unused secrets objects from the cluster.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9016%20Restrict%20file%20and%20directory%20permissions/", - "external_id": "MS-M9016" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9023%20Remove%20unused%20secrets%20from%20the%20cluster/", + "external_id": "MS-M9023" } - ], - "x_mitre_ids": [ - "M1022" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--12817f60-cc8e-4dc0-978f-982a926c7884", + "id": "relationship--fa1575b5-dbe2-492d-ae88-635e4372ee0b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.200411Z", - "modified": "2024-05-08T15:23:01.200411Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Remove unused secrets objects from the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--44d2fefa-6a6f-4771-acd7-b81ebe8646e8", - "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", + "source_ref": "course-of-action--e1cf56ed-8efd-4215-b712-175bb68464a5", + "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4543,17 +4524,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--3a8183ce-a6c7-4f8e-b85e-d242bbf4c6bc", + "created": "2024-05-15T03:39:59.38109Z", + "modified": "2024-05-15T03:39:59.38109Z", + "name": "Use managed secret store", + "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster. This allows cloud-level management of the secret which includes permission management, expiration management, secret rotation, auditing, etc. The integration of cloud secret stores with Kubernetes is done by using Secrets Store CSI Driver, which is implemented by all major cloud providers.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9022%20Use%20managed%20secret%20store/", + "external_id": "MS-M9022" + } + ], + "x_mitre_ids": [ + "M1029" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--3a5fbb4b-37c9-4241-95e6-e5bfcbd1d237", + "id": "relationship--b26b02dc-4166-400c-acb4-cd097a5daf22", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.200497Z", - "modified": "2024-05-08T15:23:01.200497Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--44d2fefa-6a6f-4771-acd7-b81ebe8646e8", - "target_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", + "source_ref": "course-of-action--3a8183ce-a6c7-4f8e-b85e-d242bbf4c6bc", + "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -4564,14 +4564,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c8de37c6-deea-416e-a650-3109ca91b365", + "id": "relationship--cee479ef-ee2a-418b-91f3-6c3919c42442", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.200566Z", - "modified": "2024-05-08T15:23:01.200566Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--44d2fefa-6a6f-4771-acd7-b81ebe8646e8", - "target_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", + "source_ref": "course-of-action--3a8183ce-a6c7-4f8e-b85e-d242bbf4c6bc", + "target_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4582,30 +4582,29 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--4d1961ab-4a76-4c14-8580-62452288725e", - "created": "2024-05-08T15:23:01.203334Z", - "modified": "2024-05-08T15:23:01.203334Z", - "name": "Gate images pushed to registries", - "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement. Some container registries can support gates that will prevent pushing images, while others might quarantine images after they were already push to the registry. Ensuring that gates exists at the registry level can help preventing bypass of gates at the CI/CD pipelines level.", + "id": "course-of-action--3afbc5db-2e09-4430-ae8a-9d382d456745", + "created": "2024-05-15T03:39:59.428902Z", + "modified": "2024-05-15T03:39:59.428902Z", + "name": "Image assurance policy", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies. 
By ensuring consistent and comprehensive image assurance policy across the build, ship and run development stages.\n\nOne approach of ensuring images passes assurance or compliance checks it to sign the container images, so the image signature can be checks downstream when deploying to Kubernetes clusters at runtime.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005/MS-M9005.002%20Gate%20images%20pushed%20to%20registries/", - "external_id": "MS-M9005.002" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005%20Image%20assurance%20policy/", + "external_id": "MS-M9005" } ], "x_mitre_ids": [ "M1016", "M1045" - ], - "x_mitre_parent_mitigation": "MS-M9005" + ] }, { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--e89ff43f-d691-492c-a3db-8f001ae6287e", - "created": "2024-05-08T15:23:01.205914Z", - "modified": "2024-05-08T15:23:01.205914Z", + "id": "course-of-action--fbf0136d-f1f1-42ff-9aaa-f86e0cf51f44", + "created": "2024-05-15T03:39:59.440682Z", + "modified": "2024-05-15T03:39:59.440682Z", "name": "Gate generated images in CI/CD pipeline", "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements.", "external_references": [ 
@@ -4624,29 +4623,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--ebddc6a6-263d-457d-aef4-9255c5e153fc", - "created": "2024-05-08T15:23:01.209235Z", - "modified": "2024-05-08T15:23:01.209235Z", - "name": "Image assurance policy", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies. By ensuring consistent and comprehensive image assurance policy across the build, ship and run development stages.\n\nOne approach of ensuring images passes assurance or compliance checks it to sign the container images, so the image signature can be checks downstream when deploying to Kubernetes clusters at runtime.", + "id": "course-of-action--f80bba5c-4cc5-40db-b857-9dc3690293f0", + "created": "2024-05-15T03:39:59.446895Z", + "modified": "2024-05-15T03:39:59.446895Z", + "name": "Gate images pushed to registries", + "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement. Some container registries can support gates that will prevent pushing images, while others might quarantine images after they were already push to the registry. 
Ensuring that gates exists at the registry level can help preventing bypass of gates at the CI/CD pipelines level.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005%20Image%20assurance%20policy/", - "external_id": "MS-M9005" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005/MS-M9005.002%20Gate%20images%20pushed%20to%20registries/", + "external_id": "MS-M9005.002" } ], "x_mitre_ids": [ "M1016", "M1045" - ] + ], + "x_mitre_parent_mitigation": "MS-M9005" }, { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", - "created": "2024-05-08T15:23:01.213865Z", - "modified": "2024-05-08T15:23:01.213865Z", + "id": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", + "created": "2024-05-15T03:39:59.454552Z", + "modified": "2024-05-15T03:39:59.454552Z", "name": "Gate images deployed to Kubernetes cluster", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements. This can include limiting images to be deployed only from trusted registries, to have digital signature or pass vulnerability scanning and other checks. This can prevent potential adversaries from using their own malicious images in the cluster. Also, this ensures that only images that passed the security compliance policies of the organization are deployed in the cluster. Kubernetes admission controller mechanism is one of the commonly used tools for implementing such policy.", "external_references": [ 
@@ -4665,13 +4665,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--7de0fd47-0ec4-4a60-b21c-2b045b090aae", + "id": "relationship--b3252ecd-ebb5-497f-a226-1670c2aa4ecd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.213976Z", - "modified": "2024-05-08T15:23:01.213976Z", - "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", + "created": "2024-05-15T06:39:59.461881Z", + "modified": "2024-05-15T06:39:59.461896Z", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", - "source_ref": "course-of-action--4d1961ab-4a76-4c14-8580-62452288725e", + "source_ref": "course-of-action--3afbc5db-2e09-4430-ae8a-9d382d456745", "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4683,13 +4683,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--ac2fd283-0d84-47e7-aaad-c507a043680f", + "id": "relationship--c791a374-fcd5-445c-8a4d-5fefebfda731", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214056Z", - "modified": "2024-05-08T15:23:01.214056Z", - "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", + "created": "2024-05-15T06:39:59.468661Z", + "modified": "2024-05-15T06:39:59.46868Z", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", - "source_ref": "course-of-action--4d1961ab-4a76-4c14-8580-62452288725e", + "source_ref": "course-of-action--3afbc5db-2e09-4430-ae8a-9d382d456745", "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4701,13 +4701,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--55dda607-c695-48bd-85db-ea51a8c375fc", + "id": "relationship--06a78821-4833-4c71-a514-2adf1489ab28", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214133Z", - "modified": "2024-05-08T15:23:01.214133Z", - "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", + "created": "2024-05-15T06:39:59.476015Z", + "modified": "2024-05-15T06:39:59.476039Z", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", - "source_ref": "course-of-action--4d1961ab-4a76-4c14-8580-62452288725e", + "source_ref": "course-of-action--3afbc5db-2e09-4430-ae8a-9d382d456745", "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4719,14 +4719,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9b510739-699f-483e-8e27-bad3a4cc8bd4", + "id": "relationship--6048772c-aa83-4a31-8542-ee56de8e75f5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214208Z", - "modified": "2024-05-08T15:23:01.214208Z", - "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", + "created": "2024-05-15T06:39:59.484265Z", + "modified": "2024-05-15T06:39:59.48429Z", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", - "source_ref": "course-of-action--e89ff43f-d691-492c-a3db-8f001ae6287e", - "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", + "source_ref": "course-of-action--3afbc5db-2e09-4430-ae8a-9d382d456745", + "target_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4737,14 +4737,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--a908c426-cab6-4007-8f8b-2ae3b3dbe354", + "id": "relationship--030c2e1b-fded-490b-9840-70eb558223d8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214286Z", - "modified": "2024-05-08T15:23:01.214286Z", + "created": "2024-05-15T06:39:59.494915Z", + "modified": "2024-05-15T06:39:59.494961Z", "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--e89ff43f-d691-492c-a3db-8f001ae6287e", - "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "source_ref": "course-of-action--fbf0136d-f1f1-42ff-9aaa-f86e0cf51f44", + "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4755,14 +4755,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9b0ae1d0-00ca-49a6-b481-476afd6db243", + "id": "relationship--f0817eb5-ce3c-473b-ac87-594a5fbfcb1d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214357Z", - "modified": "2024-05-08T15:23:01.214357Z", + "created": "2024-05-15T06:39:59.515232Z", + "modified": "2024-05-15T06:39:59.515286Z", "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--e89ff43f-d691-492c-a3db-8f001ae6287e", - "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "source_ref": "course-of-action--fbf0136d-f1f1-42ff-9aaa-f86e0cf51f44", + "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4773,14 +4773,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--42002b19-6fc5-4840-938a-b41d353a58f1", + "id": "relationship--cbfcf7ba-157c-46ad-ab5e-9995a1d17b14", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214427Z", - "modified": "2024-05-08T15:23:01.214427Z", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", + "created": "2024-05-15T06:39:59.530478Z", + "modified": "2024-05-15T06:39:59.530528Z", + "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--ebddc6a6-263d-457d-aef4-9255c5e153fc", - "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", + "source_ref": "course-of-action--fbf0136d-f1f1-42ff-9aaa-f86e0cf51f44", + "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4791,14 +4791,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--160b7870-ff6f-447e-aae6-ad7257da8dad", + "id": "relationship--3c94248c-554b-4f5e-93f3-be239aa80704", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214493Z", - "modified": "2024-05-08T15:23:01.214493Z", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", + "created": "2024-05-15T06:39:59.545464Z", + "modified": "2024-05-15T06:39:59.545531Z", + "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", "relationship_type": "mitigates", - "source_ref": "course-of-action--ebddc6a6-263d-457d-aef4-9255c5e153fc", - "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "source_ref": "course-of-action--f80bba5c-4cc5-40db-b857-9dc3690293f0", + "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4809,14 +4809,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c31e800b-e36d-4af6-9eba-6774f2897d89", + "id": "relationship--ba036427-b112-443e-922a-6effa4289fe2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214558Z", - "modified": "2024-05-08T15:23:01.214558Z", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", + "created": "2024-05-15T06:39:59.563827Z", + "modified": "2024-05-15T06:39:59.563876Z", + "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", "relationship_type": "mitigates", - "source_ref": "course-of-action--ebddc6a6-263d-457d-aef4-9255c5e153fc", - "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "source_ref": "course-of-action--f80bba5c-4cc5-40db-b857-9dc3690293f0", + "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4827,14 +4827,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--6a42219b-bcad-4d32-b411-86048a089879", + "id": "relationship--a2938105-842b-4b9a-9bf3-0c0f9be5dc87", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214624Z", - "modified": "2024-05-08T15:23:01.214624Z", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", + "created": "2024-05-15T06:39:59.580333Z", + "modified": "2024-05-15T06:39:59.580383Z", + "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", "relationship_type": "mitigates", - "source_ref": "course-of-action--ebddc6a6-263d-457d-aef4-9255c5e153fc", - "target_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", + "source_ref": "course-of-action--f80bba5c-4cc5-40db-b857-9dc3690293f0", + "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4845,13 +4845,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--76b13565-9280-4a9b-8b56-a00418f65956", + "id": "relationship--c8b8a32d-261e-4cf8-89dd-c0f6e014ad7b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214694Z", - "modified": "2024-05-08T15:23:01.214694Z", + "created": "2024-05-15T06:39:59.595737Z", + "modified": "2024-05-15T06:39:59.595791Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", + "source_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -4863,13 +4863,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--3d8ed52f-5a1b-4bdb-8bae-7c7b5929053a", + "id": "relationship--bd2b09b1-64d3-4e6f-a770-2c1c3e095d96", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.21476Z", - "modified": "2024-05-08T15:23:01.21476Z", + "created": "2024-05-15T06:39:59.61022Z", + "modified": "2024-05-15T06:39:59.610252Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", + "source_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4881,13 +4881,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--0470cfde-1acd-4e6d-965b-c2ffe549a10a", + "id": "relationship--23af8533-2bc7-4aae-9467-c849f78471af", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214825Z", - "modified": "2024-05-08T15:23:01.214825Z", + "created": "2024-05-15T06:39:59.62498Z", + "modified": "2024-05-15T06:39:59.625021Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", + "source_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -4899,13 +4899,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--eae9cf0e-57b7-421c-86e7-d65c10164263", + "id": "relationship--f05d85e0-511e-4d7a-871d-a2273387d507", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.21489Z", - "modified": "2024-05-08T15:23:01.21489Z", + "created": "2024-05-15T06:39:59.640478Z", + "modified": "2024-05-15T06:39:59.640515Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", + "source_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4917,13 +4917,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1bdee8d7-0eaf-40d6-947e-5919479b6c7c", + "id": "relationship--4489deb5-c276-47fe-93da-d8c7c8721356", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.21497Z", - "modified": "2024-05-08T15:23:01.21497Z", + "created": "2024-05-15T06:39:59.664746Z", + "modified": "2024-05-15T06:39:59.664789Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", + "source_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -4935,13 +4935,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--b831d0d0-4da9-4b3e-98c7-702ef5c75a1b", + "id": "relationship--00b767d4-2c9d-44c0-952c-681b46ac85e8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.215036Z", - "modified": "2024-05-08T15:23:01.215036Z", + "created": "2024-05-15T06:39:59.679191Z", + "modified": "2024-05-15T06:39:59.679244Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", + "source_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", "target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4953,13 +4953,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--412ded4c-b83f-49ee-b96c-f69ec33e4ee7", + "id": "relationship--a4e8ee97-41c6-49e0-a618-7df4952ff2ad", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.2151Z", - "modified": "2024-05-08T15:23:01.2151Z", + "created": "2024-05-15T06:39:59.694044Z", + "modified": "2024-05-15T06:39:59.694091Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", + "source_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -4971,13 +4971,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9b0921fc-31ec-4d29-aa8c-ba904c354e31", + "id": "relationship--c85ccad8-6ab3-4025-ac93-c3f5139205cc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.215168Z", - "modified": "2024-05-08T15:23:01.215168Z", + "created": "2024-05-15T06:39:59.708276Z", + "modified": "2024-05-15T06:39:59.708321Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", + "source_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4989,13 +4989,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--8f545287-e6e8-4020-ba06-ef2a8fe49adf", + "id": "relationship--cfd232d4-5096-4e74-8013-18bf73d99ed7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.215232Z", - "modified": "2024-05-08T15:23:01.215232Z", + "created": "2024-05-15T06:39:59.722497Z", + "modified": "2024-05-15T06:39:59.722539Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", + "source_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", "target_ref": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -5007,10 +5007,10 @@ { "type": "x-mitre-matrix", "spec_version": "2.1", - "id": "x-mitre-matrix--11ac2cbb-ba21-4607-a2e4-16c89a0b09a5", + "id": "x-mitre-matrix--18d00d07-3f91-46dd-a2f3-f0f1cb83b13c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T08:52:58.000Z", - "modified": "2024-05-08T18:23:01.229Z", + "modified": "2024-05-15T06:39:59.735Z", "name": "Threat Matrix for Kubernetes", "external_references": [ { @@ -5054,4 +5054,4 @@ "x_mitre_version": "0.1" } ] -} \ No newline at end of file +} diff --git a/build/tmfk_attack_compatible_b885d18.json b/build/tmfk_attack_compatible_b885d18.json index ac423f6..615156e 100644 --- a/build/tmfk_attack_compatible_b885d18.json +++ b/build/tmfk_attack_compatible_b885d18.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f705966a-53b9-4783-81db-90b7b014864f", + "id": "bundle--f3f9e8d1-37fc-43cd-8829-c88c5b6e0a97", "objects": [ { "type": "x-mitre-collection", 
@@ -8,7 +8,7 @@ "id": "x-mitre-collection--704a5def-03fc-45c2-8513-e863d808c363", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T08:52:58.000Z", - "modified": "2024-05-08T18:23:01.242847Z", + "modified": "2024-05-15T06:39:59.748428Z", "name": "Threat Matrix for Kubernetes", "description": "The purpose of the threat matrix for Kubernetes is to conceptualize the known tactics, techniques, and procedures (TTP) that adversaries may use against Kubernetes environments. Inspired from MITRE ATT&CK, the threat matrix for Kubernetes is designed to give quick insight into a potential TTP that an adversary may be using in their attack campaign. The threat matrix for Kubernetes contains also mitigations specific to Kubernetes environments and attack techniques.", "x_mitre_attack_spec_version": "2.1.0", 
@@ -54,31 +54,31 @@ "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", - "object_modified": "2023-01-23T19:22:40.000Z" + "object_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", + "object_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", - "object_modified": "2022-10-27T17:00:14.000Z" + "object_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", - "object_modified": "2022-12-05T07:54:00.000Z" + "object_ref": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", + "object_modified": "2022-10-25T08:08:39.000Z" }, { - "object_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "object_ref": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "object_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "object_modified": "2022-10-28T11:26:39.000Z" }, { 
@@ -86,79 +86,83 @@ "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "object_modified": "2022-10-25T08:08:39.000Z" }, { - "object_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", + "object_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", + "object_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "object_modified": "2022-12-05T07:54:00.000Z" }, - { - "object_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", - "object_modified": "2022-10-28T11:26:39.000Z" - }, { "object_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "object_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", + "object_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "object_modified": "2022-12-05T07:54:00.000Z" }, + { + "object_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", + "object_modified": "2023-01-23T19:22:40.000Z" + }, + { + "object_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", + "object_modified": "2022-10-28T11:26:39.000Z" + }, { "object_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", + "object_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", - 
"object_modified": "2022-12-05T07:54:00.000Z" + "object_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", - "object_modified": "2022-12-05T07:54:00.000Z" + "object_ref": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "object_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "object_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", - "object_modified": "2022-12-05T07:54:00.000Z" + "object_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", - "object_modified": "2022-10-25T08:08:39.000Z" + "object_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "object_ref": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", "object_modified": "2022-10-27T17:00:14.000Z" }, { - "object_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "object_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", + "object_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "object_modified": "2022-10-28T11:26:39.000Z" }, { 
@@ -166,616 +170,612 @@ "object_modified": "2022-10-25T08:08:39.000Z" }, { - "object_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "object_modified": "2022-10-27T17:00:14.000Z" }, { - "object_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", + "object_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "object_ref": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", - "object_modified": "2022-10-25T08:08:39.000Z" + "object_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", + "object_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "object_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", + "object_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "object_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", + "object_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", - "object_modified": "2022-12-05T07:54:00.000Z" - }, - { - "object_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", + "object_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--eed35bd4-2d5d-4da3-8040-699606665dd9", - "object_modified": "2024-05-08T15:23:01.114222Z" + "object_ref": "course-of-action--d18089f6-e0e9-44f0-b4b7-ddbac88bdf42", + "object_modified": "2024-05-15T03:39:57.825656Z" }, { - "object_ref": "relationship--d1675c61-27a2-46f1-b9b9-3da8f9fa7b9f", - "object_modified": "2024-05-08T15:23:01.115245Z" + "object_ref": "relationship--47e902dc-d050-4ac0-8ff6-d601c75392c2", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--715b7490-951c-4873-beb8-ec514095a186", - "object_modified": "2024-05-08T15:23:01.117049Z" + "object_ref": "relationship--3972ebaf-03b8-42b0-81c7-bdf7fb29c0bb", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--5b574b6b-a4d0-47e8-8d83-b001e9633fcc", - "object_modified": "2024-05-08T15:23:01.117155Z" + "object_ref": "course-of-action--be336cd0-0144-4b41-bb84-5ac767fc4e3a", + "object_modified": "2024-05-15T03:39:57.842372Z" }, { - "object_ref": "course-of-action--1ba7caaa-eb4d-4db9-9552-96712fa207ed", - "object_modified": "2024-05-08T15:23:01.119287Z" + "object_ref": "relationship--88363a55-a2fd-43fa-92ba-a7f59d890383", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--6a676866-90b9-4ac9-81d8-f4fa5b86e958", - "object_modified": "2024-05-08T15:23:01.119394Z" + "object_ref": "course-of-action--6a337cb5-9810-4fde-b26c-e0b6e47424e7", + "object_modified": "2024-05-15T03:39:57.857619Z" }, { 
- "object_ref": "relationship--76657bf1-fa01-4bbc-b869-7fc16c2d8322", - "object_modified": "2024-05-08T15:23:01.119485Z" + "object_ref": "relationship--2b560cb5-3d21-4600-8190-039c71ab48cd", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--7206f8b8-f7a9-426b-98b0-d6eb177ba6ab", - "object_modified": "2024-05-08T15:23:01.121311Z" + "object_ref": "relationship--2302f090-74f9-4954-ae00-bff492115838", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--5ad126e4-a6cb-462b-8e7c-33d99a40f953", - "object_modified": "2024-05-08T15:23:01.121429Z" + "object_ref": "course-of-action--f7e1a334-e6b4-4304-810c-2e86945b3a86", + "object_modified": "2024-05-15T03:39:57.878398Z" }, { - "object_ref": "course-of-action--6e041ffe-db6b-446c-8375-11f0dcaa08ef", - "object_modified": "2024-05-08T15:23:01.123399Z" + "object_ref": "relationship--c7a61598-c44a-43f1-bbdc-dc7977468cd9", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--3e13da7d-4529-42be-832e-5aec578dbd65", - "object_modified": "2024-05-08T15:23:01.1235Z" + "object_ref": "course-of-action--df4e2e90-5dc4-42c3-99a7-670f85d8bf9b", + "object_modified": "2024-05-15T03:39:57.888875Z" }, { - "object_ref": "course-of-action--0223c63f-3d6c-4bf7-abc2-9d4239e49cd0", - "object_modified": "2024-05-08T15:23:01.125419Z" + "object_ref": "relationship--d3a24ed6-a20a-427a-8728-747a9e9cc251", + "object_modified": "2022-10-25T08:08:39.000Z" }, { - "object_ref": "relationship--51444f68-fe63-4319-bbcc-2c09a5c9a834", - "object_modified": "2024-05-08T15:23:01.125521Z" + "object_ref": "course-of-action--9cfb811a-846e-497c-bfac-e77693f6abf5", + "object_modified": "2024-05-15T03:39:57.901088Z" }, { - "object_ref": "course-of-action--7689d229-1186-4094-ad2c-a91e26a06dd7", - "object_modified": "2024-05-08T15:23:01.127841Z" + "object_ref": "relationship--668359c0-229e-4837-8c37-3d08488c88bb", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - 
"object_ref": "relationship--3a7acb8c-842c-4448-9109-4fd286ba7bd4", - "object_modified": "2024-05-08T15:23:01.127938Z" + "object_ref": "relationship--8b302aa6-00b1-4fed-88a8-0f740277d6a6", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--26d9ed03-0515-4527-9566-60c3a63bf48e", - "object_modified": "2024-05-08T15:23:01.128015Z" + "object_ref": "course-of-action--d6506d30-d93b-4adb-aaa5-dc101f76c185", + "object_modified": "2024-05-15T03:39:57.937564Z" }, { - "object_ref": "course-of-action--11c6d64e-5d90-4529-94be-cc473c37f9a5", - "object_modified": "2024-05-08T15:23:01.13165Z" + "object_ref": "relationship--b2cac5d0-9da1-4590-a36a-9f4df984adb0", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--9cfd33ce-2528-4e82-ab8a-df5174f05c32", - "object_modified": "2024-05-08T15:23:01.131768Z" + "object_ref": "course-of-action--5e4fd4f0-94d4-47f7-a357-46f448722eaf", + "object_modified": "2024-05-15T03:39:57.960968Z" }, { - "object_ref": "relationship--61c3b504-1806-4a67-af11-164a1c904f37", - "object_modified": "2024-05-08T15:23:01.131862Z" + "object_ref": "relationship--441effaa-fc37-4d35-a302-7dc72079b3f6", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--30b19dd5-db4d-4c84-8256-c658bce46c93", - "object_modified": "2024-05-08T15:23:01.131933Z" + "object_ref": "course-of-action--fc86c66d-312b-40d2-a364-63e5c9730217", + "object_modified": "2024-05-15T03:39:57.977696Z" }, { - "object_ref": "relationship--65208f94-dbff-4d67-9543-a49c72327f9a", - "object_modified": "2024-05-08T15:23:01.132001Z" + "object_ref": "relationship--1621a410-66d0-47b3-a2e6-f1ac69d2e400", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "object_modified": "2024-05-08T15:23:01.142495Z" + "object_ref": "course-of-action--6ec9004b-0179-4fc8-8fe4-1f43cfdd6d2b", + "object_modified": "2024-05-15T03:39:57.99612Z" }, { - "object_ref": 
"relationship--19f8e6fe-02ed-4095-91a6-92e18df62fe4", - "object_modified": "2024-05-08T15:23:01.142614Z" + "object_ref": "relationship--82fef1ca-0515-4996-89d5-92c7eddb27a7", + "object_modified": "2022-10-27T17:00:14.000Z" }, { - "object_ref": "relationship--46c56f83-318c-4e97-b46c-9f3ae3b081fc", - "object_modified": "2024-05-08T15:23:01.142694Z" + "object_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", + "object_modified": "2024-05-15T03:39:58.025891Z" }, { - "object_ref": "relationship--059abccd-2bb9-4c26-a720-e2b70fec315c", - "object_modified": "2024-05-08T15:23:01.142766Z" + "object_ref": "relationship--e78b1260-67c2-4dba-9811-5671ecc86d4e", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--c25563e5-df67-4eb9-a38e-10cf72433219", - "object_modified": "2024-05-08T15:23:01.142835Z" + "object_ref": "relationship--b7c28d09-b3e4-4ebf-9e30-dd341254a9bc", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--56609145-4706-4903-ba25-be7065847487", - "object_modified": "2024-05-08T15:23:01.142902Z" + "object_ref": "relationship--47c55680-5536-46c0-93e2-7ba43eb9e776", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--690fcf22-446b-4d66-a392-62b7cb419180", - "object_modified": "2024-05-08T15:23:01.14297Z" + "object_ref": "relationship--b380fad0-5d5e-4390-ad96-97a5ac1203cc", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--5cf19607-dffe-4d65-a952-5b76d622c8d8", - "object_modified": "2024-05-08T15:23:01.143036Z" + "object_ref": "relationship--2f8329ae-7964-4398-b2fe-47ae58c8994b", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--27423ae4-5d67-41d1-b053-4ff9b63c1eb5", - "object_modified": "2024-05-08T15:23:01.143104Z" + "object_ref": "relationship--445c9b62-f257-4485-baed-1a57de978d8e", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": 
"relationship--4ba58c15-4a2d-47e7-9148-bbbd0ac1ee71", - "object_modified": "2024-05-08T15:23:01.14317Z" + "object_ref": "relationship--60b78705-22c4-4c7f-8e76-e91f04453866", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--3fcf3afc-7c69-4425-9015-53926bf23f35", - "object_modified": "2024-05-08T15:23:01.143235Z" + "object_ref": "relationship--0f8c253f-8051-4d59-b491-6c662b10d7df", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--b59f314e-f494-4ca6-9f68-403893c8ad81", - "object_modified": "2024-05-08T15:23:01.14331Z" + "object_ref": "relationship--fbd533ab-0bd9-4325-bfcc-d83d673db51d", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--5d41b5c6-291f-4418-9033-062d980536f2", - "object_modified": "2024-05-08T15:23:01.143382Z" + "object_ref": "course-of-action--3a4e2340-96db-4bbe-9367-19bdb6c1721d", + "object_modified": "2024-05-15T03:39:58.170667Z" }, { - "object_ref": "relationship--aef66010-24c9-469d-9e61-8fd1e364cbef", - "object_modified": "2024-05-08T15:23:01.143456Z" + "object_ref": "relationship--7453d151-70fa-441e-8832-94fd974fd186", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--621981c6-f3b5-4e15-acd8-544647a7e4a9", - "object_modified": "2024-05-08T15:23:01.143522Z" + "object_ref": "relationship--6a6c93d0-188f-4119-ab20-91b17bdf32f3", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--1be627dd-375b-4c63-b321-a7e84c8c4a6f", - "object_modified": "2024-05-08T15:23:01.143588Z" + "object_ref": "relationship--436ea5cb-3d1b-44fc-bb05-d996cf30808a", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--30fa1766-baae-4c3a-9257-2eafddc67bf9", - "object_modified": "2024-05-08T15:23:01.143661Z" + "object_ref": "relationship--823d7851-b594-47d3-97ed-a9c568978f7b", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--45dec0fe-060f-4283-965a-662f5aad46c6", - "object_modified": "2024-05-08T15:23:01.143726Z" + "object_ref": "relationship--6cac8de5-3b27-49a4-8c07-cb2d15647466", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--ae9aef0c-27d9-475e-b7fb-08332ae5b518", - "object_modified": "2024-05-08T15:23:01.143793Z" + "object_ref": "relationship--41040ed7-7abb-4f07-bd4e-042144c5cbfc", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--7a103bef-f288-4179-860b-39e0f3a95609", - "object_modified": "2024-05-08T15:23:01.143859Z" + "object_ref": "relationship--82b39550-3b6a-4195-af43-2475c0f99035", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", - "object_modified": "2024-05-08T15:23:01.147505Z" + "object_ref": "course-of-action--f112a1ed-8a40-4df5-9315-ecebbc4d886f", + "object_modified": "2024-05-15T03:39:58.266117Z" }, { - "object_ref": "relationship--f8a571d5-ea3d-496e-8943-bcfc0103b575", - "object_modified": "2024-05-08T15:23:01.14761Z" + "object_ref": "relationship--125fd123-9f94-4bed-9ff1-a4cc5ae59c1d", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--a73b5a9d-acd5-4fea-a45c-482f2a7631bf", - "object_modified": "2024-05-08T15:23:01.147691Z" + "object_ref": "course-of-action--a247c53d-e7a6-4d80-aa48-6fe42967652c", + "object_modified": "2024-05-15T03:39:58.279406Z" }, { - "object_ref": "relationship--41d76943-df71-46e1-af89-a256a85aa9aa", - "object_modified": "2024-05-08T15:23:01.147761Z" + "object_ref": "relationship--b9f4b92e-b977-4971-a42d-84dd123d2f73", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--c96c9e19-f90b-467b-9acd-257e04ae50a7", - "object_modified": "2024-05-08T15:23:01.147831Z" + "object_ref": "course-of-action--1dced729-7647-4645-bc44-44a8e0ec09c6", + "object_modified": "2024-05-15T03:39:58.290604Z" }, { - "object_ref": 
"relationship--172f7807-6ce2-4b72-839f-c09169437aa3", - "object_modified": "2024-05-08T15:23:01.147905Z" + "object_ref": "relationship--feee0640-5a1c-4b1a-aee7-8ecf910ffa54", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--88b9667b-ed8a-4390-b442-38f6034f65fe", - "object_modified": "2024-05-08T15:23:01.147977Z" + "object_ref": "course-of-action--47f9cbda-6403-4d2b-9b59-6a992d1f5980", + "object_modified": "2024-05-15T03:39:58.300022Z" }, { - "object_ref": "relationship--932c3ddb-6fbf-4877-b681-6fa637df55d8", - "object_modified": "2024-05-08T15:23:01.148044Z" + "object_ref": "relationship--d2069d2d-a20a-4b3e-a027-acd5908ae5e8", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", - "object_modified": "2024-05-08T15:23:01.151887Z" + "object_ref": "course-of-action--9f619244-0b94-4acb-9b2a-f2f114255201", + "object_modified": "2024-05-15T03:39:58.31433Z" }, { - "object_ref": "relationship--ea20a874-c3f9-44cf-929c-61c793cecbfc", - "object_modified": "2024-05-08T15:23:01.151995Z" + "object_ref": "relationship--514630be-e767-4d04-9498-748c96fed3fd", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--8797c606-b9ba-4cc3-b00a-80bd84cdebb1", - "object_modified": "2024-05-08T15:23:01.152075Z" + "object_ref": "relationship--d92430ae-9da0-403a-a71c-e4c9ab7bcb79", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--32aa3123-080a-443c-b57e-ffd73a50cdb2", - "object_modified": "2024-05-08T15:23:01.152147Z" + "object_ref": "course-of-action--ee1c2574-0cf7-49ac-9eb8-9dca7c3b9b6a", + "object_modified": "2024-05-15T03:39:58.351488Z" }, { - "object_ref": "relationship--1baaa766-7e3e-4c92-bd54-f16bc55d66a4", - "object_modified": "2024-05-08T15:23:01.152215Z" + "object_ref": "relationship--21c72327-1686-4bb2-aafa-29fc826de0f4", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--02aaeb8c-105c-46bc-9349-5c892629abc5", - "object_modified": "2024-05-08T15:23:01.152288Z" + "object_ref": "relationship--4d297883-fc17-426c-8501-949f04b4b670", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--4ed2fb12-8fd9-49e4-848e-61cc48626c1f", - "object_modified": "2024-05-08T15:23:01.152355Z" + "object_ref": "relationship--7a5e857e-7a4b-4759-a40c-60d29efec3e3", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--9ad82aa9-d56b-4a88-8362-fda4c6a2b347", - "object_modified": "2024-05-08T15:23:01.152422Z" + "object_ref": "relationship--6967d9ed-e1ed-47bf-b3ec-d1f8f81c063d", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--91d97c14-a002-47d5-8b73-aadd757ed2d1", - "object_modified": "2024-05-08T15:23:01.154072Z" + "object_ref": "course-of-action--b21ae259-0569-4d32-8dab-57852c779511", + "object_modified": "2024-05-15T03:39:58.441929Z" }, { - "object_ref": "relationship--c2d01ad0-290e-4a89-ae7c-8560e5e0ce6f", - "object_modified": "2024-05-08T15:23:01.154258Z" + "object_ref": "relationship--a88aae08-b346-4048-aca7-8f39eff62238", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--817d514e-58a7-4163-b17b-a465f985291e", - "object_modified": "2024-05-08T15:23:01.157008Z" + "object_ref": "relationship--db1ed7de-b7b3-49af-8a60-2a218e26257f", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--062c9dc9-2781-4bab-af67-e95556bf14c6", - "object_modified": "2024-05-08T15:23:01.157109Z" + "object_ref": "relationship--83652b7a-c311-4c31-80f1-1213523c6be6", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--42cedd8a-eaac-4a78-8876-1655bb621c05", - "object_modified": "2024-05-08T15:23:01.157188Z" + "object_ref": "relationship--58f37654-7f31-4431-abe2-a2ae532a73db", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--b0490e7e-61ae-45e6-b59a-6aeabd80803f", - "object_modified": "2024-05-08T15:23:01.157259Z" + "object_ref": "relationship--356c0b42-b5b2-471a-8afa-b64d58931f89", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--0260614b-819f-4d36-b407-e580354969ae", - "object_modified": "2024-05-08T15:23:01.159464Z" + "object_ref": "course-of-action--3829223f-1341-45b8-8b2a-e914b027e677", + "object_modified": "2024-05-15T03:39:58.537002Z" }, { - "object_ref": "relationship--c3ef337b-3a4a-4309-99f1-6ee18355d712", - "object_modified": "2024-05-08T15:23:01.159564Z" + "object_ref": "relationship--cb8676e6-1c28-47f1-bfab-1e3361101981", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--a79d2424-894b-4835-b857-beef9ee7c3ca", - "object_modified": "2024-05-08T15:23:01.159642Z" + "object_ref": "course-of-action--b6e4e5f7-c8ba-4ee8-96d9-8da03cec0d6e", + "object_modified": "2024-05-15T03:39:58.564007Z" }, { - "object_ref": "course-of-action--0ec118e3-21ba-4958-9f5d-f1b6e1f01f45", - "object_modified": "2024-05-08T15:23:01.161342Z" + "object_ref": "relationship--cdde0114-2b9f-4c5b-8780-51dbf7f71135", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--522c6538-e8a2-4aa7-922c-56c17e658b03", - "object_modified": "2024-05-08T15:23:01.161439Z" + "object_ref": "relationship--79f638dd-87ae-46f4-b151-386bb5c41447", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--b4cebd89-9ab3-4646-92da-956b57101e44", - "object_modified": "2024-05-08T15:23:01.163165Z" + "object_ref": "relationship--0bdfc67c-4329-468f-9bbd-6adf54a80fa2", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--adab1f1e-02de-4dc2-9739-fd7ec60bfa44", - "object_modified": "2024-05-08T15:23:01.163263Z" + "object_ref": "course-of-action--34edc12a-ddc3-429f-9ea4-4ad37044d8a1", + "object_modified": "2024-05-15T03:39:58.616955Z" }, { - "object_ref": 
"course-of-action--15d09dcd-c393-4457-b1ca-2bc8d553b6f5", - "object_modified": "2024-05-08T15:23:01.165148Z" + "object_ref": "relationship--08b303cc-0d92-495a-acbb-1adc186b05e5", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--6d794426-0ee7-4338-acca-247a712eff03", - "object_modified": "2024-05-08T15:23:01.165242Z" + "object_ref": "relationship--5d2dae31-6d25-4949-af0c-9ab2205b6d89", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--94491ee8-7e32-48f1-85c5-4b87864541ab", - "object_modified": "2024-05-08T15:23:01.166941Z" + "object_ref": "course-of-action--2d6b7435-ac3a-4c34-8b6e-3cff28c46741", + "object_modified": "2024-05-15T03:39:58.665283Z" }, { - "object_ref": "relationship--36f88ce0-287b-4ce4-b13f-8fe666379a39", - "object_modified": "2024-05-08T15:23:01.167037Z" + "object_ref": "relationship--125dc6ef-4d0c-40ba-85a0-c12181500b21", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "course-of-action--cf428e21-ea85-4cdb-b4b5-b13f82a1b707", - "object_modified": "2024-05-08T15:23:01.16916Z" + "object_ref": "relationship--825453da-b62f-4834-91b6-62a2b063ac32", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "relationship--c9bf917c-a264-44c7-ba43-8a1ee750d906", - "object_modified": "2024-05-08T15:23:01.169269Z" + "object_ref": "relationship--be98309f-02c6-4dd9-be17-5461b670655a", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "relationship--ae8e9fe9-5da8-4f57-89f1-40980305084b", - "object_modified": "2024-05-08T15:23:01.169349Z" + "object_ref": "relationship--828dc85a-5944-46c0-a41a-bcfcdd8c017d", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "course-of-action--11aa8351-d3ce-4944-9be0-da15142d7160", - "object_modified": "2024-05-08T15:23:01.171336Z" + "object_ref": "relationship--02d31c2e-4326-4068-a3ba-24d2b58cfacc", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": 
"relationship--5ee4a054-cb3c-4089-ac69-3a15443614a7", - "object_modified": "2024-05-08T15:23:01.171462Z" + "object_ref": "relationship--00a0c780-7ef5-4525-9fe5-76adab49c046", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", - "object_modified": "2024-05-08T15:23:01.174809Z" + "object_ref": "relationship--e49f5a7e-6a59-486c-8418-e9be6b4e4b50", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "relationship--fded3496-f58e-4fa8-976d-23792a584ef7", - "object_modified": "2024-05-08T15:23:01.174977Z" + "object_ref": "course-of-action--e2f1f3d4-c5cc-4358-bb8f-65c0973d9197", + "object_modified": "2024-05-15T03:39:58.801554Z" }, { - "object_ref": "relationship--812e7837-20b0-44ae-a0d1-99d2278c5ea3", - "object_modified": "2024-05-08T15:23:01.175071Z" + "object_ref": "relationship--327caaad-bf9c-40d1-8613-882e155ae89b", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--67588996-c1c1-4ca6-b8e6-bf148a7ab816", - "object_modified": "2024-05-08T15:23:01.175145Z" + "object_ref": "course-of-action--2190c012-fadb-4384-a8ea-9b716f16c130", + "object_modified": "2024-05-15T03:39:58.824902Z" }, { - "object_ref": "relationship--21f02379-2691-4f7b-b04c-3c5b717a47de", - "object_modified": "2024-05-08T15:23:01.175219Z" + "object_ref": "relationship--53660289-54b2-48a3-a211-8712940f8a4d", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--c0a1afd7-450a-49aa-9535-fad35b0b8ca5", - "object_modified": "2024-05-08T15:23:01.175281Z" + "object_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "object_modified": "2024-05-15T03:39:58.873258Z" }, { - "object_ref": "course-of-action--03870e17-f26d-470e-9f22-65a7af305686", - "object_modified": "2024-05-08T15:23:01.177457Z" + "object_ref": "relationship--75404984-d19a-485b-8d2a-dadd3a68da94", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--436ba6cd-33fb-4799-bcfd-ec9febd3060b", - "object_modified": "2024-05-08T15:23:01.17757Z" + "object_ref": "relationship--5baeb2ee-2860-49b6-b17a-0ff4d816da9c", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "object_modified": "2024-05-08T15:23:01.182138Z" + "object_ref": "relationship--c2889066-6374-4319-a253-ac2c3cffaf0a", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--0ccc5fc7-02fb-4ae4-abdb-1d49359bc079", - "object_modified": "2024-05-08T15:23:01.182252Z" + "object_ref": "relationship--a9073c2e-b070-45d8-808a-826397daf4d1", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--02bed0a4-ddf4-456e-afeb-6173869b8843", - "object_modified": "2024-05-08T15:23:01.182335Z" + "object_ref": "relationship--4363a839-d70d-44ca-a38b-4c2be75ce31a", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--fe7996f1-78aa-4db5-a91f-0431ed0980c1", - "object_modified": "2024-05-08T15:23:01.182408Z" + "object_ref": "relationship--3dd59f3a-1a7a-4a24-8bce-ca0783fe8c21", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--9bbc5221-f86e-4a12-b517-4ee49a8ee18a", - "object_modified": "2024-05-08T15:23:01.182481Z" + "object_ref": "relationship--0952d0d8-68cb-4da5-a9fc-b27d7401b413", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--4c290472-432f-4a14-a274-df64e034e145", - "object_modified": "2024-05-08T15:23:01.182548Z" + "object_ref": "relationship--05761725-e2a0-45e8-9e75-98bb1afd3c7e", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--bc3c5c8b-d241-4510-9784-f8dfb5834759", - "object_modified": "2024-05-08T15:23:01.182615Z" + "object_ref": "relationship--aae2d0cf-2913-4d91-8bde-42c1013c5481", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--16ad6a7b-4c9c-4c2d-970f-141c688c62c9", - "object_modified": "2024-05-08T15:23:01.182685Z" + "object_ref": "relationship--b084805c-8c2a-4eea-acd0-7bd270534836", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--70d230fd-d5a4-467b-879c-ba44e8d3ef7f", - "object_modified": "2024-05-08T15:23:01.182751Z" + "object_ref": "relationship--3d16ea91-7f1e-4a1f-8891-51d9b2060596", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--e44ea84b-4bd2-48ed-ad5d-01727741d276", - "object_modified": "2024-05-08T15:23:01.182821Z" + "object_ref": "relationship--fe1f3e78-4984-40c4-8f61-c7ed410e682b", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--935920ed-3bfc-4515-8f1a-c9cf6257c137", - "object_modified": "2024-05-08T15:23:01.184679Z" + "object_ref": "relationship--efebe6bb-016d-4b38-b013-2738511aceff", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--1b81fd94-ed3d-46cd-8796-67dba801d30b", - "object_modified": "2024-05-08T15:23:01.184807Z" + "object_ref": "relationship--2adabce8-4f25-483a-b29d-a2cd448c774e", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--86979444-deb0-48bc-bbcd-112f66c6bf91", - "object_modified": "2024-05-08T15:23:01.186864Z" + "object_ref": "relationship--a1d2b26e-8226-4c29-90ee-39e46e43510e", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--1a939bbf-5c4e-413d-afa3-6921cf11638c", - "object_modified": "2024-05-08T15:23:01.186967Z" + "object_ref": "relationship--b296d1ec-ac73-40c0-acc6-3a7fb72a75ea", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--fb6883aa-42e3-4061-8c79-3a14b024013e", - "object_modified": "2024-05-08T15:23:01.187039Z" + "object_ref": "relationship--e75ae9c8-15fe-4013-9fb7-da717aa8c4f7", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"course-of-action--78d2910d-3e63-4580-af21-b83b21a5ecd1", - "object_modified": "2024-05-08T15:23:01.189459Z" + "object_ref": "relationship--a7219acc-d428-4110-a9dc-53f801b8b9ca", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--d4e8607e-95e0-4e42-9afb-4542e4699a88", - "object_modified": "2024-05-08T15:23:01.189559Z" + "object_ref": "relationship--016a3b3c-9749-44e1-af9a-01a084821de7", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--11ec9a05-7505-45d0-a138-f6144247a52e", - "object_modified": "2024-05-08T15:23:01.191318Z" + "object_ref": "course-of-action--62db2068-1210-4cd1-bc42-e28b7cdbda37", + "object_modified": "2024-05-15T03:39:59.247322Z" }, { - "object_ref": "relationship--90cda620-d637-4dcd-b94a-59a88e04176c", - "object_modified": "2024-05-08T15:23:01.191413Z" + "object_ref": "relationship--d659f796-5c05-4a27-bcc2-5c6d50432426", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--cc1b481b-66be-42cb-a987-e8c6889b6160", - "object_modified": "2024-05-08T15:23:01.193294Z" + "object_ref": "course-of-action--6b136b68-ed6a-4bdf-8ffa-41250217a51e", + "object_modified": "2024-05-15T03:39:59.282192Z" }, { - "object_ref": "relationship--e2fdd0ef-6d58-4750-bee9-80f39d8694e1", - "object_modified": "2024-05-08T15:23:01.193396Z" + "object_ref": "relationship--6af7db4e-8947-4b07-ae06-103fa2ac6d13", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--6196e3ad-1d3a-4990-b578-801c2d5026a6", - "object_modified": "2024-05-08T15:23:01.195159Z" + "object_ref": "course-of-action--359c06eb-717a-4d23-b605-1d87b78ad830", + "object_modified": "2024-05-15T03:39:59.304208Z" }, { - "object_ref": "relationship--1750efbb-f8a6-4f36-8a46-5bec00eaed67", - "object_modified": "2024-05-08T15:23:01.195258Z" + "object_ref": "relationship--896b6a49-29b4-4739-ad32-42e4bb6ebd77", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"course-of-action--6f45e84f-d55f-4b3a-86dd-8ba036c72492", - "object_modified": "2024-05-08T15:23:01.19739Z" + "object_ref": "relationship--e79f61d1-33db-4367-920f-64ce52f833bd", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--306fd68f-9390-428f-a706-b94fec13a935", - "object_modified": "2024-05-08T15:23:01.197569Z" + "object_ref": "relationship--914fa74c-4dc2-464c-8f4b-279df31b7561", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--b5bab9ed-13d4-4f25-947d-3b5055fef187", - "object_modified": "2024-05-08T15:23:01.197647Z" + "object_ref": "course-of-action--e1cf56ed-8efd-4215-b712-175bb68464a5", + "object_modified": "2024-05-15T03:39:59.353263Z" }, { - "object_ref": "course-of-action--44d2fefa-6a6f-4771-acd7-b81ebe8646e8", - "object_modified": "2024-05-08T15:23:01.2003Z" + "object_ref": "relationship--fa1575b5-dbe2-492d-ae88-635e4372ee0b", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--12817f60-cc8e-4dc0-978f-982a926c7884", - "object_modified": "2024-05-08T15:23:01.200411Z" + "object_ref": "course-of-action--3a8183ce-a6c7-4f8e-b85e-d242bbf4c6bc", + "object_modified": "2024-05-15T03:39:59.38109Z" }, { - "object_ref": "relationship--3a5fbb4b-37c9-4241-95e6-e5bfcbd1d237", - "object_modified": "2024-05-08T15:23:01.200497Z" + "object_ref": "relationship--b26b02dc-4166-400c-acb4-cd097a5daf22", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--c8de37c6-deea-416e-a650-3109ca91b365", - "object_modified": "2024-05-08T15:23:01.200566Z" + "object_ref": "relationship--cee479ef-ee2a-418b-91f3-6c3919c42442", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--4d1961ab-4a76-4c14-8580-62452288725e", - "object_modified": "2024-05-08T15:23:01.203334Z" + "object_ref": "course-of-action--3afbc5db-2e09-4430-ae8a-9d382d456745", + "object_modified": "2024-05-15T03:39:59.428902Z" }, { - "object_ref": 
"course-of-action--e89ff43f-d691-492c-a3db-8f001ae6287e", - "object_modified": "2024-05-08T15:23:01.205914Z" + "object_ref": "course-of-action--fbf0136d-f1f1-42ff-9aaa-f86e0cf51f44", + "object_modified": "2024-05-15T03:39:59.440682Z" }, { - "object_ref": "course-of-action--ebddc6a6-263d-457d-aef4-9255c5e153fc", - "object_modified": "2024-05-08T15:23:01.209235Z" + "object_ref": "course-of-action--f80bba5c-4cc5-40db-b857-9dc3690293f0", + "object_modified": "2024-05-15T03:39:59.446895Z" }, { - "object_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", - "object_modified": "2024-05-08T15:23:01.213865Z" + "object_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", + "object_modified": "2024-05-15T03:39:59.454552Z" }, { - "object_ref": "relationship--7de0fd47-0ec4-4a60-b21c-2b045b090aae", - "object_modified": "2024-05-08T15:23:01.213976Z" + "object_ref": "relationship--b3252ecd-ebb5-497f-a226-1670c2aa4ecd", + "object_modified": "2024-05-15T06:39:59.461896Z" }, { - "object_ref": "relationship--ac2fd283-0d84-47e7-aaad-c507a043680f", - "object_modified": "2024-05-08T15:23:01.214056Z" + "object_ref": "relationship--c791a374-fcd5-445c-8a4d-5fefebfda731", + "object_modified": "2024-05-15T06:39:59.46868Z" }, { - "object_ref": "relationship--55dda607-c695-48bd-85db-ea51a8c375fc", - "object_modified": "2024-05-08T15:23:01.214133Z" + "object_ref": "relationship--06a78821-4833-4c71-a514-2adf1489ab28", + "object_modified": "2024-05-15T06:39:59.476039Z" }, { - "object_ref": "relationship--9b510739-699f-483e-8e27-bad3a4cc8bd4", - "object_modified": "2024-05-08T15:23:01.214208Z" + "object_ref": "relationship--6048772c-aa83-4a31-8542-ee56de8e75f5", + "object_modified": "2024-05-15T06:39:59.48429Z" }, { - "object_ref": "relationship--a908c426-cab6-4007-8f8b-2ae3b3dbe354", - "object_modified": "2024-05-08T15:23:01.214286Z" + "object_ref": "relationship--030c2e1b-fded-490b-9840-70eb558223d8", + "object_modified": "2024-05-15T06:39:59.494961Z" }, { - "object_ref": 
"relationship--9b0ae1d0-00ca-49a6-b481-476afd6db243", - "object_modified": "2024-05-08T15:23:01.214357Z" + "object_ref": "relationship--f0817eb5-ce3c-473b-ac87-594a5fbfcb1d", + "object_modified": "2024-05-15T06:39:59.515286Z" }, { - "object_ref": "relationship--42002b19-6fc5-4840-938a-b41d353a58f1", - "object_modified": "2024-05-08T15:23:01.214427Z" + "object_ref": "relationship--cbfcf7ba-157c-46ad-ab5e-9995a1d17b14", + "object_modified": "2024-05-15T06:39:59.530528Z" }, { - "object_ref": "relationship--160b7870-ff6f-447e-aae6-ad7257da8dad", - "object_modified": "2024-05-08T15:23:01.214493Z" + "object_ref": "relationship--3c94248c-554b-4f5e-93f3-be239aa80704", + "object_modified": "2024-05-15T06:39:59.545531Z" }, { - "object_ref": "relationship--c31e800b-e36d-4af6-9eba-6774f2897d89", - "object_modified": "2024-05-08T15:23:01.214558Z" + "object_ref": "relationship--ba036427-b112-443e-922a-6effa4289fe2", + "object_modified": "2024-05-15T06:39:59.563876Z" }, { - "object_ref": "relationship--6a42219b-bcad-4d32-b411-86048a089879", - "object_modified": "2024-05-08T15:23:01.214624Z" + "object_ref": "relationship--a2938105-842b-4b9a-9bf3-0c0f9be5dc87", + "object_modified": "2024-05-15T06:39:59.580383Z" }, { - "object_ref": "relationship--76b13565-9280-4a9b-8b56-a00418f65956", - "object_modified": "2024-05-08T15:23:01.214694Z" + "object_ref": "relationship--c8b8a32d-261e-4cf8-89dd-c0f6e014ad7b", + "object_modified": "2024-05-15T06:39:59.595791Z" }, { - "object_ref": "relationship--3d8ed52f-5a1b-4bdb-8bae-7c7b5929053a", - "object_modified": "2024-05-08T15:23:01.21476Z" + "object_ref": "relationship--bd2b09b1-64d3-4e6f-a770-2c1c3e095d96", + "object_modified": "2024-05-15T06:39:59.610252Z" }, { - "object_ref": "relationship--0470cfde-1acd-4e6d-965b-c2ffe549a10a", - "object_modified": "2024-05-08T15:23:01.214825Z" + "object_ref": "relationship--23af8533-2bc7-4aae-9467-c849f78471af", + "object_modified": "2024-05-15T06:39:59.625021Z" }, { - "object_ref": 
"relationship--eae9cf0e-57b7-421c-86e7-d65c10164263", - "object_modified": "2024-05-08T15:23:01.21489Z" + "object_ref": "relationship--f05d85e0-511e-4d7a-871d-a2273387d507", + "object_modified": "2024-05-15T06:39:59.640515Z" }, { - "object_ref": "relationship--1bdee8d7-0eaf-40d6-947e-5919479b6c7c", - "object_modified": "2024-05-08T15:23:01.21497Z" + "object_ref": "relationship--4489deb5-c276-47fe-93da-d8c7c8721356", + "object_modified": "2024-05-15T06:39:59.664789Z" }, { - "object_ref": "relationship--b831d0d0-4da9-4b3e-98c7-702ef5c75a1b", - "object_modified": "2024-05-08T15:23:01.215036Z" + "object_ref": "relationship--00b767d4-2c9d-44c0-952c-681b46ac85e8", + "object_modified": "2024-05-15T06:39:59.679244Z" }, { - "object_ref": "relationship--412ded4c-b83f-49ee-b96c-f69ec33e4ee7", - "object_modified": "2024-05-08T15:23:01.2151Z" + "object_ref": "relationship--a4e8ee97-41c6-49e0-a618-7df4952ff2ad", + "object_modified": "2024-05-15T06:39:59.694091Z" }, { - "object_ref": "relationship--9b0921fc-31ec-4d29-aa8c-ba904c354e31", - "object_modified": "2024-05-08T15:23:01.215168Z" + "object_ref": "relationship--c85ccad8-6ab3-4025-ac93-c3f5139205cc", + "object_modified": "2024-05-15T06:39:59.708321Z" }, { - "object_ref": "relationship--8f545287-e6e8-4020-ba06-ef2a8fe49adf", - "object_modified": "2024-05-08T15:23:01.215232Z" + "object_ref": "relationship--cfd232d4-5096-4e74-8013-18bf73d99ed7", + "object_modified": "2024-05-15T06:39:59.722539Z" }, { - "object_ref": "x-mitre-matrix--11ac2cbb-ba21-4607-a2e4-16c89a0b09a5", - "object_modified": "2024-05-08T18:23:01.229Z" + "object_ref": "x-mitre-matrix--18d00d07-3f91-46dd-a2f3-f0f1cb83b13c", + "object_modified": "2024-05-15T06:39:59.735Z" }, { "object_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", 
@@ -1027,28 +1027,32 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", + "id": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-02T14:34:35.000Z", - "modified": "2023-01-23T19:22:40.000Z", - "name": "Access cloud resources", - "description": "If the Kubernetes cluster is deployed in the cloud, in some cases attackers can leverage their access to a single container to get access to other cloud resources outside the cluster. For example, AKS uses several managed identities that are attached to the nodes, for the cluster operation. Similar identities exist also in EKS and GKE (EC2 roles and IAM service accounts, respectively). By default, running pods can retrieve the identities which in some configurations have privileged permissions. Therefore, if attackers gain access to a running pod in the cluster, they can leverage the identities to access external cloud resources.\n\nAlso, AKS has an option to authenticate with Azure using a service principal. When this option is enabled, each node stores service principal credentials that are located in /etc/kubernetes/azure.json. AKS uses this service principal to create and manage Azure resources that are needed for the cluster operation. By default, the service principal has contributor permissions in the cluster\u2019s Resource Group. Attackers who get access to this service principal file (by hostPath mount, for example) can use its credentials to access or modify the cloud resources.", + "created": "2022-10-02T18:11:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Container service account", + "description": "Service account (SA) represents an application identity in Kubernetes. 
By default, a Service Account access token is mounted to every created pod in the cluster and containers in the pod can send requests to the Kubernetes API server using the Service Account credentials. Attackers who get access to a pod can access the Service Account token (located in /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster, according to the Service Account permissions. If RBAC is not enabled, the Service Account has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings \\ ClusterRoleBindings that are associated with it.\n\nAn attacker which get access to the Service Account token can also authenticate and access the Kubernetes API server from outside the cluster and maintain access to the cluster.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "privilege-escalation" + "phase_name": "credential-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "lateral-movement" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20cloud%20resources", - "external_id": "MS-TA9020" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Container%20service%20account", + "external_id": "MS-TA9016" } ], "x_mitre_domains": [ @@ -1056,7 +1060,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1078.004" + "T1528" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1067,24 +1071,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", + "id": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Bash or cmd inside container", - "description": "Attackers who have permissions to run a cmd/bash script inside a container can use it to execute malicious code and compromise cluster resources.", + "name": "Clear container logs", + "description": "Attackers may delete the application or OS logs on a compromised container in an attempt to prevent detection of their activity.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "execution" + "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Bash%20or%20cmd%20inside%20container", - "external_id": "MS-TA9007" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Clear%20container%20logs", + "external_id": "MS-TA9021" } ], "x_mitre_domains": [ @@ -1092,7 +1096,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1059" + "T1070" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1103,24 +1107,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", + "id": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-27T17:00:14.000Z", - "name": "Cluster-admin binding", - "description": "Role-based access control (RBAC) is a key security feature in Kubernetes. RBAC can restrict the allowed actions of the various identities in the cluster. Cluster-admin is a built-in high privileged role in Kubernetes. Attackers who have permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Data destruction", + "description": "Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "privilege-escalation" + "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster-admin%20binding", - "external_id": "MS-TA9019" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction", + "external_id": "MS-TA9038" } ], "x_mitre_domains": [ @@ -1128,7 +1132,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1078.003" + "T1485" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1139,24 +1143,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", + "id": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "Privileged container", - "description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container, or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", + "modified": "2022-10-25T08:08:39.000Z", + "name": "CoreDNS poisoning", + "description": "CoreDNS is a modular Domain Name System (DNS) server written in Go, hosted by Cloud Native Computing Foundation (CNCF). CoreDNS is the main DNS service that is being used in Kubernetes. The configuration of CoreDNS can be modified by a file named corefile. In Kubernetes, this file is stored in a ConfigMap object, located at the kube-system namespace. 
If attackers have permissions to modify the ConfigMap, for example by using the container\u2019s service account, they can change the behavior of the cluster\u2019s DNS, poison it, and take the network identity of other services.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "privilege-escalation" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container", - "external_id": "MS-TA9018" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/CoreDNS%20poisoning", + "external_id": "MS-TA9035" } ], "x_mitre_domains": [ @@ -1164,7 +1168,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1610" + "T1557" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1175,24 +1179,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", + "id": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Access Kubernetes API server", - "description": "The Kubernetes API server is the gateway to the cluster. Actions in the cluster are performed by sending various requests to the RESTful API. The status of the cluster, which includes all the components that are deployed on it, can be retrieved by the API server. Attackers may send API requests to probe the cluster and get information about containers, secrets, and other resources in the cluster.\n\nIn addition, the Kubernetes API server can also be used to query information about Role Based Access (RBAC) information such as Roles, ClusterRoles, RoleBinding, ClusterRoleBinding and Service Accounts. Attacker may use this information to discover permissions and access associated with Service Accounts in the cluster and use this information to progress towards its attack objectives.", + "modified": "2022-12-05T07:54:00.000Z", + "name": "Backdoor container", + "description": "Attackers run their malicious code in a container in the cluster. 
By using the Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers run in one, or all, the nodes in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "discovery" + "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubernetes%20API%20server", - "external_id": "MS-TA9029" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Backdoor%20container", + "external_id": "MS-TA9012" } ], "x_mitre_domains": [ @@ -1200,7 +1204,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1613" + "T1543" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1211,28 +1215,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "id": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Application credentials in configuration files", - "description": "Developers store secrets in the Kubernetes configuration files, such as environment variables in the pod configuration. Such behavior is commonly seen in clusters that are monitored by Microsoft Defender for Cloud. Attackers who have access to those configurations, by querying the API server or by accessing those files on the developer\u2019s endpoint, can steal the stored secrets and use them.\n\nUsing those credentials attackers may gain access to additional resources inside and outside the cluster.", + "name": "Pod or container name similarity", + "description": "Pods that are created by controllers such as Deployment or DaemonSet have random suffix in their names. Attackers can use this fact and name their backdoor pods as they were created by the existing controllers. 
For example, an attacker could create a malicious pod named coredns-{random suffix} which would look related to the CoreDNS Deployment.\n\nAlso, attackers can deploy their containers in the kube-system namespace where the administrative containers reside.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "lateral-movement" + "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20credentials%20in%20configuration%20files", - "external_id": "MS-TA9027" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarity", + "external_id": "MS-TA9023" } ], "x_mitre_domains": [ @@ -1240,7 +1240,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552" + "T1036.005" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1251,24 +1251,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "id": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Data destruction", - "description": "Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources.", + "name": "Access Managed Identity credentials", + "description": "Managed identities are identities that are managed by the cloud provider and can be allocated to cloud resources, such as virtual machines. Those identities are used to authenticate with cloud services. The identity\u2019s secret is fully managed by the cloud provider, which eliminates the need to manage the credentials. Applications can obtain the identity\u2019s token by accessing the Instance Metadata Service (IMDS). Attackers who get access to a Kubernetes pod can leverage their access to the IMDS endpoint to get the managed identity\u2019s token. With a token, the attackers can access cloud resources.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "impact" + "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction", - "external_id": "MS-TA9038" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Managed%20Identity%20credentials", + "external_id": "MS-TA9028" } ], "x_mitre_domains": [ @@ -1276,7 +1276,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1485" + "T1552.005" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1320,24 +1320,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", + "id": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Denial of service", - "description": "Attackers may attempt to perform a denial of service attack, which makes the service unavailable to the legitimate users. In container clusters, this include attempts to block the availability of the containers themselves, the underlying nodes, or the API server.", + "modified": "2022-10-25T08:08:39.000Z", + "name": "Access Kubelet API", + "description": "Kubelet is the Kubernetes agent that is installed on each node. Kubelet is responsible for the proper execution of pods that are assigned to the node. Kubelet exposes a read-only API service that does not require authentication (TCP port 10255). Attackers with network access to the host (for example, via running code on a compromised container) can send API requests to the Kubelet API. Specifically querying https://[NODE IP]:10255/pods/ retrieves the running pods on the node. https://[NODE IP]:10255/spec/ retrieves information about the node itself, such as CPU and memory consumption.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "impact" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Denial%20of%20service", - "external_id": "MS-TA9040" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubelet%20API", + "external_id": "MS-TA9030" } ], "x_mitre_domains": [ 
@@ -1345,8 +1345,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1498", - "T1499" + "T1613" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1357,24 +1356,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", + "id": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Clear container logs", - "description": "Attackers may delete the application or OS logs on a compromised container in an attempt to prevent detection of their activity.", + "name": "Images from a private registry", + "description": "The images that are running in the cluster can be stored in a private registry. For pulling those images, the container runtime engine (such as Docker or containerd) needs to have valid credentials to those registries. If the registry is hosted by the cloud provider, in services like Azure Container Registry (ACR) or Amazon Elastic Container Registry (ECR), cloud credentials are used to authenticate to the registry. If attackers get access to the cluster, in some cases they can obtain access to the private registry and pull its images. For example, attackers can use the managed identity token as described in the \u201cAccess managed identity credential\u201d technique. Similarly, in EKS, attackers can use the AmazonEC2ContainerRegistryReadOnly policy that is bound by default to the node\u2019s IAM role.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" + "phase_name": "collection" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Clear%20container%20logs", - "external_id": "MS-TA9021" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Images%20from%20a%20private%20registry", + "external_id": "MS-TA9037" } ], "x_mitre_domains": [ 
@@ -1382,7 +1381,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1070" + "T1530" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1393,60 +1392,32 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", + "id": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-12-05T07:54:00.000Z", - "name": "Sidecar injection", - "description": "A Kubernetes Pod is a group of one or more containers with shared storage and network resources. Sidecar container is a term that is used to describe an additional container that resides alongside the main container. For example, service-mesh proxies are operating as sidecars in the applications\u2019 pods. Attackers can run their code and hide their activity by injecting a sidecar container to a legitimate pod in the cluster instead of running their own separated pod in the cluster.", + "name": "Writable hostPath mount", + "description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. 
For example, the latter can be achieved by creating a cron job on the host.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "execution" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "external_references": [ + "phase_name": "persistence" + }, { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20injection", - "external_id": "MS-TA9011" - } - ], - "x_mitre_domains": [ - "enterprise-attack" - ], - "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "x_mitre_ids": [ - "T1610" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Kubernetes" - ], - "x_mitre_version": "1.0" - }, - { - "type": "attack-pattern", - "spec_version": "2.1", - "id": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", - "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Access Managed Identity credentials", - "description": "Managed identities are identities that are managed by the cloud provider and can be allocated to cloud resources, such as virtual machines. Those identities are used to authenticate with cloud services. The identity\u2019s secret is fully managed by the cloud provider, which eliminates the need to manage the credentials. Applications can obtain the identity\u2019s token by accessing the Instance Metadata Service (IMDS). Attackers who get access to a Kubernetes pod can leverage their access to the IMDS endpoint to get the managed identity\u2019s token. 
With a token, the attackers can access cloud resources.", - "kill_chain_phases": [ + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, { "kill_chain_name": "mitre-attack", - "phase_name": "credential-access" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Managed%20Identity%20credentials", - "external_id": "MS-TA9028" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount", + "external_id": "MS-TA9013" } ], "x_mitre_domains": [ @@ -1454,7 +1425,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552.005" + "T1611" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1501,30 +1472,33 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "id": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "SSH server running inside container", - "description": "SSH server that is running inside a container may be used by attackers. If attackers gain valid credentials to a container, whether by brute force attempts or by other methods (such as phishing), they can use it to get remote access to the container by SSH.", + "name": "Using cloud credentials", + "description": "In cases where the Kubernetes cluster is deployed in a public cloud (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to cluster takeover. Attackers who have access to the cloud account credentials can get access to the cluster\u2019s management layer.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "execution" + "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container", - "external_id": "MS-TA9010" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Using%20cloud%20credentials", + "external_id": "MS-TA9001" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "x_mitre_ids": [ + "T1078.004" + ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" 
@@ -1534,24 +1508,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", + "id": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-12-05T07:54:00.000Z", - "name": "New container", - "description": "Attackers may attempt to run their code in the cluster by deploying a container. Attackers who have permissions to deploy a pod or a controller in the cluster (such as DaemonSet \\ ReplicaSet\\ Deployment) can create a new resource for running their code.", + "name": "Mount service principal", + "description": "When the cluster is deployed in the cloud, in some cases attackers can leverage their access to a container in the cluster to gain cloud credentials. For example, in AKS each node contains service principal credential.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "execution" + "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/New%20container", - "external_id": "MS-TA9008" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Mount%20service%20principal", + "external_id": "MS-TA9026" } ], "x_mitre_domains": [ @@ -1559,7 +1533,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1610" + "T1552.001" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1570,28 +1544,28 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", + "id": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-31T06:43:11.000Z", - "name": "Exposed sensitive interfaces", - "description": "Exposing a sensitive interface to the internet or within a cluster without strong authentication poses a security risk. Some popular cluster management services were not intended to be exposed to the internet, and therefore don\u2019t require authentication by default. Thus, exposing such services to the internet allows unauthenticated access to a sensitive interface which might enable running code or deploying containers in the cluster by a malicious actor. Examples of such interfaces that were seen exploited include Apache NiFi, Kubeflow, Argo Workflows, Weave Scope, and the Kubernetes dashboard.\n\nIn addition, having such services exposed within the cluster network without strong authentication can also allow an attacker to collect information about other workloads deployed to the cluster.\nThe Kubernetes dashboard is an example of such a service that is used for monitoring and managing the Kubernetes cluster. The dashboard allows users to perform actions in the cluster using its service account (kubernetes-dashboard) with permissions that are determined by the binding or cluster-binding for this service account. Attackers who gain access to a container in the cluster, can use its network access to the dashboard pod. 
Consequently, attackers may retrieve information about the various resources in the cluster using the dashboard\u2019s identity.", + "modified": "2023-01-23T19:22:40.000Z", + "name": "Access cloud resources", + "description": "If the Kubernetes cluster is deployed in the cloud, in some cases attackers can leverage their access to a single container to get access to other cloud resources outside the cluster. For example, AKS uses several managed identities that are attached to the nodes, for the cluster operation. Similar identities exist also in EKS and GKE (EC2 roles and IAM service accounts, respectively). By default, running pods can retrieve the identities which in some configurations have privileged permissions. Therefore, if attackers gain access to a running pod in the cluster, they can leverage the identities to access external cloud resources.\n\nAlso, AKS has an option to authenticate with Azure using a service principal. When this option is enabled, each node stores service principal credentials that are located in /etc/kubernetes/azure.json. AKS uses this service principal to create and manage Azure resources that are needed for the cluster operation. By default, the service principal has contributor permissions in the cluster\u2019s Resource Group. 
Attackers who get access to this service principal file (by hostPath mount, for example) can use its credentials to access or modify the cloud resources.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "initial-access" + "phase_name": "privilege-escalation" }, { "kill_chain_name": "mitre-attack", - "phase_name": "discovery" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exposed%20sensitive%20interfaces", - "external_id": "MS-TA9005" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20cloud%20resources", + "external_id": "MS-TA9020" } ], "x_mitre_domains": [ @@ -1599,7 +1573,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1133" + "T1078.004" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1610,24 +1584,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", + "id": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Delete Kubernetes events", - "description": "A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster. Example events are a container creation, an image pull, or a pod scheduling on a node.\n\nKubernetes events can be very useful for identifying changes that occur in the cluster. Therefore, attackers may want to delete these events (e.g., by using: \u201ckubectl delete events\u2013all\u201d) in an attempt to avoid detection of their activity in the cluster.", + "name": "Access Kubernetes API server", + "description": "The Kubernetes API server is the gateway to the cluster. Actions in the cluster are performed by sending various requests to the RESTful API. The status of the cluster, which includes all the components that are deployed on it, can be retrieved by the API server. Attackers may send API requests to probe the cluster and get information about containers, secrets, and other resources in the cluster.\n\nIn addition, the Kubernetes API server can also be used to query information about Role Based Access (RBAC) information such as Roles, ClusterRoles, RoleBinding, ClusterRoleBinding and Service Accounts. 
Attacker may use this information to discover permissions and access associated with Service Accounts in the cluster and use this information to progress towards its attack objectives.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20Kubernetes%20events", - "external_id": "MS-TA9022" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubernetes%20API%20server", + "external_id": "MS-TA9029" } ], "x_mitre_domains": [ @@ -1635,7 +1609,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1070" + "T1613" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1646,32 +1620,28 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", + "id": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "Writable hostPath mount", - "description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.", + "modified": "2022-10-31T06:43:11.000Z", + "name": "Exposed sensitive interfaces", + "description": "Exposing a sensitive interface to the internet or within a cluster without strong authentication poses a security risk. Some popular cluster management services were not intended to be exposed to the internet, and therefore don\u2019t require authentication by default. Thus, exposing such services to the internet allows unauthenticated access to a sensitive interface which might enable running code or deploying containers in the cluster by a malicious actor. Examples of such interfaces that were seen exploited include Apache NiFi, Kubeflow, Argo Workflows, Weave Scope, and the Kubernetes dashboard.\n\nIn addition, having such services exposed within the cluster network without strong authentication can also allow an attacker to collect information about other workloads deployed to the cluster.\nThe Kubernetes dashboard is an example of such a service that is used for monitoring and managing the Kubernetes cluster. The dashboard allows users to perform actions in the cluster using its service account (kubernetes-dashboard) with permissions that are determined by the binding or cluster-binding for this service account. 
Attackers who gain access to a container in the cluster, can use its network access to the dashboard pod. Consequently, attackers may retrieve information about the various resources in the cluster using the dashboard\u2019s identity.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "privilege-escalation" + "phase_name": "initial-access" }, { "kill_chain_name": "mitre-attack", - "phase_name": "lateral-movement" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount", - "external_id": "MS-TA9013" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exposed%20sensitive%20interfaces", + "external_id": "MS-TA9005" } ], "x_mitre_domains": [ @@ -1679,7 +1649,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1611" + "T1133" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1690,24 +1660,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", + "id": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "Mount service principal", - "description": "When the cluster is deployed in the cloud, in some cases attackers can leverage their access to a container in the cluster to gain cloud credentials. For example, in AKS each node contains service principal credential.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Resource hijacking", + "description": "Attackers may abuse a compromised resource for running tasks. A common abuse is to use compromised resources for running digital currency mining. Attackers who have access to a container in the cluster or have permissions to create new containers may use them for such activity.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "credential-access" + "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Mount%20service%20principal", - "external_id": "MS-TA9026" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Resource%20hijacking", + "external_id": "MS-TA9039" } ], "x_mitre_domains": [ @@ -1715,7 +1685,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552.001" + "T1496" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1726,24 +1696,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "id": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Application exploit (RCE)", - "description": "An application that is deployed in the cluster and is vulnerable to a remote code execution vulnerability, or a vulnerability that eventually allows code execution, enables attackers to run code in the cluster. If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.", + "name": "List Kubernetes secrets", + "description": "A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "execution" + "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20exploit%20(RCE)", - "external_id": "MS-TA9009" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20Kubernetes%20secrets", + "external_id": "MS-TA9025" } ], "x_mitre_domains": [ 
@@ -1751,7 +1721,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1190" + "T1552.007" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1762,13 +1732,17 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "id": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "List Kubernetes secrets", - "description": "A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.", + "name": "Malicious admission controller", + "description": "Admission controller is a Kubernetes component that intercepts, and possibly modifies, requests to the Kubernetes API server. There are two types of admissions controllers: validating and mutating controllers. As the name implies, a mutating admission controller can modify the intercepted request and change its properties. Kubernetes has a built-in generic admission controller named MutatingAdmissionWebhook. The behavior of this admission controller is determined by an admission webhook that the user deploys in the cluster. Attackers can use such webhooks for gaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.", "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" 
@@ -1778,8 +1752,8 @@ "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20Kubernetes%20secrets", - "external_id": "MS-TA9025" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Malicious%20admission%20controller", + "external_id": "MS-TA9015" } ], "x_mitre_domains": [ @@ -1787,7 +1761,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552.007" + "T1546" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1798,24 +1772,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", + "id": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "ARP poisoning and IP spoofing", - "description": "Kubernetes has numerous network plugins (Container Network Interfaces or CNIs) that can be used in the cluster. Kubenet is the basic, and in many cases the default, network plugin. In this configuration, a bridge is created on each node (cbr0) to which the various pods are connected using veth pairs. The fact that cross-pod traffic is through a bridge, a level-2 component, means that performing ARP poisoning in the cluster is possible. Therefore, if attackers get access to a pod in the cluster, they can perform ARP poisoning, and spoof the traffic of other pods. By using this technique, attackers can perform several attacks at the network-level which can lead to lateral movements, such as DNS spoofing or stealing cloud identities of other pods (CVE-2021-1677).", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Connect from proxy server", + "description": "Attackers may use proxy servers to hide their origin IP. Specifically, attackers often use anonymous networks such as TOR for their activity. 
This can be used for communicating with the applications themselves or with the API server.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "lateral-movement" + "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/ARP%20poisoning%20and%20IP%20spoofing", - "external_id": "MS-TA9036" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Connect%20from%20proxy%20server", + "external_id": "MS-TA9024" } ], "x_mitre_domains": [ @@ -1823,7 +1797,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1557" + "T1090" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1834,24 +1808,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "id": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-25T08:08:39.000Z", - "name": "Access Kubelet API", - "description": "Kubelet is the Kubernetes agent that is installed on each node. Kubelet is responsible for the proper execution of pods that are assigned to the node. Kubelet exposes a read-only API service that does not require authentication (TCP port 10255). Attackers with network access to the host (for example, via running code on a compromised container) can send API requests to the Kubelet API. Specifically querying https://[NODE IP]:10255/pods/ retrieves the running pods on the node. https://[NODE IP]:10255/spec/ retrieves information about the node itself, such as CPU and memory consumption.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Compromised image In registry", + "description": "Running a compromised image in a cluster can compromise the cluster. Attackers who get access to a private registry can plant their own compromised images in the registry. The latter can then be pulled by a user. In addition, users often use untrusted images from public registries (such as Docker Hub) that may be malicious.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "discovery" + "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubelet%20API", - "external_id": "MS-TA9030" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Compromised%20image%20In%20registry", + "external_id": "MS-TA9002" } ], "x_mitre_domains": [ 
@@ -1859,7 +1833,8 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1613" + "T1195.002", + "T1525" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ @@ -1870,24 +1845,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "id": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-27T17:00:14.000Z", - "name": "Kubeconfig file", - "description": "The kubeconfig file, also used by kubectl, contains details about Kubernetes clusters including their location and credentials. If the cluster is hosted as a cloud service (such as AKS or GKE), this file is downloaded to the client via cloud commands (e.g., az aks get-credentialfor AKS or gcloud container clusters get-credentialsfor GKE).\n\nIf attackers get access to this file, for instance via a compromised client, they can use it for accessing the clusters.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "SSH server running inside container", + "description": "SSH server that is running inside a container may be used by attackers. If attackers gain valid credentials to a container, whether by brute force attempts or by other methods (such as phishing), they can use it to get remote access to the container by SSH.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "initial-access" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Kubeconfig%20file", - "external_id": "MS-TA9003" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container", + "external_id": "MS-TA9010" } ], "x_mitre_domains": [ 
@@ -1903,32 +1878,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", + "id": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-02T18:11:12.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Container service account", - "description": "Service account (SA) represents an application identity in Kubernetes. By default, a Service Account access token is mounted to every created pod in the cluster and containers in the pod can send requests to the Kubernetes API server using the Service Account credentials. Attackers who get access to a pod can access the Service Account token (located in /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster, according to the Service Account permissions. If RBAC is not enabled, the Service Account has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings \\ ClusterRoleBindings that are associated with it.\n\nAn attacker which get access to the Service Account token can also authenticate and access the Kubernetes API server from outside the cluster and maintain access to the cluster.", + "created": "2022-10-02T14:34:35.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "name": "Privileged container", + "description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. 
Attackers who gain access to a privileged container, or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "lateral-movement" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "persistence" + "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Container%20service%20account", - "external_id": "MS-TA9016" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container", + "external_id": "MS-TA9018" } ], "x_mitre_domains": [ @@ -1936,7 +1903,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1528" + "T1610" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1947,24 +1914,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "id": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Exec into container", - "description": "Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (\u201ckubectl exec\u201d). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using \u201ckubectl exec\u201d.", + "modified": "2022-10-27T17:00:14.000Z", + "name": "Cluster-admin binding", + "description": "Role-based access control (RBAC) is a key security feature in Kubernetes. RBAC can restrict the allowed actions of the various identities in the cluster. Cluster-admin is a built-in high privileged role in Kubernetes. Attackers who have permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "execution" + "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container", - "external_id": "MS-TA9006" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster-admin%20binding", + "external_id": "MS-TA9019" } ], "x_mitre_domains": [ @@ -1972,7 +1939,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1609" + "T1078.003" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1983,24 +1950,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", + "id": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Network mapping", - "description": "Attackers may try to map the cluster network to get information on the running applications, including scanning for known vulnerabilities. By default, there is no restriction on pods communication in Kubernetes. Therefore, attackers who gain access to a single container, may use it to probe the network.", + "modified": "2022-12-05T07:54:00.000Z", + "name": "New container", + "description": "Attackers may attempt to run their code in the cluster by deploying a container. Attackers who have permissions to deploy a pod or a controller in the cluster (such as DaemonSet \\ ReplicaSet\\ Deployment) can create a new resource for running their code.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "discovery" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Network%20mapping", - "external_id": "MS-TA9031" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/New%20container", + "external_id": "MS-TA9008" } ], "x_mitre_domains": [ @@ -2008,7 +1975,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1046" + "T1610" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2019,24 +1986,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", + "id": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-25T08:08:39.000Z", - "name": "Instance Metadata API", - "description": "Cloud providers provide instance metadata service for retrieving information about the virtual machine, such as network configuration, disks, and SSH public keys. This service is accessible to the VMs via a non-routable IP address that can be accessed from within the VM only. Attackers who gain access to a container, may query the metadata API service for getting information about the underlying node. For example, in Azure, the following request would retrieve all the metadata information of an instance: http:///metadata/instance?api-version=2019-06-01", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Cluster internal networking", + "description": "Kubernetes networking behavior allows traffic between pods in the cluster as a default behavior. Attackers who gain access to a single container may use it for network reachability to another container in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "discovery" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Instance%20Metadata%20API", - "external_id": "MS-TA9033" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster%20internal%20networking", + "external_id": "MS-TA9034" } ], "x_mitre_domains": [ 
@@ -2044,7 +2011,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552.005" + "T1210" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2055,33 +2022,30 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", + "id": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-02T14:34:35.000Z", + "created": "2022-10-03T08:10:16.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Resource hijacking", - "description": "Attackers may abuse a compromised resource for running tasks. A common abuse is to use compromised resources for running digital currency mining. Attackers who have access to a container in the cluster or have permissions to create new containers may use them for such activity.", + "name": "Static pods", + "description": "Static Pods are created and managed by the the kubelet daemon on each node, without the API server observing them. Kubelet watches each static pod and restart it if it fails.\n\nKubelet automatically tries to create a mirror pod on the Kubernetes API server to represent the static pods, so it will be visible on the API server, however the pods cannot be controlled from there.\n\nStatic Pods are created based on a web or local filesystem YAML files which kubelet observes for changes.\nAn attacker can use the static pods manifest file to ensure that a pod is always running on a cluster node and prevent it from being changed or deleted from the Kubernetes API server.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "impact" + "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Resource%20hijacking", - "external_id": "MS-TA9039" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Static%20pods", + "external_id": "MS-TA9017" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "x_mitre_ids": [ - "T1496" - ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" 
@@ -2091,24 +2055,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", + "id": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Compromised image In registry", - "description": "Running a compromised image in a cluster can compromise the cluster. Attackers who get access to a private registry can plant their own compromised images in the registry. The latter can then be pulled by a user. In addition, users often use untrusted images from public registries (such as Docker Hub) that may be malicious.", + "modified": "2022-10-25T08:08:39.000Z", + "name": "Instance Metadata API", + "description": "Cloud providers provide instance metadata service for retrieving information about the virtual machine, such as network configuration, disks, and SSH public keys. This service is accessible to the VMs via a non-routable IP address that can be accessed from within the VM only. Attackers who gain access to a container, may query the metadata API service for getting information about the underlying node. For example, in Azure, the following request would retrieve all the metadata information of an instance: http:///metadata/instance?api-version=2019-06-01", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "initial-access" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Compromised%20image%20In%20registry", - "external_id": "MS-TA9002" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Instance%20Metadata%20API", + "external_id": "MS-TA9033" } ], "x_mitre_domains": [ 
@@ -2116,8 +2080,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1195.002", - "T1525" + "T1552.005" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ @@ -2128,12 +2091,12 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "id": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Using cloud credentials", - "description": "In cases where the Kubernetes cluster is deployed in a public cloud (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to cluster takeover. Attackers who have access to the cloud account credentials can get access to the cluster\u2019s management layer.", + "modified": "2022-10-27T17:00:14.000Z", + "name": "Kubeconfig file", + "description": "The kubeconfig file, also used by kubectl, contains details about Kubernetes clusters including their location and credentials. If the cluster is hosted as a cloud service (such as AKS or GKE), this file is downloaded to the client via cloud commands (e.g., az aks get-credentialfor AKS or gcloud container clusters get-credentialsfor GKE).\n\nIf attackers get access to this file, for instance via a compromised client, they can use it for accessing the clusters.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", 
@@ -2144,17 +2107,14 @@ "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Using%20cloud%20credentials", - "external_id": "MS-TA9001" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Kubeconfig%20file", + "external_id": "MS-TA9003" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "x_mitre_ids": [ - "T1078.004" - ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" 
@@ -2164,30 +2124,33 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", + "id": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-03T08:10:16.000Z", + "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Static pods", - "description": "Static Pods are created and managed by the the kubelet daemon on each node, without the API server observing them. Kubelet watches each static pod and restart it if it fails.\n\nKubelet automatically tries to create a mirror pod on the Kubernetes API server to represent the static pods, so it will be visible on the API server, however the pods cannot be controlled from there.\n\nStatic Pods are created based on a web or local filesystem YAML files which kubelet observes for changes.\nAn attacker can use the static pods manifest file to ensure that a pod is always running on a cluster node and prevent it from being changed or deleted from the Kubernetes API server.", + "name": "Delete Kubernetes events", + "description": "A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster. Example events are a container creation, an image pull, or a pod scheduling on a node.\n\nKubernetes events can be very useful for identifying changes that occur in the cluster. 
Therefore, attackers may want to delete these events (e.g., by using: \u201ckubectl delete events\u2013all\u201d) in an attempt to avoid detection of their activity in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "persistence" + "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Static%20pods", - "external_id": "MS-TA9017" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20Kubernetes%20events", + "external_id": "MS-TA9022" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "x_mitre_ids": [ + "T1070" + ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" 
@@ -2197,24 +2160,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", + "id": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-25T08:08:39.000Z", - "name": "CoreDNS poisoning", - "description": "CoreDNS is a modular Domain Name System (DNS) server written in Go, hosted by Cloud Native Computing Foundation (CNCF). CoreDNS is the main DNS service that is being used in Kubernetes. The configuration of CoreDNS can be modified by a file named corefile. In Kubernetes, this file is stored in a ConfigMap object, located at the kube-system namespace. If attackers have permissions to modify the ConfigMap, for example by using the container\u2019s service account, they can change the behavior of the cluster\u2019s DNS, poison it, and take the network identity of other services.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Network mapping", + "description": "Attackers may try to map the cluster network to get information on the running applications, including scanning for known vulnerabilities. By default, there is no restriction on pods communication in Kubernetes. Therefore, attackers who gain access to a single container, may use it to probe the network.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "lateral-movement" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/CoreDNS%20poisoning", - "external_id": "MS-TA9035" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Network%20mapping", + "external_id": "MS-TA9031" } ], "x_mitre_domains": [ 
@@ -2222,7 +2185,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1557" + "T1046" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2233,24 +2196,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", + "id": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Pod or container name similarity", - "description": "Pods that are created by controllers such as Deployment or DaemonSet have random suffix in their names. Attackers can use this fact and name their backdoor pods as they were created by the existing controllers. For example, an attacker could create a malicious pod named coredns-{random suffix} which would look related to the CoreDNS Deployment.\n\nAlso, attackers can deploy their containers in the kube-system namespace where the administrative containers reside.", + "modified": "2022-12-05T07:54:00.000Z", + "name": "Sidecar injection", + "description": "A Kubernetes Pod is a group of one or more containers with shared storage and network resources. Sidecar container is a term that is used to describe an additional container that resides alongside the main container. For example, service-mesh proxies are operating as sidecars in the applications\u2019 pods. Attackers can run their code and hide their activity by injecting a sidecar container to a legitimate pod in the cluster instead of running their own separated pod in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarity", - "external_id": "MS-TA9023" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20injection", + "external_id": "MS-TA9011" } ], "x_mitre_domains": [ 
@@ -2258,7 +2221,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1036.005" + "T1610" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2269,24 +2232,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "id": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Connect from proxy server", - "description": "Attackers may use proxy servers to hide their origin IP. Specifically, attackers often use anonymous networks such as TOR for their activity. This can be used for communicating with the applications themselves or with the API server.", + "modified": "2022-12-05T07:54:00.000Z", + "name": "ARP poisoning and IP spoofing", + "description": "Kubernetes has numerous network plugins (Container Network Interfaces or CNIs) that can be used in the cluster. Kubenet is the basic, and in many cases the default, network plugin. In this configuration, a bridge is created on each node (cbr0) to which the various pods are connected using veth pairs. The fact that cross-pod traffic is through a bridge, a level-2 component, means that performing ARP poisoning in the cluster is possible. Therefore, if attackers get access to a pod in the cluster, they can perform ARP poisoning, and spoof the traffic of other pods. 
By using this technique, attackers can perform several attacks at the network-level which can lead to lateral movements, such as DNS spoofing or stealing cloud identities of other pods (CVE-2021-1677).", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Connect%20from%20proxy%20server", - "external_id": "MS-TA9024" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/ARP%20poisoning%20and%20IP%20spoofing", + "external_id": "MS-TA9036" } ], "x_mitre_domains": [ @@ -2294,7 +2257,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1090" + "T1557" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2305,28 +2268,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", + "id": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Malicious admission controller", - "description": "Admission controller is a Kubernetes component that intercepts, and possibly modifies, requests to the Kubernetes API server. There are two types of admissions controllers: validating and mutating controllers. As the name implies, a mutating admission controller can modify the intercepted request and change its properties. Kubernetes has a built-in generic admission controller named MutatingAdmissionWebhook. The behavior of this admission controller is determined by an admission webhook that the user deploys in the cluster. Attackers can use such webhooks for gaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.", + "name": "Application vulnerability", + "description": "Running a public-facing vulnerable application in a cluster can enable initial access to the cluster. A container that runs an application that is vulnerable to remote code execution vulnerability (RCE) may be exploited. 
If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "credential-access" + "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Malicious%20admission%20controller", - "external_id": "MS-TA9015" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20vulnerability", + "external_id": "MS-TA9004" } ], "x_mitre_domains": [ @@ -2334,7 +2293,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1546" + "T1190" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2345,24 +2304,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "id": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Application vulnerability", - "description": "Running a public-facing vulnerable application in a cluster can enable initial access to the cluster. A container that runs an application that is vulnerable to remote code execution vulnerability (RCE) may be exploited. If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.", + "name": "Application exploit (RCE)", + "description": "An application that is deployed in the cluster and is vulnerable to a remote code execution vulnerability, or a vulnerability that eventually allows code execution, enables attackers to run code in the cluster. If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "initial-access" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20vulnerability", - "external_id": "MS-TA9004" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20exploit%20(RCE)", + "external_id": "MS-TA9009" } ], "x_mitre_domains": [ 
@@ -2381,24 +2340,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", + "id": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Cluster internal networking", - "description": "Kubernetes networking behavior allows traffic between pods in the cluster as a default behavior. Attackers who gain access to a single container may use it for network reachability to another container in the cluster.", + "name": "Exec into container", + "description": "Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (\u201ckubectl exec\u201d). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using \u201ckubectl exec\u201d.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "lateral-movement" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster%20internal%20networking", - "external_id": "MS-TA9034" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container", + "external_id": "MS-TA9006" } ], "x_mitre_domains": [ @@ -2406,7 +2365,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1210" + "T1609" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2417,24 +2376,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", + "id": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "Backdoor container", - "description": "Attackers run their malicious code in a container in the cluster. By using the Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers run in one, or all, the nodes in the cluster.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Bash or cmd inside container", + "description": "Attackers who have permissions to run a cmd/bash script inside a container can use it to execute malicious code and compromise cluster resources.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "persistence" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Backdoor%20container", - "external_id": "MS-TA9012" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Bash%20or%20cmd%20inside%20container", + "external_id": "MS-TA9007" } ], "x_mitre_domains": [ @@ -2442,7 +2401,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1543" + "T1059" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2453,24 +2412,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", + "id": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Images from a private registry", - "description": "The images that are running in the cluster can be stored in a private registry. For pulling those images, the container runtime engine (such as Docker or containerd) needs to have valid credentials to those registries. If the registry is hosted by the cloud provider, in services like Azure Container Registry (ACR) or Amazon Elastic Container Registry (ECR), cloud credentials are used to authenticate to the registry. If attackers get access to the cluster, in some cases they can obtain access to the private registry and pull its images. For example, attackers can use the managed identity token as described in the \u201cAccess managed identity credential\u201d technique. Similarly, in EKS, attackers can use the AmazonEC2ContainerRegistryReadOnly policy that is bound by default to the node\u2019s IAM role.", + "name": "Denial of service", + "description": "Attackers may attempt to perform a denial of service attack, which makes the service unavailable to the legitimate users. 
In container clusters, this include attempts to block the availability of the containers themselves, the underlying nodes, or the API server.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "collection" + "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Images%20from%20a%20private%20registry", - "external_id": "MS-TA9037" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Denial%20of%20service", + "external_id": "MS-TA9040" } ], "x_mitre_domains": [ @@ -2478,7 +2437,8 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1530" + "T1498", + "T1499" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2487,100 +2447,72 @@ "x_mitre_version": "1.0" }, { - "type": "course-of-action", + "type": "attack-pattern", "spec_version": "2.1", - "id": "course-of-action--eed35bd4-2d5d-4da3-8040-699606665dd9", - "created": "2024-05-08T15:23:01.114222Z", - "modified": "2024-05-08T15:23:01.114222Z", - "name": "Restrict the usage of unauthenticated APIs in the cluster", - "description": "Some unmanaged clusters are misconfigured such as anonymous access is accepted by the Kubernetes API server. Make sure that the Kubernetes API is configured properly, and authentication and authorization mechanisms are set.", - "external_references": [ + "id": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "created": "2022-10-02T14:34:35.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Application credentials in configuration files", + "description": "Developers store secrets in the Kubernetes configuration files, such as environment variables in the pod configuration. Such behavior is commonly seen in clusters that are monitored by Microsoft Defender for Cloud. 
Attackers who have access to those configurations, by querying the API server or by accessing those files on the developer\u2019s endpoint, can steal the stored secrets and use them.\n\nUsing those credentials attackers may gain access to additional resources inside and outside the cluster.", + "kill_chain_phases": [ { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9021%20Restrict%20the%20usage%20of%20unauthenticated%20APIs%20in%20the%20cluster/", - "external_id": "MS-M9021" + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" } - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--d1675c61-27a2-46f1-b9b9-3da8f9fa7b9f", - "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.115245Z", - "modified": "2024-05-08T15:23:01.115245Z", - "description": "Some unmanaged clusters are misconfigured such as anonymous access is accepted by the Kubernetes API server", - "relationship_type": "mitigates", - "source_ref": "course-of-action--eed35bd4-2d5d-4da3-8040-699606665dd9", - "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_domains": [ - "enterprise-attack" ], - "x_mitre_version": "0.1", - "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" - }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--715b7490-951c-4873-beb8-ec514095a186", - "created": "2024-05-08T15:23:01.117049Z", - "modified": "2024-05-08T15:23:01.117049Z", - "name": "Use CNIs that are not prone to ARP poisoning", - "description": "Kubernetes default CNI (Kubenet) is prone to ARP poisoning. 
This allows pods to impersonate other pods in the cluster.\nUse alternative CNIs that are not prone to ARP poisoning in the cluster.", + "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9028%20Use%20CNIs%20that%20are%20not%20prone%20to%20ARP%20poisoning/", - "external_id": "MS-M9028" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20credentials%20in%20configuration%20files", + "external_id": "MS-TA9027" } - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--5b574b6b-a4d0-47e8-8d83-b001e9633fcc", - "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.117155Z", - "modified": "2024-05-08T15:23:01.117155Z", - "description": "Kubernetes default CNI (Kubenet) is prone to ARP poisoning", - "relationship_type": "mitigates", - "source_ref": "course-of-action--715b7490-951c-4873-beb8-ec514095a186", - "target_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", - "x_mitre_attack_spec_version": "2.1.0", + ], "x_mitre_domains": [ "enterprise-attack" ], - "x_mitre_version": "0.1", - "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" + "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "x_mitre_ids": [ + "T1552" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Kubernetes" + ], + "x_mitre_version": "1.0" }, { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--1ba7caaa-eb4d-4db9-9552-96712fa207ed", - "created": "2024-05-08T15:23:01.119287Z", - "modified": "2024-05-08T15:23:01.119287Z", - "name": "Allocate specific identities to pods", - "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity. 
This prevents other pods from accessing cloud identities that are not necessary for their operation. The features that implement this separation are: Azure AD Pod Identity (AKS), Azure AD Workload identity (AKS), IRSA (EKS) and GCP Workload Identity (GCP).", + "id": "course-of-action--d18089f6-e0e9-44f0-b4b7-ddbac88bdf42", + "created": "2024-05-15T03:39:57.825656Z", + "modified": "2024-05-15T03:39:57.825656Z", + "name": "Ensure that pods meet defined Pod Security Standards", + "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum. These policies are cumulative and range from highly-permissive to highly-restrictive. Decoupling policy definition from policy instantiation allows for a common understanding and consistent language of policies across clusters, independent of the underlying enforcement mechanism. At the same time, Kubernetes offers a built-in Pod Security admission controller to enforce the Pod Security Standards. Pod security restrictions are applied at the namespace level when pods are created.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9019%20Allocate%20specific%20identities%20to%20pods/", - "external_id": "MS-M9019" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9017%20Ensure%20that%20pods%20meet%20defined%20Pod%20Security%20Standards/", + "external_id": "MS-M9017" } ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--6a676866-90b9-4ac9-81d8-f4fa5b86e958", + "id": "relationship--47e902dc-d050-4ac0-8ff6-d601c75392c2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.119394Z", - "modified": "2024-05-08T15:23:01.119394Z", - "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity", + "created": 
"2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum", "relationship_type": "mitigates", - "source_ref": "course-of-action--1ba7caaa-eb4d-4db9-9552-96712fa207ed", - "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", + "source_ref": "course-of-action--d18089f6-e0e9-44f0-b4b7-ddbac88bdf42", + "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -2591,14 +2523,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--76657bf1-fa01-4bbc-b869-7fc16c2d8322", + "id": "relationship--3972ebaf-03b8-42b0-81c7-bdf7fb29c0bb", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.119485Z", - "modified": "2024-05-08T15:23:01.119485Z", - "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum", "relationship_type": "mitigates", - "source_ref": "course-of-action--1ba7caaa-eb4d-4db9-9552-96712fa207ed", - "target_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", + "source_ref": "course-of-action--d18089f6-e0e9-44f0-b4b7-ddbac88bdf42", + "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -2609,30 +2541,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--7206f8b8-f7a9-426b-98b0-d6eb177ba6ab", - "created": "2024-05-08T15:23:01.121311Z", - "modified": "2024-05-08T15:23:01.121311Z", - "name": "Avoid using plain text credentials", - "description": "Avoid using plain text credentials in configuration files. Use Kubernetes secrets or cloud secret store instead. This prevents unwanted access to plaintext credentials in source code, configuration files and Kubernetes objects.", + "id": "course-of-action--be336cd0-0144-4b41-bb84-5ac767fc4e3a", + "created": "2024-05-15T03:39:57.842372Z", + "modified": "2024-05-15T03:39:57.842372Z", + "name": "Implement data backup strategy", + "description": "Take and store data backups from pod mounted volumes for critical workloads. Ensure backup and storage systems are hardened and kept separate from the Kubernetes environment to prevent compromise.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9026%20Avoid%20using%20plain%20text%20credentials/", - "external_id": "MS-M9026" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9031%20Implement%20data%20backup%20strategy/", + "external_id": "MS-M9031" } + ], + "x_mitre_ids": [ + "M1053" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--5ad126e4-a6cb-462b-8e7c-33d99a40f953", + "id": "relationship--88363a55-a2fd-43fa-92ba-a7f59d890383", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.121429Z", - "modified": "2024-05-08T15:23:01.121429Z", - "description": "Avoid using plain text credentials in configuration files", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Take and store data backups from pod mounted volumes for critical workloads", "relationship_type": "mitigates", - 
"source_ref": "course-of-action--7206f8b8-f7a9-426b-98b0-d6eb177ba6ab", - "target_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "source_ref": "course-of-action--be336cd0-0144-4b41-bb84-5ac767fc4e3a", + "target_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -2643,30 +2578,48 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--6e041ffe-db6b-446c-8375-11f0dcaa08ef", - "created": "2024-05-08T15:23:01.123399Z", - "modified": "2024-05-08T15:23:01.123399Z", - "name": "Enable Just In Time access to API server", - "description": "Employing Just In Time (JIT) elevated access to Kubernetes API server helps reduce the attack surface to the API server by compromised accounts by allowing access only at specific times, and through a governed escalation process. Enabling JIT access in Kubernetes is often done together with OpenID authentication which includes processes and tools to manage JIT access. One example of such OpenID authentication is Azure Active Directory authentication to Kubernetes clusters. The JIT approval is performed in the cloud control-plane level. Therefore, even if attackers have access to an account credentials, their access to the cluster is limited.", + "id": "course-of-action--6a337cb5-9810-4fde-b26c-e0b6e47424e7", + "created": "2024-05-15T03:39:57.857619Z", + "modified": "2024-05-15T03:39:57.857619Z", + "name": "Restrict exec commands on pods", + "description": "", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9006%20Enable%20Just%20In%20Time%20access%20to%20API%20server/", - "external_id": "MS-M9006" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9010%20Restrict%20exec%20commands%20on%20pods/", + "external_id": "MS-M9010" } ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--3e13da7d-4529-42be-832e-5aec578dbd65", + "id": "relationship--2b560cb5-3d21-4600-8190-039c71ab48cd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.1235Z", - "modified": "2024-05-08T15:23:01.1235Z", - "description": "Employing Just In Time (JIT) elevated access to Kubernetes API server helps 
reduce the attack surface to the API server by compromised accounts by allowing access only at specific times, and through a governed escalation process", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--6e041ffe-db6b-446c-8375-11f0dcaa08ef", - "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "source_ref": "course-of-action--6a337cb5-9810-4fde-b26c-e0b6e47424e7", + "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "0.1", + "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--2302f090-74f9-4954-ae00-bff492115838", + "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", + "relationship_type": "mitigates", + "source_ref": "course-of-action--6a337cb5-9810-4fde-b26c-e0b6e47424e7", + "target_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -2677,9 +2630,9 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--0223c63f-3d6c-4bf7-abc2-9d4239e49cd0", - "created": "2024-05-08T15:23:01.125419Z", - "modified": "2024-05-08T15:23:01.125419Z", + "id": "course-of-action--f7e1a334-e6b4-4304-810c-2e86945b3a86", + "created": "2024-05-15T03:39:57.878398Z", + "modified": "2024-05-15T03:39:57.878398Z", "name": "Restrict access to etcd", "description": "Access to etcd should be limited to the Kubernetes control plane only. Depending on your configuration, you should attempt to use etcd over TLS. This mitigation is relevant only to non-managed Kubernetes environment, as access to etcd in cloud managed clusters is already restricted.", "external_references": [ @@ -2696,13 +2649,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--51444f68-fe63-4319-bbcc-2c09a5c9a834", + "id": "relationship--c7a61598-c44a-43f1-bbdc-dc7977468cd9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.125521Z", - "modified": "2024-05-08T15:23:01.125521Z", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", "description": "Access to etcd should be limited to the Kubernetes control plane only", "relationship_type": "mitigates", - "source_ref": "course-of-action--0223c63f-3d6c-4bf7-abc2-9d4239e49cd0", + "source_ref": "course-of-action--f7e1a334-e6b4-4304-810c-2e86945b3a86", "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2714,48 +2667,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--7689d229-1186-4094-ad2c-a91e26a06dd7", - "created": "2024-05-08T15:23:01.127841Z", - "modified": "2024-05-08T15:23:01.127841Z", - "name": "Ensure that pods meet defined Pod Security Standards", - "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum. These policies are cumulative and range from highly-permissive to highly-restrictive. Decoupling policy definition from policy instantiation allows for a common understanding and consistent language of policies across clusters, independent of the underlying enforcement mechanism. At the same time, Kubernetes offers a built-in Pod Security admission controller to enforce the Pod Security Standards. Pod security restrictions are applied at the namespace level when pods are created.", + "id": "course-of-action--df4e2e90-5dc4-42c3-99a7-670f85d8bf9b", + "created": "2024-05-15T03:39:57.888875Z", + "modified": "2024-05-15T03:39:57.888875Z", + "name": "Use CNIs that are not prone to ARP poisoning", + "description": "Kubernetes default CNI (Kubenet) is prone to ARP poisoning. 
This allows pods to impersonate other pods in the cluster.\nUse alternative CNIs that are not prone to ARP poisoning in the cluster.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9017%20Ensure%20that%20pods%20meet%20defined%20Pod%20Security%20Standards/", - "external_id": "MS-M9017" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9028%20Use%20CNIs%20that%20are%20not%20prone%20to%20ARP%20poisoning/", + "external_id": "MS-M9028" } ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--3a7acb8c-842c-4448-9109-4fd286ba7bd4", - "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.127938Z", - "modified": "2024-05-08T15:23:01.127938Z", - "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum", - "relationship_type": "mitigates", - "source_ref": "course-of-action--7689d229-1186-4094-ad2c-a91e26a06dd7", - "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_domains": [ - "enterprise-attack" - ], - "x_mitre_version": "0.1", - "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--26d9ed03-0515-4527-9566-60c3a63bf48e", + "id": "relationship--d3a24ed6-a20a-427a-8728-747a9e9cc251", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.128015Z", - "modified": "2024-05-08T15:23:01.128015Z", - "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-25T08:08:39.000Z", + "description": "Kubernetes default CNI (Kubenet) is prone to ARP poisoning", "relationship_type": "mitigates", - 
"source_ref": "course-of-action--7689d229-1186-4094-ad2c-a91e26a06dd7", - "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", + "source_ref": "course-of-action--df4e2e90-5dc4-42c3-99a7-670f85d8bf9b", + "target_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -2766,32 +2701,29 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--11c6d64e-5d90-4529-94be-cc473c37f9a5", - "created": "2024-05-08T15:23:01.13165Z", - "modified": "2024-05-08T15:23:01.13165Z", - "name": "Restricting cloud metadata API access", - "description": "", + "id": "course-of-action--9cfb811a-846e-497c-bfac-e77693f6abf5", + "created": "2024-05-15T03:39:57.901088Z", + "modified": "2024-05-15T03:39:57.901088Z", + "name": "Allocate specific identities to pods", + "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity. This prevents other pods from accessing cloud identities that are not necessary for their operation. The features that implement this separation are: Azure AD Pod Identity (AKS), Azure AD Workload identity (AKS), IRSA (EKS) and GCP Workload Identity (GCP).", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9018%20Restricting%20cloud%20metadata%20API%20access/", - "external_id": "MS-M9018" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9019%20Allocate%20specific%20identities%20to%20pods/", + "external_id": "MS-M9019" } - ], - "x_mitre_ids": [ - "M1035" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9cfd33ce-2528-4e82-ab8a-df5174f05c32", + "id": "relationship--668359c0-229e-4837-8c37-3d08488c88bb", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.131768Z", - "modified": "2024-05-08T15:23:01.131768Z", - "description": "", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity", "relationship_type": "mitigates", - "source_ref": 
"course-of-action--11c6d64e-5d90-4529-94be-cc473c37f9a5", + "source_ref": "course-of-action--9cfb811a-846e-497c-bfac-e77693f6abf5", "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -2803,13 +2735,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--61c3b504-1806-4a67-af11-164a1c904f37", + "id": "relationship--8b302aa6-00b1-4fed-88a8-0f740277d6a6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.131862Z", - "modified": "2024-05-08T15:23:01.131862Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity", "relationship_type": "mitigates", - "source_ref": "course-of-action--11c6d64e-5d90-4529-94be-cc473c37f9a5", + "source_ref": "course-of-action--9cfb811a-846e-497c-bfac-e77693f6abf5", "target_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2818,17 +2750,33 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--d6506d30-d93b-4adb-aaa5-dc101f76c185", + "created": "2024-05-15T03:39:57.937564Z", + "modified": "2024-05-15T03:39:57.937564Z", + "name": "Use NodeRestriction admission controller", + "description": "NodeRestriction admission controller limits the permissions of kubelet and allows it to modify only its own Node object and only the pods that are running on its own node. This may limit attackers who have access to the Kubelet API from gaining full control over the cluster.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9027%20Use%20NodeRestriction%20admission%20controller/", + "external_id": "MS-M9027" + } + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--30b19dd5-db4d-4c84-8256-c658bce46c93", + "id": "relationship--b2cac5d0-9da1-4590-a36a-9f4df984adb0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.131933Z", - "modified": "2024-05-08T15:23:01.131933Z", - "description": "", - "relationship_type": "mitigates", - "source_ref": "course-of-action--11c6d64e-5d90-4529-94be-cc473c37f9a5", - "target_ref": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "NodeRestriction admission controller limits the permissions of kubelet and allows it to modify only its own Node object and only the pods that are running on its own node", + "relationship_type": "mitigates", + "source_ref": "course-of-action--d6506d30-d93b-4adb-aaa5-dc101f76c185", + "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
"enterprise-attack" 
@@ -2836,17 +2784,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--5e4fd4f0-94d4-47f7-a357-46f448722eaf", + "created": "2024-05-15T03:39:57.960968Z", + "modified": "2024-05-15T03:39:57.960968Z", + "name": "Network intrusion prevention", + "description": "Use intrusion detection signatures and web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster.\n\nAdapting the network intrusion prevention solution to Kubernetes environment might be needed to route network traffic destined to services through it.\nIn some cases, this will be done by deploying a containerized version of a network intrusion prevention solution to the Kubernetes cluster and be part of the cluster network, and in some cases, routing ingress traffic to Kubernetes services through an external appliance, requiring that all ingress traffic will only come from such an appliance.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9007%20Network%20intrusion%20prevention/", + "external_id": "MS-M9007" + } + ], + "x_mitre_ids": [ + "M1031" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--65208f94-dbff-4d67-9543-a49c72327f9a", + "id": "relationship--441effaa-fc37-4d35-a302-7dc72079b3f6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.132001Z", - "modified": "2024-05-08T15:23:01.132001Z", - "description": "", + "created": "2022-10-20T10:28:30.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use intrusion detection signatures and web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster", "relationship_type": "mitigates", - "source_ref": 
"course-of-action--11c6d64e-5d90-4529-94be-cc473c37f9a5", - "target_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", + "source_ref": "course-of-action--5e4fd4f0-94d4-47f7-a357-46f448722eaf", + "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -2857,33 +2824,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "created": "2024-05-08T15:23:01.142495Z", - "modified": "2024-05-08T15:23:01.142495Z", - "name": "Adhere to least-privilege principle", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions. This applies also to other, external, authorization providers such as Azure RBAC in AKS.\n\nIn managed cluster, Kubernetes credentials are often retrieved or generated by the cloud provider via API call. To reduce the attack surface, grant permissions to the cloud provider API only to necessary accounts. In the case of Azure, make sure that only required identities have permissions to call:/subscriptions/resourceGroups/providers/Microsoft.ContainerService/managedClusters/listClusterUserCredential\n\nKubeconfig file can contain credentials of accounts that allow interaction with a cluster. 
By applying least privileges principle to all accounts, can limit the impact of an account compromised through Kubeconfig file.\n\nKubernetes project also lists the following recommendations for permissions and role assignment best practices:", + "id": "course-of-action--fc86c66d-312b-40d2-a364-63e5c9730217", + "created": "2024-05-15T03:39:57.977696Z", + "modified": "2024-05-15T03:39:57.977696Z", + "name": "Disable service account auto mount", + "description": "", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9003%20Adhere%20to%20least-privilege%20principle/", - "external_id": "MS-M9003" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9025%20Disable%20service%20account%20auto%20mount/", + "external_id": "MS-M9025" } - ], - "x_mitre_ids": [ - "M1018" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--19f8e6fe-02ed-4095-91a6-92e18df62fe4", + "id": "relationship--1621a410-66d0-47b3-a2e6-f1ac69d2e400", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.142614Z", - "modified": "2024-05-08T15:23:01.142614Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "source_ref": "course-of-action--fc86c66d-312b-40d2-a364-63e5c9730217", + "target_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -2891,16 +2855,32 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--6ec9004b-0179-4fc8-8fe4-1f43cfdd6d2b", + "created": "2024-05-15T03:39:57.99612Z", + "modified": "2024-05-15T03:39:57.99612Z", + "name": "Enable Just In Time access to API server", + "description": "Employing Just In Time (JIT) elevated access to Kubernetes API server helps reduce the attack surface to the API server by compromised accounts by allowing access only at specific times, and through a governed escalation process. Enabling JIT access in Kubernetes is often done together with OpenID authentication which includes processes and tools to manage JIT access. One example of such OpenID authentication is Azure Active Directory authentication to Kubernetes clusters. The JIT approval is performed in the cloud control-plane level. Therefore, even if attackers have access to an account credentials, their access to the cluster is limited.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9006%20Enable%20Just%20In%20Time%20access%20to%20API%20server/", + "external_id": "MS-M9006" + } + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--46c56f83-318c-4e97-b46c-9f3ae3b081fc", + "id": "relationship--82fef1ca-0515-4996-89d5-92c7eddb27a7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.142694Z", - "modified": "2024-05-08T15:23:01.142694Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-27T17:00:14.000Z", + "description": "Employing Just In Time (JIT) elevated access to Kubernetes API server helps reduce the attack surface 
to the API server by compromised accounts by allowing access only at specific times, and through a governed escalation process", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", + "source_ref": "course-of-action--6ec9004b-0179-4fc8-8fe4-1f43cfdd6d2b", "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2909,16 +2889,35 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", + "created": "2024-05-15T03:39:58.025891Z", + "modified": "2024-05-15T03:39:58.025891Z", + "name": "Restrict over permissive containers", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster. This can include restricting privileged containers, containers with sensitive volumes, containers with excessive capabilities, and other signs of over permissive containers.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9013%20Restrict%20over%20permissive%20containers/", + "external_id": "MS-M9013" + } + ], + "x_mitre_ids": [ + "M1038" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--059abccd-2bb9-4c26-a720-e2b70fec315c", + "id": "relationship--e78b1260-67c2-4dba-9811-5671ecc86d4e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.142766Z", - "modified": "2024-05-08T15:23:01.142766Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", + "source_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": 
[ @@ -2930,13 +2929,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c25563e5-df67-4eb9-a38e-10cf72433219", + "id": "relationship--b7c28d09-b3e4-4ebf-9e30-dd341254a9bc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.142835Z", - "modified": "2024-05-08T15:23:01.142835Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", + "source_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2948,13 +2947,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--56609145-4706-4903-ba25-be7065847487", + "id": "relationship--47c55680-5536-46c0-93e2-7ba43eb9e776", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.142902Z", - "modified": "2024-05-08T15:23:01.142902Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", + "source_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", "target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2966,14 +2965,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--690fcf22-446b-4d66-a392-62b7cb419180", + "id": "relationship--b380fad0-5d5e-4390-ad96-97a5ac1203cc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.14297Z", - "modified": "2024-05-08T15:23:01.14297Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", + "source_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", + "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -2984,14 +2983,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--5cf19607-dffe-4d65-a952-5b76d622c8d8", + "id": "relationship--2f8329ae-7964-4398-b2fe-47ae58c8994b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143036Z", - "modified": "2024-05-08T15:23:01.143036Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", + "source_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", + "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3002,14 +3001,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--27423ae4-5d67-41d1-b053-4ff9b63c1eb5", + "id": "relationship--445c9b62-f257-4485-baed-1a57de978d8e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143104Z", - "modified": "2024-05-08T15:23:01.143104Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", + "source_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", + "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3020,13 +3019,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--4ba58c15-4a2d-47e7-9148-bbbd0ac1ee71", + "id": "relationship--60b78705-22c4-4c7f-8e76-e91f04453866", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.14317Z", - "modified": "2024-05-08T15:23:01.14317Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", + "source_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -3038,14 +3037,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--3fcf3afc-7c69-4425-9015-53926bf23f35", + "id": "relationship--0f8c253f-8051-4d59-b491-6c662b10d7df", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143235Z", - "modified": "2024-05-08T15:23:01.143235Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", + "source_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", + "target_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3056,14 +3055,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--b59f314e-f494-4ca6-9f68-403893c8ad81", + "id": "relationship--fbd533ab-0bd9-4325-bfcc-d83d673db51d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.14331Z", - "modified": "2024-05-08T15:23:01.14331Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "source_ref": "course-of-action--5c19083a-5a56-44c4-8cbb-ec13e8470a1f", + "target_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3071,17 +3070,37 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--3a4e2340-96db-4bbe-9367-19bdb6c1721d", + "created": "2024-05-15T03:39:58.170667Z", + "modified": "2024-05-15T03:39:58.170667Z", + "name": "Restrict container runtime using LSM", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others. Linux security modules can restrict access to files, running processes, certain system calls and others. Also, dropping unnecessary Linux capabilities from the container runtime environment helps reduce the attack surface of such container.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9011%20Restrict%20container%20runtime%20using%20LSM/", + "external_id": "MS-M9011" + } + ], + "x_mitre_ids": [ + "M1038", + "M1040" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--5d41b5c6-291f-4418-9033-062d980536f2", + "id": "relationship--7453d151-70fa-441e-8832-94fd974fd186", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143382Z", - "modified": "2024-05-08T15:23:01.143382Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", + "source_ref": 
"course-of-action--3a4e2340-96db-4bbe-9367-19bdb6c1721d", + "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -3092,14 +3111,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--aef66010-24c9-469d-9e61-8fd1e364cbef", + "id": "relationship--6a6c93d0-188f-4119-ab20-91b17bdf32f3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143456Z", - "modified": "2024-05-08T15:23:01.143456Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", + "source_ref": "course-of-action--3a4e2340-96db-4bbe-9367-19bdb6c1721d", + "target_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3110,14 +3129,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--621981c6-f3b5-4e15-acd8-544647a7e4a9", + "id": "relationship--436ea5cb-3d1b-44fc-bb05-d996cf30808a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143522Z", - "modified": "2024-05-08T15:23:01.143522Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", + "source_ref": "course-of-action--3a4e2340-96db-4bbe-9367-19bdb6c1721d", + "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3128,14 +3147,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1be627dd-375b-4c63-b321-a7e84c8c4a6f", + "id": "relationship--823d7851-b594-47d3-97ed-a9c568978f7b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143588Z", - "modified": "2024-05-08T15:23:01.143588Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "source_ref": "course-of-action--3a4e2340-96db-4bbe-9367-19bdb6c1721d", + "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3146,14 +3165,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--30fa1766-baae-4c3a-9257-2eafddc67bf9", + "id": "relationship--6cac8de5-3b27-49a4-8c07-cb2d15647466", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143661Z", - "modified": "2024-05-08T15:23:01.143661Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", + "source_ref": "course-of-action--3a4e2340-96db-4bbe-9367-19bdb6c1721d", + "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3164,14 +3183,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--45dec0fe-060f-4283-965a-662f5aad46c6", + "id": "relationship--41040ed7-7abb-4f07-bd4e-042144c5cbfc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143726Z", - "modified": "2024-05-08T15:23:01.143726Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", + "source_ref": "course-of-action--3a4e2340-96db-4bbe-9367-19bdb6c1721d", + "target_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3182,14 +3201,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--ae9aef0c-27d9-475e-b7fb-08332ae5b518", + "id": "relationship--82b39550-3b6a-4195-af43-2475c0f99035", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143793Z", - "modified": "2024-05-08T15:23:01.143793Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", + "source_ref": "course-of-action--3a4e2340-96db-4bbe-9367-19bdb6c1721d", + "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3197,17 +3216,33 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--f112a1ed-8a40-4df5-9315-ecebbc4d886f", + "created": "2024-05-15T03:39:58.266117Z", + "modified": "2024-05-15T03:39:58.266117Z", + "name": "Restrict the usage of unauthenticated APIs in the cluster", + "description": "Some unmanaged clusters are misconfigured such as anonymous access is accepted by the Kubernetes API server. Make sure that the Kubernetes API is configured properly, and authentication and authorization mechanisms are set.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9021%20Restrict%20the%20usage%20of%20unauthenticated%20APIs%20in%20the%20cluster/", + "external_id": "MS-M9021" + } + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--7a103bef-f288-4179-860b-39e0f3a95609", + "id": "relationship--125fd123-9f94-4bed-9ff1-a4cc5ae59c1d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.143859Z", - "modified": "2024-05-08T15:23:01.143859Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Some unmanaged clusters are misconfigured such as anonymous access is accepted by the Kubernetes API server", "relationship_type": "mitigates", - "source_ref": "course-of-action--4ec08d69-7729-4cc1-a5eb-765326d3e365", - "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "source_ref": "course-of-action--f112a1ed-8a40-4df5-9315-ecebbc4d886f", + "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "x_mitre_attack_spec_version": "2.1.0", 
"x_mitre_domains": [ "enterprise-attack" 
@@ -3218,33 +3253,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", - "created": "2024-05-08T15:23:01.147505Z", - "modified": "2024-05-08T15:23:01.147505Z", - "name": "Network segmentation", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster. This includes inner-cluster communication as well as ingress\\egress traffic to\\from the cluster. Network Policies are a native K8s solution for networking restrictions in the cluster.", + "id": "course-of-action--a247c53d-e7a6-4d80-aa48-6fe42967652c", + "created": "2024-05-15T03:39:58.279406Z", + "modified": "2024-05-15T03:39:58.279406Z", + "name": "Avoid running management interface on containers", + "description": "Avoid running SSH daemon, as well as other management interfaces, if they aren\u2019t necessary for the application\u2019s functionality.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9014%20Network%20segmentation/", - "external_id": "MS-M9014" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9015%20Avoid%20running%20management%20interface%20on%20containers/", + "external_id": "MS-M9015" } ], "x_mitre_ids": [ - "M1030" + "M1042" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--f8a571d5-ea3d-496e-8943-bcfc0103b575", + "id": "relationship--b9f4b92e-b977-4971-a42d-84dd123d2f73", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.14761Z", - "modified": "2024-05-08T15:23:01.14761Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Avoid running SSH daemon, as well as other management interfaces, if they aren\u2019t necessary for the application\u2019s 
functionality", "relationship_type": "mitigates", - "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", - "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "source_ref": "course-of-action--a247c53d-e7a6-4d80-aa48-6fe42967652c", + "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3252,17 +3287,33 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--1dced729-7647-4645-bc44-44a8e0ec09c6", + "created": "2024-05-15T03:39:58.290604Z", + "modified": "2024-05-15T03:39:58.290604Z", + "name": "Avoid using plain text credentials", + "description": "Avoid using plain text credentials in configuration files. Use Kubernetes secrets or cloud secret store instead. This prevents unwanted access to plaintext credentials in source code, configuration files and Kubernetes objects.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9026%20Avoid%20using%20plain%20text%20credentials/", + "external_id": "MS-M9026" + } + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--a73b5a9d-acd5-4fea-a45c-482f2a7631bf", + "id": "relationship--feee0640-5a1c-4b1a-aee7-8ecf910ffa54", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.147691Z", - "modified": "2024-05-08T15:23:01.147691Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Avoid using plain text credentials in configuration files", "relationship_type": "mitigates", - "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", - "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "source_ref": "course-of-action--1dced729-7647-4645-bc44-44a8e0ec09c6", + "target_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3270,17 +3321,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--47f9cbda-6403-4d2b-9b59-6a992d1f5980", + "created": "2024-05-15T03:39:58.300022Z", + "modified": "2024-05-15T03:39:58.300022Z", + "name": "Limit access to services over network", + "description": "Avoid exposing sensitive interfaces insecurely to the Internet or limit access to it. Sensitive interfaces includes management tools and applications that allow creation of new containers in the cluster. Some of those services does not use authentication by default and are not intended to be exposed. Examples of services that were exploited: Weave Scope, Apache NiFi and more.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9008%20Limit%20access%20to%20services%20over%20network/", + "external_id": "MS-M9008" + } + ], + "x_mitre_ids": [ + "M1035" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--41d76943-df71-46e1-af89-a256a85aa9aa", + "id": "relationship--d2069d2d-a20a-4b3e-a027-acd5908ae5e8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.147761Z", - "modified": "2024-05-08T15:23:01.147761Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-20T10:28:30.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Avoid exposing sensitive interfaces insecurely to the Internet or limit access to it", "relationship_type": "mitigates", - "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", - "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "source_ref": "course-of-action--47f9cbda-6403-4d2b-9b59-6a992d1f5980", + "target_ref": 
"attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3288,17 +3358,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--9f619244-0b94-4acb-9b2a-f2f114255201", + "created": "2024-05-15T03:39:58.31433Z", + "modified": "2024-05-15T03:39:58.31433Z", + "name": "Collect logs to remote data storage", + "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion. This can be achieved by various open-source tools such as Fluentd. Also, built-in cloud solutions are available for managed clusters, such as Container Insights and Log Analytics in AKS and Cloud Logging in GKE.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9020%20Collect%20logs%20to%20remote%20data%20storage/", + "external_id": "MS-M9020" + } + ], + "x_mitre_ids": [ + "M1029" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c96c9e19-f90b-467b-9acd-257e04ae50a7", + "id": "relationship--514630be-e767-4d04-9498-748c96fed3fd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.147831Z", - "modified": "2024-05-08T15:23:01.147831Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion", "relationship_type": "mitigates", - "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", - "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "source_ref": "course-of-action--9f619244-0b94-4acb-9b2a-f2f114255201", + "target_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", "x_mitre_attack_spec_version": 
"2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -3309,14 +3398,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--172f7807-6ce2-4b72-839f-c09169437aa3", + "id": "relationship--d92430ae-9da0-403a-a71c-e4c9ab7bcb79", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.147905Z", - "modified": "2024-05-08T15:23:01.147905Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion", "relationship_type": "mitigates", - "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", - "target_ref": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", + "source_ref": "course-of-action--9f619244-0b94-4acb-9b2a-f2f114255201", + "target_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3324,17 +3413,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--ee1c2574-0cf7-49ac-9eb8-9dca7c3b9b6a", + "created": "2024-05-15T03:39:58.351488Z", + "modified": "2024-05-15T03:39:58.351488Z", + "name": "Restricting cloud metadata API access", + "description": "", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9018%20Restricting%20cloud%20metadata%20API%20access/", + "external_id": "MS-M9018" + } + ], + "x_mitre_ids": [ + "M1035" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--88b9667b-ed8a-4390-b442-38f6034f65fe", + "id": "relationship--21c72327-1686-4bb2-aafa-29fc826de0f4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.147977Z", - "modified": "2024-05-08T15:23:01.147977Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", - "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", + "source_ref": "course-of-action--ee1c2574-0cf7-49ac-9eb8-9dca7c3b9b6a", + "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3345,14 +3453,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--932c3ddb-6fbf-4877-b681-6fa637df55d8", + "id": "relationship--4d297883-fc17-426c-8501-949f04b4b670", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.148044Z", - "modified": "2024-05-08T15:23:01.148044Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--039de484-f916-4083-9040-0faae6d7e66e", - "target_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", + "source_ref": "course-of-action--ee1c2574-0cf7-49ac-9eb8-9dca7c3b9b6a", + "target_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3360,37 +3468,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", - "created": "2024-05-08T15:23:01.151887Z", - "modified": "2024-05-08T15:23:01.151887Z", - "name": "Restrict container runtime using LSM", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others. Linux security modules can restrict access to files, running processes, certain system calls and others. Also, dropping unnecessary Linux capabilities from the container runtime environment helps reduce the attack surface of such container.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9011%20Restrict%20container%20runtime%20using%20LSM/", - "external_id": "MS-M9011" - } - ], - "x_mitre_ids": [ - "M1038", - "M1040" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--ea20a874-c3f9-44cf-929c-61c793cecbfc", + "id": "relationship--7a5e857e-7a4b-4759-a40c-60d29efec3e3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.151995Z", - "modified": "2024-05-08T15:23:01.151995Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", - "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "source_ref": "course-of-action--ee1c2574-0cf7-49ac-9eb8-9dca7c3b9b6a", + "target_ref": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -3401,14 +3489,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--8797c606-b9ba-4cc3-b00a-80bd84cdebb1", + "id": "relationship--6967d9ed-e1ed-47bf-b3ec-d1f8f81c063d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.152075Z", - "modified": "2024-05-08T15:23:01.152075Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", - "target_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", + "source_ref": "course-of-action--ee1c2574-0cf7-49ac-9eb8-9dca7c3b9b6a", + "target_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3416,17 +3504,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--b21ae259-0569-4d32-8dab-57852c779511", + "created": "2024-05-15T03:39:58.441929Z", + "modified": "2024-05-15T03:39:58.441929Z", + "name": "Restrict access to the API server using IP firewall", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster.\nIn managed clusters, cloud providers often support native built-in firewall which can restrict the IP addresses that are allowed to access the API server.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9002%20Restrict%20access%20to%20the%20API%20server%20using%20IP%20firewall/", + "external_id": "MS-M9002" + } + ], + "x_mitre_ids": [ + "M1035" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--32aa3123-080a-443c-b57e-ffd73a50cdb2", + "id": "relationship--a88aae08-b346-4048-aca7-8f39eff62238", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.152147Z", - "modified": "2024-05-08T15:23:01.152147Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", - "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "source_ref": 
"course-of-action--b21ae259-0569-4d32-8dab-57852c779511", + "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -3437,14 +3544,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1baaa766-7e3e-4c92-bd54-f16bc55d66a4", + "id": "relationship--db1ed7de-b7b3-49af-8a60-2a218e26257f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.152215Z", - "modified": "2024-05-08T15:23:01.152215Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", - "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "source_ref": "course-of-action--b21ae259-0569-4d32-8dab-57852c779511", + "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3455,14 +3562,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--02aaeb8c-105c-46bc-9349-5c892629abc5", + "id": "relationship--83652b7a-c311-4c31-80f1-1213523c6be6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.152288Z", - "modified": "2024-05-08T15:23:01.152288Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", - "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", + "source_ref": "course-of-action--b21ae259-0569-4d32-8dab-57852c779511", + "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3473,14 +3580,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--4ed2fb12-8fd9-49e4-848e-61cc48626c1f", + "id": "relationship--58f37654-7f31-4431-abe2-a2ae532a73db", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.152355Z", - "modified": "2024-05-08T15:23:01.152355Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", - "target_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", + "source_ref": "course-of-action--b21ae259-0569-4d32-8dab-57852c779511", + "target_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3491,13 +3598,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9ad82aa9-d56b-4a88-8362-fda4c6a2b347", + "id": "relationship--356c0b42-b5b2-471a-8afa-b64d58931f89", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.152422Z", - "modified": "2024-05-08T15:23:01.152422Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--f00abfaf-6044-4c03-a443-48d1579c9a68", + "source_ref": "course-of-action--b21ae259-0569-4d32-8dab-57852c779511", "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -3509,30 +3616,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--91d97c14-a002-47d5-8b73-aadd757ed2d1", - "created": "2024-05-08T15:23:01.154072Z", - "modified": "2024-05-08T15:23:01.154072Z", - "name": "Set requests and limits for containers", - "description": "Set requests and limits for each container to avoid resource contention and DoS attacks.", + "id": "course-of-action--3829223f-1341-45b8-8b2a-e914b027e677", + "created": "2024-05-15T03:39:58.537002Z", + "modified": "2024-05-15T03:39:58.537002Z", + "name": "Use cloud storage provider", + "description": "Use cloud storage services, such as Azure Files, for storing the application\u2019s data. Kubernetes integrates with all main cloud provider storage services as storage providers for pod volumes. This allows leveraging cloud storage capabilities such as backup and snapshots.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9029%20Set%20requests%20and%20limits%20for%20containers/", - "external_id": "MS-M9029" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9030%20Use%20cloud%20storage%20provider/", + "external_id": "MS-M9030" } ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c2d01ad0-290e-4a89-ae7c-8560e5e0ce6f", + "id": "relationship--cb8676e6-1c28-47f1-bfab-1e3361101981", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.154258Z", - "modified": "2024-05-08T15:23:01.154258Z", - "description": "Set requests and limits for each container to avoid resource contention and DoS attacks", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use cloud storage services, such as Azure Files, for storing the application\u2019s data", "relationship_type": "mitigates", - "source_ref": 
"course-of-action--91d97c14-a002-47d5-8b73-aadd757ed2d1", - "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", + "source_ref": "course-of-action--3829223f-1341-45b8-8b2a-e914b027e677", + "target_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3543,30 +3650,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--817d514e-58a7-4163-b17b-a465f985291e", - "created": "2024-05-08T15:23:01.157008Z", - "modified": "2024-05-08T15:23:01.157008Z", - "name": "Require strong authentication to services", - "description": "Use strong authentication when exposing sensitive interfaces to the Internet. For example, attacks were observed against exposed Kubeflow and Argo workloads that were not configured to use OpenID Connect or other authentication methods.\n\nUse strong authentication methods to the Kubernetes API that will prevent attackers from gaining access to the cluster even if valid credentials such as kubeconfig were achieved. For example, in AKS use AAD authentication instead of basic authentication. By using AAD authentication, a short-lived credential of the cluster is retrieved after authenticating to AAD.", + "id": "course-of-action--b6e4e5f7-c8ba-4ee8-96d9-8da03cec0d6e", + "created": "2024-05-15T03:39:58.564007Z", + "modified": "2024-05-15T03:39:58.564007Z", + "name": "Restrict file and directory permissions", + "description": "", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9009%20Require%20strong%20authentication%20to%20services/", - "external_id": "MS-M9009" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9016%20Restrict%20file%20and%20directory%20permissions/", + "external_id": "MS-M9016" } + ], + "x_mitre_ids": [ + "M1022" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--062c9dc9-2781-4bab-af67-e95556bf14c6", + "id": "relationship--cdde0114-2b9f-4c5b-8780-51dbf7f71135", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.157109Z", - "modified": "2024-05-08T15:23:01.157109Z", - "description": "Use strong authentication when exposing sensitive interfaces to the 
Internet", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--817d514e-58a7-4163-b17b-a465f985291e", - "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", + "source_ref": "course-of-action--b6e4e5f7-c8ba-4ee8-96d9-8da03cec0d6e", + "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -3577,14 +3687,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--42cedd8a-eaac-4a78-8876-1655bb621c05", + "id": "relationship--79f638dd-87ae-46f4-b151-386bb5c41447", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.157188Z", - "modified": "2024-05-08T15:23:01.157188Z", - "description": "Use strong authentication when exposing sensitive interfaces to the Internet", + "created": "2022-10-25T12:26:46.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--817d514e-58a7-4163-b17b-a465f985291e", - "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "source_ref": "course-of-action--b6e4e5f7-c8ba-4ee8-96d9-8da03cec0d6e", + "target_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3595,14 +3705,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--b0490e7e-61ae-45e6-b59a-6aeabd80803f", + "id": "relationship--0bdfc67c-4329-468f-9bbd-6adf54a80fa2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.157259Z", - "modified": "2024-05-08T15:23:01.157259Z", - "description": "Use strong authentication when exposing sensitive interfaces to the Internet", + "created": "2022-10-25T14:08:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--817d514e-58a7-4163-b17b-a465f985291e", - "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "source_ref": "course-of-action--b6e4e5f7-c8ba-4ee8-96d9-8da03cec0d6e", + "target_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3613,33 +3723,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--0260614b-819f-4d36-b407-e580354969ae", - "created": "2024-05-08T15:23:01.159464Z", - "modified": "2024-05-08T15:23:01.159464Z", - "name": "Use managed secret store", - "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster. This allows cloud-level management of the secret which includes permission management, expiration management, secret rotation, auditing, etc. The integration of cloud secret stores with Kubernetes is done by using Secrets Store CSI Driver, which is implemented by all major cloud providers.", + "id": "course-of-action--34edc12a-ddc3-429f-9ea4-4ad37044d8a1", + "created": "2024-05-15T03:39:58.616955Z", + "modified": "2024-05-15T03:39:58.616955Z", + "name": "Remove tools from container images", + "description": "Attackers often use built-in executables to run their malicious code. Removing unused executables from the image filesystem can prevent such activity. 
Examples of executables that are commonly used in malicious activity include: sh, bash, curl, wget, chmod and more.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9022%20Use%20managed%20secret%20store/", - "external_id": "MS-M9022" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9012%20Remove%20tools%20from%20container%20images/", + "external_id": "MS-M9012" } ], "x_mitre_ids": [ - "M1029" + "M1042" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c3ef337b-3a4a-4309-99f1-6ee18355d712", + "id": "relationship--08b303cc-0d92-495a-acbb-1adc186b05e5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.159564Z", - "modified": "2024-05-08T15:23:01.159564Z", - "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Attackers often use built-in executables to run their malicious code", "relationship_type": "mitigates", - "source_ref": "course-of-action--0260614b-819f-4d36-b407-e580354969ae", - "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "source_ref": "course-of-action--34edc12a-ddc3-429f-9ea4-4ad37044d8a1", + "target_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3650,14 +3760,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--a79d2424-894b-4835-b857-beef9ee7c3ca", + "id": "relationship--5d2dae31-6d25-4949-af0c-9ab2205b6d89", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.159642Z", - "modified": "2024-05-08T15:23:01.159642Z", - "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Attackers often use built-in executables to run their malicious code", "relationship_type": "mitigates", - "source_ref": "course-of-action--0260614b-819f-4d36-b407-e580354969ae", - "target_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "source_ref": "course-of-action--34edc12a-ddc3-429f-9ea4-4ad37044d8a1", + "target_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3668,30 +3778,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--0ec118e3-21ba-4958-9f5d-f1b6e1f01f45", - "created": "2024-05-08T15:23:01.161342Z", - "modified": "2024-05-08T15:23:01.161342Z", - "name": "Use cloud storage provider", - "description": "Use cloud storage services, such as Azure Files, for storing the application\u2019s data. Kubernetes integrates with all main cloud provider storage services as storage providers for pod volumes. This allows leveraging cloud storage capabilities such as backup and snapshots.", + "id": "course-of-action--2d6b7435-ac3a-4c34-8b6e-3cff28c46741", + "created": "2024-05-15T03:39:58.665283Z", + "modified": "2024-05-15T03:39:58.665283Z", + "name": "Network segmentation", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster. This includes inner-cluster communication as well as ingress\\egress traffic to\\from the cluster. Network Policies are a native K8s solution for networking restrictions in the cluster.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9030%20Use%20cloud%20storage%20provider/", - "external_id": "MS-M9030" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9014%20Network%20segmentation/", + "external_id": "MS-M9014" } + ], + "x_mitre_ids": [ + "M1030" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--522c6538-e8a2-4aa7-922c-56c17e658b03", + "id": "relationship--125dc6ef-4d0c-40ba-85a0-c12181500b21", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.161439Z", - "modified": "2024-05-08T15:23:01.161439Z", - "description": "Use cloud storage services, such as Azure Files, for storing the application\u2019s data", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and 
outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--0ec118e3-21ba-4958-9f5d-f1b6e1f01f45", - "target_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "source_ref": "course-of-action--2d6b7435-ac3a-4c34-8b6e-3cff28c46741", + "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3699,36 +3812,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--b4cebd89-9ab3-4646-92da-956b57101e44", - "created": "2024-05-08T15:23:01.163165Z", - "modified": "2024-05-08T15:23:01.163165Z", - "name": "Implement data backup strategy", - "description": "Take and store data backups from pod mounted volumes for critical workloads. Ensure backup and storage systems are hardened and kept separate from the Kubernetes environment to prevent compromise.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9031%20Implement%20data%20backup%20strategy/", - "external_id": "MS-M9031" - } - ], - "x_mitre_ids": [ - "M1053" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--adab1f1e-02de-4dc2-9739-fd7ec60bfa44", + "id": "relationship--825453da-b62f-4834-91b6-62a2b063ac32", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.163263Z", - "modified": "2024-05-08T15:23:01.163263Z", - "description": "Take and store data backups from pod mounted volumes for critical workloads", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--b4cebd89-9ab3-4646-92da-956b57101e44", - "target_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "source_ref": "course-of-action--2d6b7435-ac3a-4c34-8b6e-3cff28c46741", + "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3736,36 +3830,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--15d09dcd-c393-4457-b1ca-2bc8d553b6f5", - "created": "2024-05-08T15:23:01.165148Z", - "modified": "2024-05-08T15:23:01.165148Z", - "name": "Multi-factor authentication", - "description": "Using multi-factor authentication for accounts can prevent unauthorized access in case an adversary achieves access to the account credentials. This can reduce the risk in case an adversary achieved valid credentials to an account that has permissions to the Kubernetes cluster.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9001%20Multi-factor%20authentication/", - "external_id": "MS-M9001" - } - ], - "x_mitre_ids": [ - "M1032" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--6d794426-0ee7-4338-acca-247a712eff03", + "id": "relationship--be98309f-02c6-4dd9-be17-5461b670655a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.165242Z", - "modified": "2024-05-08T15:23:01.165242Z", - "description": "Using multi-factor authentication for accounts can prevent unauthorized access in case an adversary achieves access to the account credentials", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--15d09dcd-c393-4457-b1ca-2bc8d553b6f5", - "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "source_ref": "course-of-action--2d6b7435-ac3a-4c34-8b6e-3cff28c46741", + "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": 
[ "enterprise-attack" @@ -3773,32 +3848,16 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--94491ee8-7e32-48f1-85c5-4b87864541ab", - "created": "2024-05-08T15:23:01.166941Z", - "modified": "2024-05-08T15:23:01.166941Z", - "name": "Use NodeRestriction admission controller", - "description": "NodeRestriction admission controller limits the permissions of kubelet and allows it to modify only its own Node object and only the pods that are running on its own node. This may limit attackers who have access to the Kubelet API from gaining full control over the cluster.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9027%20Use%20NodeRestriction%20admission%20controller/", - "external_id": "MS-M9027" - } - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--36f88ce0-287b-4ce4-b13f-8fe666379a39", + "id": "relationship--828dc85a-5944-46c0-a41a-bcfcdd8c017d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.167037Z", - "modified": "2024-05-08T15:23:01.167037Z", - "description": "NodeRestriction admission controller limits the permissions of kubelet and allows it to modify only its own Node object and only the pods that are running on its own node", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--94491ee8-7e32-48f1-85c5-4b87864541ab", + "source_ref": "course-of-action--2d6b7435-ac3a-4c34-8b6e-3cff28c46741", "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -3808,32 +3867,34 @@ "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { - "type": "course-of-action", + "type": "relationship", "spec_version": "2.1", - "id": "course-of-action--cf428e21-ea85-4cdb-b4b5-b13f82a1b707", - "created": "2024-05-08T15:23:01.16916Z", - "modified": "2024-05-08T15:23:01.16916Z", - "name": "Restrict exec commands on pods", - "description": "", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9010%20Restrict%20exec%20commands%20on%20pods/", - "external_id": "MS-M9010" - } - ] + "id": "relationship--02d31c2e-4326-4068-a3ba-24d2b58cfacc", + "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "relationship_type": "mitigates", + "source_ref": "course-of-action--2d6b7435-ac3a-4c34-8b6e-3cff28c46741", + "target_ref": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "0.1", + "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c9bf917c-a264-44c7-ba43-8a1ee750d906", + "id": "relationship--00a0c780-7ef5-4525-9fe5-76adab49c046", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.169269Z", - "modified": "2024-05-08T15:23:01.169269Z", - "description": "", + "created": "2022-10-31T06:43:11.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--cf428e21-ea85-4cdb-b4b5-b13f82a1b707", - "target_ref": 
"attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "source_ref": "course-of-action--2d6b7435-ac3a-4c34-8b6e-3cff28c46741", + "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -3844,14 +3905,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--ae8e9fe9-5da8-4f57-89f1-40980305084b", + "id": "relationship--e49f5a7e-6a59-486c-8418-e9be6b4e4b50", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.169349Z", - "modified": "2024-05-08T15:23:01.169349Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--cf428e21-ea85-4cdb-b4b5-b13f82a1b707", - "target_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", + "source_ref": "course-of-action--2d6b7435-ac3a-4c34-8b6e-3cff28c46741", + "target_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3862,30 +3923,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--11aa8351-d3ce-4944-9be0-da15142d7160", - "created": "2024-05-08T15:23:01.171336Z", - "modified": "2024-05-08T15:23:01.171336Z", - "name": "Avoid using web-hosted manifest for Kubelet", - "description": "", + "id": "course-of-action--e2f1f3d4-c5cc-4358-bb8f-65c0973d9197", + "created": "2024-05-15T03:39:58.801554Z", + "modified": "2024-05-15T03:39:58.801554Z", + "name": "Multi-factor authentication", + "description": "Using multi-factor authentication for accounts can prevent unauthorized access in case an adversary achieves access to the account credentials. This can reduce the risk in case an adversary achieved valid credentials to an account that has permissions to the Kubernetes cluster.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9032%20Avoid%20using%20web-hosted%20manifest%20for%20Kubelet/", - "external_id": "MS-M9032" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9001%20Multi-factor%20authentication/", + "external_id": "MS-M9001" } + ], + "x_mitre_ids": [ + "M1032" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--5ee4a054-cb3c-4089-ac69-3a15443614a7", + "id": "relationship--327caaad-bf9c-40d1-8613-882e155ae89b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.171462Z", - "modified": "2024-05-08T15:23:01.171462Z", - "description": "", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Using multi-factor authentication for accounts can prevent unauthorized access in case an adversary achieves access to the account credentials", "relationship_type": "mitigates", - "source_ref": "course-of-action--11aa8351-d3ce-4944-9be0-da15142d7160", - "target_ref": 
"attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", + "source_ref": "course-of-action--e2f1f3d4-c5cc-4358-bb8f-65c0973d9197", + "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3896,33 +3960,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", - "created": "2024-05-08T15:23:01.174809Z", - "modified": "2024-05-08T15:23:01.174809Z", - "name": "Restrict access to the API server using IP firewall", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster.\nIn managed clusters, cloud providers often support native built-in firewall which can restrict the IP addresses that are allowed to access the API server.", + "id": "course-of-action--2190c012-fadb-4384-a8ea-9b716f16c130", + "created": "2024-05-15T03:39:58.824902Z", + "modified": "2024-05-15T03:39:58.824902Z", + "name": "Set requests and limits for containers", + "description": "Set requests and limits for each container to avoid resource contention and DoS attacks.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9002%20Restrict%20access%20to%20the%20API%20server%20using%20IP%20firewall/", - "external_id": "MS-M9002" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9029%20Set%20requests%20and%20limits%20for%20containers/", + "external_id": "MS-M9029" } - ], - "x_mitre_ids": [ - "M1035" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--fded3496-f58e-4fa8-976d-23792a584ef7", + "id": "relationship--53660289-54b2-48a3-a211-8712940f8a4d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.174977Z", - "modified": "2024-05-08T15:23:01.174977Z", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + 
"description": "Set requests and limits for each container to avoid resource contention and DoS attacks", "relationship_type": "mitigates", - "source_ref": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", - "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "source_ref": "course-of-action--2190c012-fadb-4384-a8ea-9b716f16c130", + "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3930,17 +3991,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "created": "2024-05-15T03:39:58.873258Z", + "modified": "2024-05-15T03:39:58.873258Z", + "name": "Adhere to least-privilege principle", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions. This applies also to other, external, authorization providers such as Azure RBAC in AKS.\n\nIn managed cluster, Kubernetes credentials are often retrieved or generated by the cloud provider via API call. To reduce the attack surface, grant permissions to the cloud provider API only to necessary accounts. In the case of Azure, make sure that only required identities have permissions to call:/subscriptions/resourceGroups/providers/Microsoft.ContainerService/managedClusters/listClusterUserCredential\n\nKubeconfig file can contain credentials of accounts that allow interaction with a cluster. 
By applying least privileges principle to all accounts, can limit the impact of an account compromised through Kubeconfig file.\n\nKubernetes project also lists the following recommendations for permissions and role assignment best practices:", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9003%20Adhere%20to%20least-privilege%20principle/", + "external_id": "MS-M9003" + } + ], + "x_mitre_ids": [ + "M1018" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--812e7837-20b0-44ae-a0d1-99d2278c5ea3", + "id": "relationship--75404984-d19a-485b-8d2a-dadd3a68da94", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.175071Z", - "modified": "2024-05-08T15:23:01.175071Z", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", - "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3951,14 +4031,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--67588996-c1c1-4ca6-b8e6-bf148a7ab816", + "id": "relationship--5baeb2ee-2860-49b6-b17a-0ff4d816da9c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.175145Z", - "modified": "2024-05-08T15:23:01.175145Z", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", - "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3969,14 +4049,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--21f02379-2691-4f7b-b04c-3c5b717a47de", + "id": "relationship--c2889066-6374-4319-a253-ac2c3cffaf0a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.175219Z", - "modified": "2024-05-08T15:23:01.175219Z", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", - "target_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -3987,14 +4067,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c0a1afd7-450a-49aa-9535-fad35b0b8ca5", + "id": "relationship--a9073c2e-b070-45d8-808a-826397daf4d1", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.175281Z", - "modified": "2024-05-08T15:23:01.175281Z", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--dcedf795-92cc-49b0-ac42-4ca1d8ab2eca", - "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4002,36 +4082,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--03870e17-f26d-470e-9f22-65a7af305686", - "created": "2024-05-08T15:23:01.177457Z", - "modified": "2024-05-08T15:23:01.177457Z", - "name": "Limit access to services over network", - "description": "Avoid exposing sensitive interfaces insecurely to the Internet or limit access to it. Sensitive interfaces includes management tools and applications that allow creation of new containers in the cluster. Some of those services does not use authentication by default and are not intended to be exposed. Examples of services that were exploited: Weave Scope, Apache NiFi and more.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9008%20Limit%20access%20to%20services%20over%20network/", - "external_id": "MS-M9008" - } - ], - "x_mitre_ids": [ - "M1035" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--436ba6cd-33fb-4799-bcfd-ec9febd3060b", + "id": "relationship--4363a839-d70d-44ca-a38b-4c2be75ce31a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.17757Z", - "modified": "2024-05-08T15:23:01.17757Z", - "description": "Avoid exposing sensitive interfaces insecurely to the Internet or limit access to it", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--03870e17-f26d-470e-9f22-65a7af305686", - "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + 
"target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4039,36 +4100,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "created": "2024-05-08T15:23:01.182138Z", - "modified": "2024-05-08T15:23:01.182138Z", - "name": "Restrict over permissive containers", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster. This can include restricting privileged containers, containers with sensitive volumes, containers with excessive capabilities, and other signs of over permissive containers.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9013%20Restrict%20over%20permissive%20containers/", - "external_id": "MS-M9013" - } - ], - "x_mitre_ids": [ - "M1038" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--0ccc5fc7-02fb-4ae4-abdb-1d49359bc079", + "id": "relationship--3dd59f3a-1a7a-4a24-8bce-ca0783fe8c21", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.182252Z", - "modified": "2024-05-08T15:23:01.182252Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": 
"attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -4079,14 +4121,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--02bed0a4-ddf4-456e-afeb-6173869b8843", + "id": "relationship--0952d0d8-68cb-4da5-a9fc-b27d7401b413", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.182335Z", - "modified": "2024-05-08T15:23:01.182335Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4097,14 +4139,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--fe7996f1-78aa-4db5-a91f-0431ed0980c1", + "id": "relationship--05761725-e2a0-45e8-9e75-98bb1afd3c7e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.182408Z", - "modified": "2024-05-08T15:23:01.182408Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4115,14 +4157,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9bbc5221-f86e-4a12-b517-4ee49a8ee18a", + "id": "relationship--aae2d0cf-2913-4d91-8bde-42c1013c5481", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.182481Z", - "modified": "2024-05-08T15:23:01.182481Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4133,14 +4175,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--4c290472-432f-4a14-a274-df64e034e145", + "id": "relationship--b084805c-8c2a-4eea-acd0-7bd270534836", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.182548Z", - "modified": "2024-05-08T15:23:01.182548Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4151,14 +4193,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--bc3c5c8b-d241-4510-9784-f8dfb5834759", + "id": "relationship--3d16ea91-7f1e-4a1f-8891-51d9b2060596", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.182615Z", - "modified": "2024-05-08T15:23:01.182615Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4169,14 +4211,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--16ad6a7b-4c9c-4c2d-970f-141c688c62c9", + "id": "relationship--fe1f3e78-4984-40c4-8f61-c7ed410e682b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.182685Z", - "modified": "2024-05-08T15:23:01.182685Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4187,14 +4229,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--70d230fd-d5a4-467b-879c-ba44e8d3ef7f", + "id": "relationship--efebe6bb-016d-4b38-b013-2738511aceff", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.182751Z", - "modified": "2024-05-08T15:23:01.182751Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "target_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4205,14 +4247,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--e44ea84b-4bd2-48ed-ad5d-01727741d276", + "id": "relationship--2adabce8-4f25-483a-b29d-a2cd448c774e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.182821Z", - "modified": "2024-05-08T15:23:01.182821Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--de10517e-3376-4cf6-b911-b1c7f9497be0", - "target_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4220,33 +4262,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--935920ed-3bfc-4515-8f1a-c9cf6257c137", - "created": "2024-05-08T15:23:01.184679Z", - "modified": "2024-05-08T15:23:01.184679Z", - "name": "Remove unused secrets from the cluster", - "description": "Remove unused secrets objects from the cluster.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9023%20Remove%20unused%20secrets%20from%20the%20cluster/", - "external_id": "MS-M9023" - } - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1b81fd94-ed3d-46cd-8796-67dba801d30b", + "id": "relationship--a1d2b26e-8226-4c29-90ee-39e46e43510e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.184807Z", - "modified": "2024-05-08T15:23:01.184807Z", - "description": "Remove unused secrets objects from the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--935920ed-3bfc-4515-8f1a-c9cf6257c137", - "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4254,36 +4280,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--86979444-deb0-48bc-bbcd-112f66c6bf91", - "created": "2024-05-08T15:23:01.186864Z", - "modified": "2024-05-08T15:23:01.186864Z", - "name": "Collect logs to remote data storage", - "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion. This can be achieved by various open-source tools such as Fluentd. Also, built-in cloud solutions are available for managed clusters, such as Container Insights and Log Analytics in AKS and Cloud Logging in GKE.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9020%20Collect%20logs%20to%20remote%20data%20storage/", - "external_id": "MS-M9020" - } - ], - "x_mitre_ids": [ - "M1029" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1a939bbf-5c4e-413d-afa3-6921cf11638c", + "id": "relationship--b296d1ec-ac73-40c0-acc6-3a7fb72a75ea", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.186967Z", - "modified": "2024-05-08T15:23:01.186967Z", - "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--86979444-deb0-48bc-bbcd-112f66c6bf91", - "target_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": 
"attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -4294,14 +4301,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--fb6883aa-42e3-4061-8c79-3a14b024013e", + "id": "relationship--e75ae9c8-15fe-4013-9fb7-da717aa8c4f7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.187039Z", - "modified": "2024-05-08T15:23:01.187039Z", - "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--86979444-deb0-48bc-bbcd-112f66c6bf91", - "target_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4309,36 +4316,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--78d2910d-3e63-4580-af21-b83b21a5ecd1", - "created": "2024-05-08T15:23:01.189459Z", - "modified": "2024-05-08T15:23:01.189459Z", - "name": "Network intrusion prevention", - "description": "Use intrusion detection signatures and web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster.\n\nAdapting the network intrusion prevention solution to Kubernetes environment might be needed to route network traffic destined to services through it.\nIn some cases, this will be done by deploying a containerized version of a network intrusion prevention solution to the Kubernetes cluster and be part of the cluster network, and in some cases, routing ingress traffic to Kubernetes services through an external appliance, requiring that all ingress traffic will only come from such an appliance.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9007%20Network%20intrusion%20prevention/", - "external_id": "MS-M9007" - } - ], - "x_mitre_ids": [ - "M1031" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--d4e8607e-95e0-4e42-9afb-4542e4699a88", + "id": "relationship--a7219acc-d428-4110-a9dc-53f801b8b9ca", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.189559Z", - "modified": "2024-05-08T15:23:01.189559Z", - "description": "Use intrusion detection signatures and web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and 
service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--78d2910d-3e63-4580-af21-b83b21a5ecd1", - "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4346,33 +4334,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--11ec9a05-7505-45d0-a138-f6144247a52e", - "created": "2024-05-08T15:23:01.191318Z", - "modified": "2024-05-08T15:23:01.191318Z", - "name": "Disable service account auto mount", - "description": "", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9025%20Disable%20service%20account%20auto%20mount/", - "external_id": "MS-M9025" - } - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--90cda620-d637-4dcd-b94a-59a88e04176c", + "id": "relationship--016a3b3c-9749-44e1-af9a-01a084821de7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.191413Z", - "modified": "2024-05-08T15:23:01.191413Z", - "description": "", + "created": "2022-10-26T13:06:11.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--11ec9a05-7505-45d0-a138-f6144247a52e", - "target_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", + "source_ref": "course-of-action--f84c5c66-f106-40d1-a0d7-a8630e2dd26d", + "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4383,9 +4355,9 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--cc1b481b-66be-42cb-a987-e8c6889b6160", - "created": "2024-05-08T15:23:01.193294Z", - "modified": "2024-05-08T15:23:01.193294Z", + "id": "course-of-action--62db2068-1210-4cd1-bc42-e28b7cdbda37", + "created": "2024-05-15T03:39:59.247322Z", + "modified": "2024-05-15T03:39:59.247322Z", "name": "Secure CI/CD environment", "description": "Security code repositories and CI/CD environment by placing gates to restrict unauthorized access and modification of content. This can include enforcing RBAC permissions to access and make changes to code, artifacts and build pipelines, ensure governed process for pull-request approval, apply branch policies and others.", "external_references": [ @@ -4399,13 +4371,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--e2fdd0ef-6d58-4750-bee9-80f39d8694e1", + "id": "relationship--d659f796-5c05-4a27-bcc2-5c6d50432426", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.193396Z", - "modified": "2024-05-08T15:23:01.193396Z", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", "description": "Security code repositories and CI/CD environment by placing gates to restrict unauthorized access and modification of content", "relationship_type": "mitigates", - "source_ref": "course-of-action--cc1b481b-66be-42cb-a987-e8c6889b6160", + "source_ref": "course-of-action--62db2068-1210-4cd1-bc42-e28b7cdbda37", "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4417,33 +4389,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--6196e3ad-1d3a-4990-b578-801c2d5026a6", - "created": "2024-05-08T15:23:01.195159Z", - "modified": "2024-05-08T15:23:01.195159Z", - "name": "Avoid running management interface on containers", - "description": "Avoid running SSH daemon, as well as other management interfaces, if they aren\u2019t necessary for the application\u2019s functionality.", + "id": "course-of-action--6b136b68-ed6a-4bdf-8ffa-41250217a51e", + "created": "2024-05-15T03:39:59.282192Z", + "modified": "2024-05-15T03:39:59.282192Z", + "name": "Avoid using web-hosted manifest for Kubelet", + "description": "", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9015%20Avoid%20running%20management%20interface%20on%20containers/", - "external_id": "MS-M9015" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9032%20Avoid%20using%20web-hosted%20manifest%20for%20Kubelet/", + "external_id": "MS-M9032" } - ], - "x_mitre_ids": [ - "M1042" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1750efbb-f8a6-4f36-8a46-5bec00eaed67", + "id": "relationship--6af7db4e-8947-4b07-ae06-103fa2ac6d13", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.195258Z", - "modified": "2024-05-08T15:23:01.195258Z", - "description": "Avoid running SSH daemon, as well as other management interfaces, if they aren\u2019t necessary for the application\u2019s functionality", + "created": "2022-10-25T14:08:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--6196e3ad-1d3a-4990-b578-801c2d5026a6", - "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "source_ref": "course-of-action--6b136b68-ed6a-4bdf-8ffa-41250217a51e", + "target_ref": 
"attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4454,33 +4423,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--6f45e84f-d55f-4b3a-86dd-8ba036c72492", - "created": "2024-05-08T15:23:01.19739Z", - "modified": "2024-05-08T15:23:01.19739Z", - "name": "Remove tools from container images", - "description": "Attackers often use built-in executables to run their malicious code. Removing unused executables from the image filesystem can prevent such activity. Examples of executables that are commonly used in malicious activity include: sh, bash, curl, wget, chmod and more.", + "id": "course-of-action--359c06eb-717a-4d23-b605-1d87b78ad830", + "created": "2024-05-15T03:39:59.304208Z", + "modified": "2024-05-15T03:39:59.304208Z", + "name": "Require strong authentication to services", + "description": "Use strong authentication when exposing sensitive interfaces to the Internet. For example, attacks were observed against exposed Kubeflow and Argo workloads that were not configured to use OpenID Connect or other authentication methods.\n\nUse strong authentication methods to the Kubernetes API that will prevent attackers from gaining access to the cluster even if valid credentials such as kubeconfig were achieved. For example, in AKS use AAD authentication instead of basic authentication. 
By using AAD authentication, a short-lived credential of the cluster is retrieved after authenticating to AAD.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9012%20Remove%20tools%20from%20container%20images/", - "external_id": "MS-M9012" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9009%20Require%20strong%20authentication%20to%20services/", + "external_id": "MS-M9009" } - ], - "x_mitre_ids": [ - "M1042" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--306fd68f-9390-428f-a706-b94fec13a935", + "id": "relationship--896b6a49-29b4-4739-ad32-42e4bb6ebd77", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.197569Z", - "modified": "2024-05-08T15:23:01.197569Z", - "description": "Attackers often use built-in executables to run their malicious code", + "created": "2022-10-20T10:28:30.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use strong authentication when exposing sensitive interfaces to the Internet", "relationship_type": "mitigates", - "source_ref": "course-of-action--6f45e84f-d55f-4b3a-86dd-8ba036c72492", - "target_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", + "source_ref": "course-of-action--359c06eb-717a-4d23-b605-1d87b78ad830", + "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4491,14 +4457,32 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--b5bab9ed-13d4-4f25-947d-3b5055fef187", + "id": "relationship--e79f61d1-33db-4367-920f-64ce52f833bd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.197647Z", - "modified": "2024-05-08T15:23:01.197647Z", - "description": "Attackers often use built-in executables to run their malicious code", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use strong authentication when exposing sensitive interfaces to the Internet", "relationship_type": "mitigates", - "source_ref": "course-of-action--6f45e84f-d55f-4b3a-86dd-8ba036c72492", - "target_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", + "source_ref": "course-of-action--359c06eb-717a-4d23-b605-1d87b78ad830", + "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "0.1", + "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--914fa74c-4dc2-464c-8f4b-279df31b7561", + "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use strong authentication when exposing sensitive interfaces to the Internet", + "relationship_type": "mitigates", + "source_ref": "course-of-action--359c06eb-717a-4d23-b605-1d87b78ad830", + "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4509,33 +4493,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--44d2fefa-6a6f-4771-acd7-b81ebe8646e8", - "created": "2024-05-08T15:23:01.2003Z", - "modified": "2024-05-08T15:23:01.2003Z", - "name": "Restrict file and directory permissions", - "description": "", + "id": "course-of-action--e1cf56ed-8efd-4215-b712-175bb68464a5", + "created": "2024-05-15T03:39:59.353263Z", + "modified": "2024-05-15T03:39:59.353263Z", + "name": "Remove unused secrets from the cluster", + "description": "Remove unused secrets objects from the cluster.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9016%20Restrict%20file%20and%20directory%20permissions/", - "external_id": "MS-M9016" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9023%20Remove%20unused%20secrets%20from%20the%20cluster/", + "external_id": "MS-M9023" } - ], - "x_mitre_ids": [ - "M1022" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--12817f60-cc8e-4dc0-978f-982a926c7884", + "id": "relationship--fa1575b5-dbe2-492d-ae88-635e4372ee0b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.200411Z", - "modified": "2024-05-08T15:23:01.200411Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Remove unused secrets objects from the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--44d2fefa-6a6f-4771-acd7-b81ebe8646e8", - "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", + "source_ref": "course-of-action--e1cf56ed-8efd-4215-b712-175bb68464a5", + "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4543,17 +4524,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--3a8183ce-a6c7-4f8e-b85e-d242bbf4c6bc", + "created": "2024-05-15T03:39:59.38109Z", + "modified": "2024-05-15T03:39:59.38109Z", + "name": "Use managed secret store", + "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster. This allows cloud-level management of the secret which includes permission management, expiration management, secret rotation, auditing, etc. The integration of cloud secret stores with Kubernetes is done by using Secrets Store CSI Driver, which is implemented by all major cloud providers.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9022%20Use%20managed%20secret%20store/", + "external_id": "MS-M9022" + } + ], + "x_mitre_ids": [ + "M1029" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--3a5fbb4b-37c9-4241-95e6-e5bfcbd1d237", + "id": "relationship--b26b02dc-4166-400c-acb4-cd097a5daf22", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.200497Z", - "modified": "2024-05-08T15:23:01.200497Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--44d2fefa-6a6f-4771-acd7-b81ebe8646e8", - "target_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", + "source_ref": "course-of-action--3a8183ce-a6c7-4f8e-b85e-d242bbf4c6bc", + "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" @@ -4564,14 +4564,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c8de37c6-deea-416e-a650-3109ca91b365", + "id": "relationship--cee479ef-ee2a-418b-91f3-6c3919c42442", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.200566Z", - "modified": "2024-05-08T15:23:01.200566Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--44d2fefa-6a6f-4771-acd7-b81ebe8646e8", - "target_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", + "source_ref": "course-of-action--3a8183ce-a6c7-4f8e-b85e-d242bbf4c6bc", + "target_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4582,30 +4582,29 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--4d1961ab-4a76-4c14-8580-62452288725e", - "created": "2024-05-08T15:23:01.203334Z", - "modified": "2024-05-08T15:23:01.203334Z", - "name": "Gate images pushed to registries", - "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement. Some container registries can support gates that will prevent pushing images, while others might quarantine images after they were already push to the registry. Ensuring that gates exists at the registry level can help preventing bypass of gates at the CI/CD pipelines level.", + "id": "course-of-action--3afbc5db-2e09-4430-ae8a-9d382d456745", + "created": "2024-05-15T03:39:59.428902Z", + "modified": "2024-05-15T03:39:59.428902Z", + "name": "Image assurance policy", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies. 
By ensuring consistent and comprehensive image assurance policy across the build, ship and run development stages.\n\nOne approach of ensuring images passes assurance or compliance checks it to sign the container images, so the image signature can be checks downstream when deploying to Kubernetes clusters at runtime.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005/MS-M9005.002%20Gate%20images%20pushed%20to%20registries/", - "external_id": "MS-M9005.002" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005%20Image%20assurance%20policy/", + "external_id": "MS-M9005" } ], "x_mitre_ids": [ "M1016", "M1045" - ], - "x_mitre_parent_mitigation": "MS-M9005" + ] }, { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--e89ff43f-d691-492c-a3db-8f001ae6287e", - "created": "2024-05-08T15:23:01.205914Z", - "modified": "2024-05-08T15:23:01.205914Z", + "id": "course-of-action--fbf0136d-f1f1-42ff-9aaa-f86e0cf51f44", + "created": "2024-05-15T03:39:59.440682Z", + "modified": "2024-05-15T03:39:59.440682Z", "name": "Gate generated images in CI/CD pipeline", "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements.", "external_references": [ 
@@ -4624,29 +4623,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--ebddc6a6-263d-457d-aef4-9255c5e153fc", - "created": "2024-05-08T15:23:01.209235Z", - "modified": "2024-05-08T15:23:01.209235Z", - "name": "Image assurance policy", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies. By ensuring consistent and comprehensive image assurance policy across the build, ship and run development stages.\n\nOne approach of ensuring images passes assurance or compliance checks it to sign the container images, so the image signature can be checks downstream when deploying to Kubernetes clusters at runtime.", + "id": "course-of-action--f80bba5c-4cc5-40db-b857-9dc3690293f0", + "created": "2024-05-15T03:39:59.446895Z", + "modified": "2024-05-15T03:39:59.446895Z", + "name": "Gate images pushed to registries", + "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement. Some container registries can support gates that will prevent pushing images, while others might quarantine images after they were already push to the registry. 
Ensuring that gates exists at the registry level can help preventing bypass of gates at the CI/CD pipelines level.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005%20Image%20assurance%20policy/", - "external_id": "MS-M9005" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005/MS-M9005.002%20Gate%20images%20pushed%20to%20registries/", + "external_id": "MS-M9005.002" } ], "x_mitre_ids": [ "M1016", "M1045" - ] + ], + "x_mitre_parent_mitigation": "MS-M9005" }, { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", - "created": "2024-05-08T15:23:01.213865Z", - "modified": "2024-05-08T15:23:01.213865Z", + "id": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", + "created": "2024-05-15T03:39:59.454552Z", + "modified": "2024-05-15T03:39:59.454552Z", "name": "Gate images deployed to Kubernetes cluster", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements. This can include limiting images to be deployed only from trusted registries, to have digital signature or pass vulnerability scanning and other checks. This can prevent potential adversaries from using their own malicious images in the cluster. Also, this ensures that only images that passed the security compliance policies of the organization are deployed in the cluster. Kubernetes admission controller mechanism is one of the commonly used tools for implementing such policy.", "external_references": [ 
@@ -4665,13 +4665,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--7de0fd47-0ec4-4a60-b21c-2b045b090aae", + "id": "relationship--b3252ecd-ebb5-497f-a226-1670c2aa4ecd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.213976Z", - "modified": "2024-05-08T15:23:01.213976Z", - "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", + "created": "2024-05-15T06:39:59.461881Z", + "modified": "2024-05-15T06:39:59.461896Z", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", - "source_ref": "course-of-action--4d1961ab-4a76-4c14-8580-62452288725e", + "source_ref": "course-of-action--3afbc5db-2e09-4430-ae8a-9d382d456745", "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
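Review bot: The new relationship timestamps in this hunk are local time serialized with a `Z` suffix — `created` is `2024-05-15T06:39:59.461881Z`, while the course-of-action objects written by the same build in the earlier hunks carry `2024-05-15T03:39:59…Z`, a 3-hour gap that matches the +0300 offset in the commit header; this points at the naive `datetime.now` default on the new `created`/`modified` properties rather than at this generated file. `created` and `modified` also differ by a few microseconds (`.461881Z` vs `.461896Z`) because the default is evaluated separately per property, so every fresh relationship looks as if it had been edited after creation. STIX consumers that merge bundles resolve conflicts by `modified`, so a timestamp that is hours off can let a stale copy win over a newer one. In the generator the fix is one aware timestamp per object, e.g. `now = datetime.now(timezone.utc)` passed as `created=now, modified=now` (or a default of `lambda: datetime.now(timezone.utc)`), after which this artifact should simply be regenerated.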
@@ -4683,13 +4683,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--ac2fd283-0d84-47e7-aaad-c507a043680f", + "id": "relationship--c791a374-fcd5-445c-8a4d-5fefebfda731", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214056Z", - "modified": "2024-05-08T15:23:01.214056Z", - "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", + "created": "2024-05-15T06:39:59.468661Z", + "modified": "2024-05-15T06:39:59.46868Z", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", - "source_ref": "course-of-action--4d1961ab-4a76-4c14-8580-62452288725e", + "source_ref": "course-of-action--3afbc5db-2e09-4430-ae8a-9d382d456745", "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4701,13 +4701,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--55dda607-c695-48bd-85db-ea51a8c375fc", + "id": "relationship--06a78821-4833-4c71-a514-2adf1489ab28", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214133Z", - "modified": "2024-05-08T15:23:01.214133Z", - "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", + "created": "2024-05-15T06:39:59.476015Z", + "modified": "2024-05-15T06:39:59.476039Z", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", - "source_ref": "course-of-action--4d1961ab-4a76-4c14-8580-62452288725e", + "source_ref": "course-of-action--3afbc5db-2e09-4430-ae8a-9d382d456745", "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4719,14 +4719,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9b510739-699f-483e-8e27-bad3a4cc8bd4", + "id": "relationship--6048772c-aa83-4a31-8542-ee56de8e75f5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214208Z", - "modified": "2024-05-08T15:23:01.214208Z", - "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", + "created": "2024-05-15T06:39:59.484265Z", + "modified": "2024-05-15T06:39:59.48429Z", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", - "source_ref": "course-of-action--e89ff43f-d691-492c-a3db-8f001ae6287e", - "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", + "source_ref": "course-of-action--3afbc5db-2e09-4430-ae8a-9d382d456745", + "target_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4737,14 +4737,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--a908c426-cab6-4007-8f8b-2ae3b3dbe354", + "id": "relationship--030c2e1b-fded-490b-9840-70eb558223d8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214286Z", - "modified": "2024-05-08T15:23:01.214286Z", + "created": "2024-05-15T06:39:59.494915Z", + "modified": "2024-05-15T06:39:59.494961Z", "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--e89ff43f-d691-492c-a3db-8f001ae6287e", - "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "source_ref": "course-of-action--fbf0136d-f1f1-42ff-9aaa-f86e0cf51f44", + "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4755,14 +4755,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9b0ae1d0-00ca-49a6-b481-476afd6db243", + "id": "relationship--f0817eb5-ce3c-473b-ac87-594a5fbfcb1d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214357Z", - "modified": "2024-05-08T15:23:01.214357Z", + "created": "2024-05-15T06:39:59.515232Z", + "modified": "2024-05-15T06:39:59.515286Z", "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--e89ff43f-d691-492c-a3db-8f001ae6287e", - "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "source_ref": "course-of-action--fbf0136d-f1f1-42ff-9aaa-f86e0cf51f44", + "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4773,14 +4773,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--42002b19-6fc5-4840-938a-b41d353a58f1", + "id": "relationship--cbfcf7ba-157c-46ad-ab5e-9995a1d17b14", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214427Z", - "modified": "2024-05-08T15:23:01.214427Z", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", + "created": "2024-05-15T06:39:59.530478Z", + "modified": "2024-05-15T06:39:59.530528Z", + "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--ebddc6a6-263d-457d-aef4-9255c5e153fc", - "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", + "source_ref": "course-of-action--fbf0136d-f1f1-42ff-9aaa-f86e0cf51f44", + "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4791,14 +4791,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--160b7870-ff6f-447e-aae6-ad7257da8dad", + "id": "relationship--3c94248c-554b-4f5e-93f3-be239aa80704", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214493Z", - "modified": "2024-05-08T15:23:01.214493Z", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", + "created": "2024-05-15T06:39:59.545464Z", + "modified": "2024-05-15T06:39:59.545531Z", + "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", "relationship_type": "mitigates", - "source_ref": "course-of-action--ebddc6a6-263d-457d-aef4-9255c5e153fc", - "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "source_ref": "course-of-action--f80bba5c-4cc5-40db-b857-9dc3690293f0", + "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4809,14 +4809,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c31e800b-e36d-4af6-9eba-6774f2897d89", + "id": "relationship--ba036427-b112-443e-922a-6effa4289fe2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214558Z", - "modified": "2024-05-08T15:23:01.214558Z", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", + "created": "2024-05-15T06:39:59.563827Z", + "modified": "2024-05-15T06:39:59.563876Z", + "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", "relationship_type": "mitigates", - "source_ref": "course-of-action--ebddc6a6-263d-457d-aef4-9255c5e153fc", - "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "source_ref": "course-of-action--f80bba5c-4cc5-40db-b857-9dc3690293f0", + "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4827,14 +4827,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--6a42219b-bcad-4d32-b411-86048a089879", + "id": "relationship--a2938105-842b-4b9a-9bf3-0c0f9be5dc87", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214624Z", - "modified": "2024-05-08T15:23:01.214624Z", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", + "created": "2024-05-15T06:39:59.580333Z", + "modified": "2024-05-15T06:39:59.580383Z", + "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", "relationship_type": "mitigates", - "source_ref": "course-of-action--ebddc6a6-263d-457d-aef4-9255c5e153fc", - "target_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", + "source_ref": "course-of-action--f80bba5c-4cc5-40db-b857-9dc3690293f0", + "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" 
@@ -4845,13 +4845,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--76b13565-9280-4a9b-8b56-a00418f65956", + "id": "relationship--c8b8a32d-261e-4cf8-89dd-c0f6e014ad7b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214694Z", - "modified": "2024-05-08T15:23:01.214694Z", + "created": "2024-05-15T06:39:59.595737Z", + "modified": "2024-05-15T06:39:59.595791Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", + "source_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -4863,13 +4863,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--3d8ed52f-5a1b-4bdb-8bae-7c7b5929053a", + "id": "relationship--bd2b09b1-64d3-4e6f-a770-2c1c3e095d96", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.21476Z", - "modified": "2024-05-08T15:23:01.21476Z", + "created": "2024-05-15T06:39:59.61022Z", + "modified": "2024-05-15T06:39:59.610252Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", + "source_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4881,13 +4881,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--0470cfde-1acd-4e6d-965b-c2ffe549a10a", + "id": "relationship--23af8533-2bc7-4aae-9467-c849f78471af", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.214825Z", - "modified": "2024-05-08T15:23:01.214825Z", + "created": "2024-05-15T06:39:59.62498Z", + "modified": "2024-05-15T06:39:59.625021Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", + "source_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -4899,13 +4899,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--eae9cf0e-57b7-421c-86e7-d65c10164263", + "id": "relationship--f05d85e0-511e-4d7a-871d-a2273387d507", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.21489Z", - "modified": "2024-05-08T15:23:01.21489Z", + "created": "2024-05-15T06:39:59.640478Z", + "modified": "2024-05-15T06:39:59.640515Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", + "source_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4917,13 +4917,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1bdee8d7-0eaf-40d6-947e-5919479b6c7c", + "id": "relationship--4489deb5-c276-47fe-93da-d8c7c8721356", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.21497Z", - "modified": "2024-05-08T15:23:01.21497Z", + "created": "2024-05-15T06:39:59.664746Z", + "modified": "2024-05-15T06:39:59.664789Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", + "source_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -4935,13 +4935,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--b831d0d0-4da9-4b3e-98c7-702ef5c75a1b", + "id": "relationship--00b767d4-2c9d-44c0-952c-681b46ac85e8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.215036Z", - "modified": "2024-05-08T15:23:01.215036Z", + "created": "2024-05-15T06:39:59.679191Z", + "modified": "2024-05-15T06:39:59.679244Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", + "source_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", "target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4953,13 +4953,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--412ded4c-b83f-49ee-b96c-f69ec33e4ee7", + "id": "relationship--a4e8ee97-41c6-49e0-a618-7df4952ff2ad", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.2151Z", - "modified": "2024-05-08T15:23:01.2151Z", + "created": "2024-05-15T06:39:59.694044Z", + "modified": "2024-05-15T06:39:59.694091Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", + "source_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -4971,13 +4971,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9b0921fc-31ec-4d29-aa8c-ba904c354e31", + "id": "relationship--c85ccad8-6ab3-4025-ac93-c3f5139205cc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.215168Z", - "modified": "2024-05-08T15:23:01.215168Z", + "created": "2024-05-15T06:39:59.708276Z", + "modified": "2024-05-15T06:39:59.708321Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", + "source_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4989,13 +4989,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--8f545287-e6e8-4020-ba06-ef2a8fe49adf", + "id": "relationship--cfd232d4-5096-4e74-8013-18bf73d99ed7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:23:01.215232Z", - "modified": "2024-05-08T15:23:01.215232Z", + "created": "2024-05-15T06:39:59.722497Z", + "modified": "2024-05-15T06:39:59.722539Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--19294424-eb08-4de3-b77b-d452f24ddc18", + "source_ref": "course-of-action--a195e772-7f21-45eb-9759-ba029f13a01e", "target_ref": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -5007,10 +5007,10 @@ { "type": "x-mitre-matrix", "spec_version": "2.1", - "id": "x-mitre-matrix--11ac2cbb-ba21-4607-a2e4-16c89a0b09a5", + "id": "x-mitre-matrix--18d00d07-3f91-46dd-a2f3-f0f1cb83b13c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T08:52:58.000Z", - "modified": "2024-05-08T18:23:01.229Z", + "modified": "2024-05-15T06:39:59.735Z", "name": "Threat Matrix for Kubernetes", "external_references": [ { @@ -5054,4 +5054,4 @@ "x_mitre_version": "0.1" } ] -} \ No newline at end of file +} diff --git a/build/tmfk_strict.json b/build/tmfk_strict.json index aa49e2c..f06ae28 100644 --- a/build/tmfk_strict.json +++ b/build/tmfk_strict.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--91b3d24b-b7e0-4c76-ae8d-e0621bb11301", + "id": "bundle--11127c22-81ff-41b9-8bf9-94e242fc6b60", "objects": [ { "type": "x-mitre-collection", 
@@ -8,7 +8,7 @@ "id": "x-mitre-collection--8702c9a3-cf7b-4e79-99e2-191d79c6042b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T08:52:58.000Z", - "modified": "2024-05-08T18:22:56.255285Z", + "modified": "2024-05-15T06:39:51.668037Z", "name": "Threat Matrix for Kubernetes", "description": "The purpose of the threat matrix for Kubernetes is to conceptualize the known tactics, techniques, and procedures (TTP) that adversaries may use against Kubernetes environments. Inspired from MITRE ATT&CK, the threat matrix for Kubernetes is designed to give quick insight into a potential TTP that an adversary may be using in their attack campaign. The threat matrix for Kubernetes contains also mitigations specific to Kubernetes environments and attack techniques.", "x_mitre_attack_spec_version": "2.1.0", 
@@ -54,31 +54,31 @@ "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", - "object_modified": "2023-01-23T19:22:40.000Z" + "object_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", + "object_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", - "object_modified": "2022-10-27T17:00:14.000Z" + "object_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", - "object_modified": "2022-12-05T07:54:00.000Z" + "object_ref": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", + "object_modified": "2022-10-25T08:08:39.000Z" }, { - "object_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "object_ref": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "object_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "object_modified": "2022-10-28T11:26:39.000Z" }, { 
@@ -86,79 +86,83 @@ "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "object_modified": "2022-10-25T08:08:39.000Z" }, { - "object_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", + "object_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", + "object_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "object_modified": "2022-12-05T07:54:00.000Z" }, - { - "object_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", - "object_modified": "2022-10-28T11:26:39.000Z" - }, { "object_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "object_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", + "object_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "object_modified": "2022-12-05T07:54:00.000Z" }, + { + "object_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", + "object_modified": "2023-01-23T19:22:40.000Z" + }, + { + "object_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", + "object_modified": "2022-10-28T11:26:39.000Z" + }, { "object_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", + "object_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", - 
"object_modified": "2022-12-05T07:54:00.000Z" + "object_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", - "object_modified": "2022-12-05T07:54:00.000Z" + "object_ref": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "object_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "object_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", - "object_modified": "2022-12-05T07:54:00.000Z" + "object_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", - "object_modified": "2022-10-25T08:08:39.000Z" + "object_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "object_ref": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", "object_modified": "2022-10-27T17:00:14.000Z" }, { - "object_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "object_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", + "object_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "object_modified": "2022-10-28T11:26:39.000Z" }, { 
@@ -166,616 +170,612 @@ "object_modified": "2022-10-25T08:08:39.000Z" }, { - "object_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "object_modified": "2022-10-27T17:00:14.000Z" }, { - "object_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", + "object_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "object_ref": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", - "object_modified": "2022-10-25T08:08:39.000Z" + "object_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", + "object_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "object_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", + "object_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "object_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", + "object_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", - "object_modified": "2022-12-05T07:54:00.000Z" - }, - { - "object_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", + "object_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--ac59938a-311a-4b1d-ab0d-ca2d475e284c", - "object_modified": "2024-05-08T15:22:56.105508Z" + "object_ref": "course-of-action--55d8b50b-d044-4a03-b1ef-6553f3aed34d", + "object_modified": "2024-05-15T03:39:49.593404Z" }, { - "object_ref": "relationship--684df523-a6e2-4963-b89c-12e3c6a59b77", - "object_modified": "2024-05-08T15:22:56.105747Z" + "object_ref": "relationship--1cee926a-5ce2-4ac5-941a-de6484007cc7", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--e1617893-3f7b-4be8-ad56-893bfa3759cd", - "object_modified": "2024-05-08T15:22:56.107717Z" + "object_ref": "relationship--2d6ddaf0-a928-43a2-a610-9bf62c1ed0a4", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--a505b3a7-d08a-4407-85a4-3cb849dd80c4", - "object_modified": "2024-05-08T15:22:56.107829Z" + "object_ref": "course-of-action--520d4254-ebd3-49e1-984f-dcf2ace87a9e", + "object_modified": "2024-05-15T03:39:49.632956Z" }, { - "object_ref": "course-of-action--4b77406c-6862-489f-b6a4-5d9da04bf053", - "object_modified": "2024-05-08T15:22:56.110187Z" + "object_ref": "relationship--f8705584-7dfe-4e53-87ce-8e4e0c99cbc0", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--dddf5766-1f08-477d-bbde-0edb594df29f", - "object_modified": "2024-05-08T15:22:56.110305Z" + "object_ref": "course-of-action--778d7e0c-c593-49b9-bcd7-d16b78004eb5", + "object_modified": "2024-05-15T03:39:49.656588Z" }, { 
- "object_ref": "relationship--bd30de10-b0a9-4286-a31d-7c1cbd369f96", - "object_modified": "2024-05-08T15:22:56.110386Z" + "object_ref": "relationship--f3767923-01f7-4810-9ba1-9cc0032da723", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--0e1a91ca-6129-4b7e-9b05-1d3004500999", - "object_modified": "2024-05-08T15:22:56.112317Z" + "object_ref": "relationship--997ff777-3194-44ff-98c2-52918448ea32", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--c38f19cf-a229-47ab-87b1-3b3473b023db", - "object_modified": "2024-05-08T15:22:56.112428Z" + "object_ref": "course-of-action--d19bd228-4302-4497-b3d5-65fe23c217e1", + "object_modified": "2024-05-15T03:39:49.692338Z" }, { - "object_ref": "course-of-action--c1159ee6-af84-4a56-a3fd-57359b498f9e", - "object_modified": "2024-05-08T15:22:56.114624Z" + "object_ref": "relationship--52acb074-9e6c-462b-9f68-b2daead4febd", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--f339094b-0181-402c-b8b1-dc0abecc1376", - "object_modified": "2024-05-08T15:22:56.114727Z" + "object_ref": "course-of-action--c3ebbc7f-5b27-4a32-9612-81af964e1fa6", + "object_modified": "2024-05-15T03:39:49.713824Z" }, { - "object_ref": "course-of-action--79053c9f-34ea-444f-8e97-827c60881e51", - "object_modified": "2024-05-08T15:22:56.116769Z" + "object_ref": "relationship--05af345e-2386-45e6-9b5f-b42a7e3f963b", + "object_modified": "2022-10-25T08:08:39.000Z" }, { - "object_ref": "relationship--d4dd453f-66ce-42f0-816e-bdad2c1dd18e", - "object_modified": "2024-05-08T15:22:56.116875Z" + "object_ref": "course-of-action--87f133cb-179a-4f4c-ace0-304ce900b0c6", + "object_modified": "2024-05-15T03:39:49.738357Z" }, { - "object_ref": "course-of-action--770f2953-0263-4408-a0b2-6cda1c0d3205", - "object_modified": "2024-05-08T15:22:56.119383Z" + "object_ref": "relationship--21b8bc42-4f8b-48d4-bd6a-6d167c6bc3cb", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - 
"object_ref": "relationship--0c551a23-0a7b-41de-bffd-a19e4ecee79e", - "object_modified": "2024-05-08T15:22:56.119488Z" + "object_ref": "relationship--e87cab35-468b-46bc-a7ed-7378ec79c528", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--0b914519-e08f-4e56-9a68-a9cebb1c1d4a", - "object_modified": "2024-05-08T15:22:56.119567Z" + "object_ref": "course-of-action--68fb6dea-250a-4980-b700-68e3d476fc53", + "object_modified": "2024-05-15T03:39:49.775718Z" }, { - "object_ref": "course-of-action--9e37ad64-5cc7-410b-a550-b9c1590c6283", - "object_modified": "2024-05-08T15:22:56.122732Z" + "object_ref": "relationship--127a742e-4abb-4be2-8647-d6db0955fed0", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--7bbe05c2-60af-4088-ace6-94f4f071df19", - "object_modified": "2024-05-08T15:22:56.122846Z" + "object_ref": "course-of-action--f1c844f3-f0df-45c8-8977-1e83897a490f", + "object_modified": "2024-05-15T03:39:49.794023Z" }, { - "object_ref": "relationship--2d8245fd-ef52-41a9-a4ae-5aaa3921aefe", - "object_modified": "2024-05-08T15:22:56.122926Z" + "object_ref": "relationship--1d3d2200-a69d-492a-8e8e-da998e38b52b", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--45d6494c-98b2-4720-9f60-0fd0f7c98726", - "object_modified": "2024-05-08T15:22:56.123003Z" + "object_ref": "course-of-action--c78016d9-1088-4355-9c07-15afa17c30ba", + "object_modified": "2024-05-15T03:39:49.806472Z" }, { - "object_ref": "relationship--90f62dcd-d7e7-44e3-b445-5a642f5de126", - "object_modified": "2024-05-08T15:22:56.123072Z" + "object_ref": "relationship--7f80fc51-faa5-449a-8795-77b1d7d38249", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "object_modified": "2024-05-08T15:22:56.15468Z" + "object_ref": "course-of-action--bd8a1f81-5681-4b09-86a3-60e4a1339332", + "object_modified": "2024-05-15T03:39:49.822823Z" }, { - 
"object_ref": "relationship--b44efe83-3469-4a9c-b8c6-53b874056843", - "object_modified": "2024-05-08T15:22:56.15482Z" + "object_ref": "relationship--53dd1c67-71fc-4966-80b4-e77583e2ef8e", + "object_modified": "2022-10-27T17:00:14.000Z" }, { - "object_ref": "relationship--23143241-f6d3-42a0-9469-53edf84f0e0f", - "object_modified": "2024-05-08T15:22:56.154905Z" + "object_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", + "object_modified": "2024-05-15T03:39:49.856437Z" }, { - "object_ref": "relationship--848b4d5c-90d1-4482-b251-adcc7cc17891", - "object_modified": "2024-05-08T15:22:56.154975Z" + "object_ref": "relationship--9372f1ae-40cc-4952-bbcf-f22b89a372bd", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--72c5ef65-0a46-48f0-90bd-7fa8eb3b1939", - "object_modified": "2024-05-08T15:22:56.15504Z" + "object_ref": "relationship--15ac3b60-3bd6-4381-ad36-9160702e746b", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--5ba9c263-a863-4192-beed-f1e9ed42674f", - "object_modified": "2024-05-08T15:22:56.155104Z" + "object_ref": "relationship--bf5f4a2f-14dc-409c-b93c-364111d0dbc6", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--d1b623d5-b933-441d-8894-22bd5dd44117", - "object_modified": "2024-05-08T15:22:56.155171Z" + "object_ref": "relationship--e2954083-f170-4032-9f0a-3a13f8d55b7c", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--efb0998c-99dd-44a1-944b-da25cbb9bea2", - "object_modified": "2024-05-08T15:22:56.155238Z" + "object_ref": "relationship--d99027db-b6c3-4e63-bf38-8c2c32ee4bd6", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--cf9f87de-2a3b-46fc-84ef-4e925923b5e4", - "object_modified": "2024-05-08T15:22:56.155302Z" + "object_ref": "relationship--23b37f44-775f-4c0e-b631-b1f423a6a60f", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": 
"relationship--2d46b6e7-1230-4faf-a8ad-e12235ee7ea4", - "object_modified": "2024-05-08T15:22:56.155365Z" + "object_ref": "relationship--7b499331-659d-4d8a-849f-a79df719852e", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--72a148ee-50f9-4e3b-a937-3c08256b1ed7", - "object_modified": "2024-05-08T15:22:56.155432Z" + "object_ref": "relationship--4861b510-27a7-413a-91a6-80952fb4f1f2", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--bd7dbd2b-a07e-4bf9-a4c8-beb6f5c2dd50", - "object_modified": "2024-05-08T15:22:56.155493Z" + "object_ref": "relationship--a4bad130-89bb-4d8b-b2cb-a102501a7806", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--7478fe08-c216-44bf-bede-f13f941b7f29", - "object_modified": "2024-05-08T15:22:56.155554Z" + "object_ref": "course-of-action--2a25aaa2-136a-4a58-b1de-d1fd0cac5173", + "object_modified": "2024-05-15T03:39:49.989843Z" }, { - "object_ref": "relationship--78717954-c8b0-4282-81cc-2c85a049a449", - "object_modified": "2024-05-08T15:22:56.155617Z" + "object_ref": "relationship--c2bf159f-3b91-4a6e-8604-1e818d992b4e", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--844c1b1d-3cee-4c6b-a27f-1c1733704dfa", - "object_modified": "2024-05-08T15:22:56.155679Z" + "object_ref": "relationship--4d3608f4-edbb-406d-a903-7f4f1ecad5db", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--f00a996f-9c64-4ef1-8c93-0e9f5d93c836", - "object_modified": "2024-05-08T15:22:56.15574Z" + "object_ref": "relationship--17ebe0b8-ba9b-4a92-9093-dbda15d80621", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--68813965-9188-431b-918d-fb91ca2f1f06", - "object_modified": "2024-05-08T15:22:56.1558Z" + "object_ref": "relationship--aa539a34-7282-4f93-a201-880603aa7e5c", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--32f00bea-6a7d-4c35-9fce-42afca7ede41", - "object_modified": "2024-05-08T15:22:56.155861Z" + "object_ref": "relationship--bc844fa6-71ac-4b9d-a831-dc67509f5af1", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--5f338d5a-3d04-46a2-8baa-a29a3d60567b", - "object_modified": "2024-05-08T15:22:56.155922Z" + "object_ref": "relationship--ae4cd2da-2261-4ec5-be1f-74e48e3d12c3", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--3695fbaa-c940-4482-8d6f-1857521374f4", - "object_modified": "2024-05-08T15:22:56.155983Z" + "object_ref": "relationship--e57186e7-9fee-4ab1-b016-d1451f52fea0", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--55a99025-850c-4827-8b07-914552199b36", - "object_modified": "2024-05-08T15:22:56.159781Z" + "object_ref": "course-of-action--e2750236-3a09-4c64-97f4-8105d08d773c", + "object_modified": "2024-05-15T03:39:50.110727Z" }, { - "object_ref": "relationship--591612f8-a5a7-4161-861b-64693ee49557", - "object_modified": "2024-05-08T15:22:56.159973Z" + "object_ref": "relationship--f379373c-8822-4c48-8911-210df5418bb5", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--2adc1cb3-3614-410c-b549-1c81de3ea1b2", - "object_modified": "2024-05-08T15:22:56.160056Z" + "object_ref": "course-of-action--51d41dfb-5f49-477a-8377-b0e534432991", + "object_modified": "2024-05-15T03:39:50.135881Z" }, { - "object_ref": "relationship--30d2e91b-ae8e-4886-a605-d61f12904201", - "object_modified": "2024-05-08T15:22:56.160125Z" + "object_ref": "relationship--260fd263-0f63-486c-85f2-73d603efc5b8", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--c3bb518a-5b52-4b31-b78f-f5fcc949736c", - "object_modified": "2024-05-08T15:22:56.160193Z" + "object_ref": "course-of-action--a09ce953-17ee-47bb-b2d0-9338767d0d4d", + "object_modified": "2024-05-15T03:39:50.165211Z" }, { - "object_ref": 
"relationship--ee884f9c-ff11-41ae-88e0-3b01b047640c", - "object_modified": "2024-05-08T15:22:56.160265Z" + "object_ref": "relationship--f43769b5-3a95-4bee-a453-bb8665c264d7", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--1dd70791-0859-4bd6-97de-c0db2e34beb2", - "object_modified": "2024-05-08T15:22:56.160332Z" + "object_ref": "course-of-action--925b3e24-eb25-4c68-b3fe-2165d14d96a6", + "object_modified": "2024-05-15T03:39:50.191364Z" }, { - "object_ref": "relationship--23432974-c2b0-4a4f-a61a-464032513031", - "object_modified": "2024-05-08T15:22:56.160398Z" + "object_ref": "relationship--b444a265-fde8-4492-8318-3899451a74d6", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "course-of-action--d8394e32-01b5-4447-a9cb-c98059a7a24b", - "object_modified": "2024-05-08T15:22:56.164478Z" + "object_ref": "course-of-action--e8251e81-f825-4987-b384-ff1aca09a7a5", + "object_modified": "2024-05-15T03:39:50.211723Z" }, { - "object_ref": "relationship--9084a585-125b-48a8-b5c5-253fe50cd45f", - "object_modified": "2024-05-08T15:22:56.164583Z" + "object_ref": "relationship--218b9d58-20b0-4ce4-844e-0118e8d99774", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--eba9530a-3b27-4aac-9fb3-af44b91370ea", - "object_modified": "2024-05-08T15:22:56.16466Z" + "object_ref": "relationship--e4ef9577-a365-410d-8364-d0bb066f42bf", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--7fce2c6d-7b4f-4a73-a763-5eb8c1ce476b", - "object_modified": "2024-05-08T15:22:56.164731Z" + "object_ref": "course-of-action--aac84edd-fdfd-496f-86f6-a2928fed9718", + "object_modified": "2024-05-15T03:39:50.25828Z" }, { - "object_ref": "relationship--0ccf0337-e389-4e82-86c7-c3f3d6d715d8", - "object_modified": "2024-05-08T15:22:56.164799Z" + "object_ref": "relationship--c5ee99c3-a3f5-48c3-b3cc-e016aaad30f3", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--efec075f-2e2a-4a46-8c3b-87f79852ac4b", - "object_modified": "2024-05-08T15:22:56.164866Z" + "object_ref": "relationship--fb36acc7-8b7c-4be6-a6dd-58ef99e8a4d1", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--a13556e9-ad9f-45a9-a3f1-af748f1fb09e", - "object_modified": "2024-05-08T15:22:56.164933Z" + "object_ref": "relationship--51aea02b-f08b-4911-a7b3-3c615012e191", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--b9124650-895d-4271-9829-08710a1c3377", - "object_modified": "2024-05-08T15:22:56.165Z" + "object_ref": "relationship--88e2fc55-9489-4b4e-adb2-fd4c703be960", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--a1b1f3b9-26b7-47cf-b212-79fbf0f75fde", - "object_modified": "2024-05-08T15:22:56.166862Z" + "object_ref": "course-of-action--bcdd9ff5-fc8c-4fa8-91f1-69e8dbf064d9", + "object_modified": "2024-05-15T03:39:50.34653Z" }, { - "object_ref": "relationship--2f2ad783-e5f7-49fc-948b-61f03ce598b5", - "object_modified": "2024-05-08T15:22:56.166947Z" + "object_ref": "relationship--395815eb-8041-4873-9b8b-8d2bbbe09e9b", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--a22d0e88-9fb6-4728-adea-52d9f279641e", - "object_modified": "2024-05-08T15:22:56.169861Z" + "object_ref": "relationship--d4fb6853-ce8f-4ad3-891c-75c5f5185be9", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--480263be-2153-4749-9148-70164682e46d", - "object_modified": "2024-05-08T15:22:56.16995Z" + "object_ref": "relationship--575c4dfa-84f1-4f4b-97c0-562c4be5ab79", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--f63fa307-e4f1-4d4b-9135-486454913410", - "object_modified": "2024-05-08T15:22:56.17002Z" + "object_ref": "relationship--548c7c7c-30f8-454f-bc8a-162262415b42", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--37386587-467b-4334-877a-57a33828a55e", - "object_modified": "2024-05-08T15:22:56.170088Z" + "object_ref": "relationship--f21d594d-a2c4-465f-9363-cb6f8cd513d0", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--8bdb3ec1-eb93-47fd-ac6f-f5b24134a5cf", - "object_modified": "2024-05-08T15:22:56.172279Z" + "object_ref": "course-of-action--911f0f2c-0be0-40bb-95e3-f6b9c200a9eb", + "object_modified": "2024-05-15T03:39:50.432865Z" }, { - "object_ref": "relationship--f74b5496-c7e5-4aa7-be3a-0d16d161bda1", - "object_modified": "2024-05-08T15:22:56.172377Z" + "object_ref": "relationship--052962f9-6bac-4e77-be11-b0a77cf325f8", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--bc614ef9-78dd-40f2-ab07-c7c9e12b963f", - "object_modified": "2024-05-08T15:22:56.172455Z" + "object_ref": "course-of-action--d59e0361-e023-4e3b-bd6a-374da2266736", + "object_modified": "2024-05-15T03:39:50.450136Z" }, { - "object_ref": "course-of-action--b2f07c19-8b55-48bf-9542-2b6fc552e8ef", - "object_modified": "2024-05-08T15:22:56.174374Z" + "object_ref": "relationship--5296d9e7-1a11-4bca-8eeb-f8449e39a4d6", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--d077a740-aa3c-438f-9b15-6293a1da5bcf", - "object_modified": "2024-05-08T15:22:56.174484Z" + "object_ref": "relationship--ab838d60-4c41-4293-b77c-09e4a4a9cd62", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--e97e7d91-2157-455c-8735-e8b923c89674", - "object_modified": "2024-05-08T15:22:56.176356Z" + "object_ref": "relationship--cedd7e41-7f86-4ae8-b52e-c18069ed209e", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--d8a67cab-2aec-4885-b4b5-65caed8d3bc1", - "object_modified": "2024-05-08T15:22:56.176459Z" + "object_ref": "course-of-action--1b4c4c3f-d97d-4478-b5c8-146d6464ee4e", + "object_modified": "2024-05-15T03:39:50.500751Z" }, { - "object_ref": 
"course-of-action--2ac38e43-d1e4-42a7-9200-3c66b2a14f2a", - "object_modified": "2024-05-08T15:22:56.178317Z" + "object_ref": "relationship--120b8e99-ff14-49c3-8d60-3afb877a2705", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--1490c81e-60bf-4e7a-91de-082c18d8c07b", - "object_modified": "2024-05-08T15:22:56.178441Z" + "object_ref": "relationship--be9f0971-16e6-4067-b560-085cae7145f0", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--43c3ee3b-415b-42f4-9196-a75c08ef951a", - "object_modified": "2024-05-08T15:22:56.180191Z" + "object_ref": "course-of-action--dec10eb4-b95f-4a77-a339-fa021cf4a899", + "object_modified": "2024-05-15T03:39:50.549988Z" }, { - "object_ref": "relationship--90678f01-47c5-4838-98e7-d01eebfa0d28", - "object_modified": "2024-05-08T15:22:56.180298Z" + "object_ref": "relationship--fc44ddb8-eb0c-4d96-abb0-547f3aad03bb", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "course-of-action--2c463ce1-a490-4348-a13a-6cb692ccc688", - "object_modified": "2024-05-08T15:22:56.182403Z" + "object_ref": "relationship--dc579813-666e-4365-851b-357b41ee17fc", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "relationship--cd35cbd7-4b93-4b58-a07e-365899f9f6e3", - "object_modified": "2024-05-08T15:22:56.182509Z" + "object_ref": "relationship--0ecd2aca-11a3-4f9f-9bbd-ce78673bdd11", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "relationship--d0a52dac-8d12-4cea-8907-3214a272ce87", - "object_modified": "2024-05-08T15:22:56.182588Z" + "object_ref": "relationship--c59e7256-0fa5-478e-8597-e4116c67d234", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "course-of-action--12809894-059a-4bb9-a7c3-37c64de36bd5", - "object_modified": "2024-05-08T15:22:56.184338Z" + "object_ref": "relationship--59fe1010-17ca-46e4-86b4-82a6507c0274", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": 
"relationship--b732d3c6-24e8-47ec-b8ba-3824fad3561d", - "object_modified": "2024-05-08T15:22:56.184502Z" + "object_ref": "relationship--74740cef-789c-419b-8ef4-be1b91411f77", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "course-of-action--ea621114-674b-4aac-886c-994c8da59b20", - "object_modified": "2024-05-08T15:22:56.187533Z" + "object_ref": "relationship--33e1bea6-768f-44bf-9fcb-8d1e3907ef2a", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "relationship--1d4b575d-5a95-4894-9d35-3b1abcb99dbd", - "object_modified": "2024-05-08T15:22:56.187631Z" + "object_ref": "course-of-action--1e89ed15-2cc3-4559-b971-727257bb3468", + "object_modified": "2024-05-15T03:39:50.684929Z" }, { - "object_ref": "relationship--5b895b8e-f2fa-4f83-be17-09f47e8678b9", - "object_modified": "2024-05-08T15:22:56.187712Z" + "object_ref": "relationship--ca42a472-3bf3-4e21-ad6f-b30c421c39a3", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--21c02ea0-80b1-43a6-bc0d-cec13a726e09", - "object_modified": "2024-05-08T15:22:56.187782Z" + "object_ref": "course-of-action--88846ecd-3066-403b-ae1e-14990aec7b89", + "object_modified": "2024-05-15T03:39:50.708572Z" }, { - "object_ref": "relationship--b8010747-c436-4478-ad8a-05aa0d650815", - "object_modified": "2024-05-08T15:22:56.18785Z" + "object_ref": "relationship--a8a8174f-cace-4014-8ba5-19ac6405fd6d", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--ec5feb2f-3ba6-430c-8243-a362334423f6", - "object_modified": "2024-05-08T15:22:56.187921Z" + "object_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "object_modified": "2024-05-15T03:39:50.779693Z" }, { - "object_ref": "course-of-action--145627ab-4c2f-4817-9cc7-3541c4b2132d", - "object_modified": "2024-05-08T15:22:56.190096Z" + "object_ref": "relationship--6439eb96-2128-4a10-bc35-245772507eaa", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--2cdf3dab-2a3c-4a54-86f0-d2dac4ed5caa", - "object_modified": "2024-05-08T15:22:56.190183Z" + "object_ref": "relationship--0099590d-c613-4183-90ef-0677a5cee5e0", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb", - "object_modified": "2024-05-08T15:22:56.194751Z" + "object_ref": "relationship--c0a48420-db41-473c-a6c0-1e13a3d10186", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--a146eb92-2664-4266-bcca-296096759948", - "object_modified": "2024-05-08T15:22:56.194859Z" + "object_ref": "relationship--ffc80eef-fce9-4a9c-a6cc-64a06bd04c09", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--76f97393-3394-4fc6-96bc-720d3f801545", - "object_modified": "2024-05-08T15:22:56.194937Z" + "object_ref": "relationship--5e215619-4747-40ee-b7d8-cb99f43dcc02", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--65c74fcc-0a2b-48f5-8140-d1724dbc0152", - "object_modified": "2024-05-08T15:22:56.195007Z" + "object_ref": "relationship--eff8b137-592b-4e24-b9d0-84d0b4ecd36c", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--a4297d46-5ef6-48ee-a7ec-9c81c2104efb", - "object_modified": "2024-05-08T15:22:56.195074Z" + "object_ref": "relationship--2ee66121-66fb-4322-bf90-a304269cc9ca", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--b455b577-b0a4-4b5e-b309-4399ffdb96d8", - "object_modified": "2024-05-08T15:22:56.195142Z" + "object_ref": "relationship--439dbd19-7acb-4f32-ad8c-9cbdfd051ace", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--a3c5cc70-8051-4ee7-9103-8577d26bb3de", - "object_modified": "2024-05-08T15:22:56.195207Z" + "object_ref": "relationship--8b515b19-c9dd-4ff8-a0c9-5e8a53b8704e", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--81017d21-8a48-428c-8c20-7bedbb7c9274", - "object_modified": "2024-05-08T15:22:56.195273Z" + "object_ref": "relationship--177ce49d-d707-4a60-8758-3008ca687648", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--ea7b2c95-feae-4263-8972-1153520e12bb", - "object_modified": "2024-05-08T15:22:56.195338Z" + "object_ref": "relationship--1ef5a845-4abd-4dfa-a3fa-07614488bb92", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--d6a40a98-8a52-4531-9c32-a407d8c715dc", - "object_modified": "2024-05-08T15:22:56.195403Z" + "object_ref": "relationship--597c4e29-5e2b-413e-85b3-156207c18632", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--078074f8-e7ee-4480-adc4-319dd516eeca", - "object_modified": "2024-05-08T15:22:56.197061Z" + "object_ref": "relationship--a17ec211-c097-4b29-b6f3-cf70f2a40917", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--4a74f882-fc51-4b69-9133-d4d2cdc8cba4", - "object_modified": "2024-05-08T15:22:56.197159Z" + "object_ref": "relationship--6f44a207-12a9-4211-a943-ba64ae52a24f", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--14ab0198-d01e-4136-8e42-a3c98fe94cc7", - "object_modified": "2024-05-08T15:22:56.199422Z" + "object_ref": "relationship--0e71454a-a992-44ae-ae75-a355d6f04b0a", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--9daf3409-b091-43a4-93fe-00cfede88603", - "object_modified": "2024-05-08T15:22:56.199528Z" + "object_ref": "relationship--29059bde-e9aa-49d6-afd6-d6aac181369f", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--971dbbb2-612c-4cab-b442-e50892920edd", - "object_modified": "2024-05-08T15:22:56.199605Z" + "object_ref": "relationship--1cd92ebc-5be0-4b93-8067-f64d40a8eb37", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"course-of-action--c17f9a3f-ef25-4c11-ae3a-37d33049134d", - "object_modified": "2024-05-08T15:22:56.201611Z" + "object_ref": "relationship--58d81031-aac2-416c-a191-703afb143397", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--efdd2248-5844-4b83-8b88-ddc9f10e3311", - "object_modified": "2024-05-08T15:22:56.201719Z" + "object_ref": "relationship--0bbe557c-9ac5-4349-bcd5-6ed0df52dfdd", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--16b1618d-8f02-412b-8344-dcc66fafd08f", - "object_modified": "2024-05-08T15:22:56.203489Z" + "object_ref": "course-of-action--f67dcfd5-3ee8-4100-9d60-665aa3f98dc1", + "object_modified": "2024-05-15T03:39:51.142006Z" }, { - "object_ref": "relationship--9d5118f8-227f-4875-b9c1-d45ec317f7e8", - "object_modified": "2024-05-08T15:22:56.203589Z" + "object_ref": "relationship--fbe192dc-787b-45ae-90e8-cf184b867d6a", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--2e0b0daa-c0e9-42c7-807e-6f3fd0872882", - "object_modified": "2024-05-08T15:22:56.205377Z" + "object_ref": "course-of-action--91b29f5f-3691-4f7f-a23a-b104a93fa10a", + "object_modified": "2024-05-15T03:39:51.164002Z" }, { - "object_ref": "relationship--516c362d-01e1-44df-9b7c-29f243f27a89", - "object_modified": "2024-05-08T15:22:56.205477Z" + "object_ref": "relationship--4790d8c7-e38d-4515-b52a-e3c67181d9f2", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--3b86fb19-87fc-4765-8ae0-1230ce738c2a", - "object_modified": "2024-05-08T15:22:56.207152Z" + "object_ref": "course-of-action--319be813-fae2-44c6-a98f-d19423cd0ab5", + "object_modified": "2024-05-15T03:39:51.196889Z" }, { - "object_ref": "relationship--021a4287-68df-4d15-a53d-aca210ac5fba", - "object_modified": "2024-05-08T15:22:56.207254Z" + "object_ref": "relationship--57ca0b03-fe25-4502-bd10-9457f9018d6f", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"course-of-action--edc65489-8e21-4ed2-9b02-3bfb455ecde1", - "object_modified": "2024-05-08T15:22:56.209345Z" + "object_ref": "relationship--94ccb16c-7a52-4145-a3b4-f7561e17494b", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--9cfdb87c-af40-45a3-ab41-108b2171cc7a", - "object_modified": "2024-05-08T15:22:56.209448Z" + "object_ref": "relationship--d3f0e11e-0329-4cab-aa8c-b4f7b09f472e", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--4c8ed604-f737-4520-a091-dbeb148d9fc2", - "object_modified": "2024-05-08T15:22:56.209526Z" + "object_ref": "course-of-action--0fbf6f7c-0e57-4deb-95c1-b7b35d6e0ef7", + "object_modified": "2024-05-15T03:39:51.2552Z" }, { - "object_ref": "course-of-action--3f52a1a4-fdc8-44d8-9b3b-093f8cb7fd5c", - "object_modified": "2024-05-08T15:22:56.212461Z" + "object_ref": "relationship--11a97dca-c8a3-437d-a1e0-e855232bd9c3", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--bb9a35da-8778-4d5f-a5fe-9d71c531ed7e", - "object_modified": "2024-05-08T15:22:56.212566Z" + "object_ref": "course-of-action--11489e40-e90e-4154-abc6-dba7cd93b491", + "object_modified": "2024-05-15T03:39:51.280318Z" }, { - "object_ref": "relationship--1858f521-084f-4965-a366-d7188de510e8", - "object_modified": "2024-05-08T15:22:56.212643Z" + "object_ref": "relationship--566a170f-76c6-4a7e-8c22-d02c39def619", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--cce2028a-859d-4e6f-bfc1-4cc776ee1580", - "object_modified": "2024-05-08T15:22:56.212722Z" + "object_ref": "relationship--3edc3696-1ecc-4493-b160-0eb35dbb153d", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--d5dc6d39-2ebd-4e7a-a5cf-d168af52b958", - "object_modified": "2024-05-08T15:22:56.215558Z" + "object_ref": "course-of-action--8b376e3a-27a5-440d-9f6a-6cd9bffbbc7f", + "object_modified": "2024-05-15T03:39:51.325172Z" }, { - "object_ref": 
"course-of-action--3463d40a-efed-490f-9059-928c4c3237c6", - "object_modified": "2024-05-08T15:22:56.218185Z" + "object_ref": "course-of-action--b8aa7ff9-2c6d-4522-b507-5dabaa2e9fc6", + "object_modified": "2024-05-15T03:39:51.333113Z" }, { - "object_ref": "course-of-action--679283b1-18dc-4249-b1b0-8a0fbcc86819", - "object_modified": "2024-05-08T15:22:56.221362Z" + "object_ref": "course-of-action--77b8fc81-2d20-4fa6-9b41-9ac5509a87b3", + "object_modified": "2024-05-15T03:39:51.337162Z" }, { - "object_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", - "object_modified": "2024-05-08T15:22:56.225976Z" + "object_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", + "object_modified": "2024-05-15T03:39:51.343565Z" }, { - "object_ref": "relationship--782c7775-83f3-4459-8fb9-28da08fdee61", - "object_modified": "2024-05-08T15:22:56.226156Z" + "object_ref": "relationship--d5807d7e-f2c8-4327-990a-e4af75a0bc0d", + "object_modified": "2024-05-15T06:39:51.351246Z" }, { - "object_ref": "relationship--1ce40510-0136-4ae0-a9f8-8f3ec51f8864", - "object_modified": "2024-05-08T15:22:56.226244Z" + "object_ref": "relationship--437f7861-883a-4867-91db-baf03277714c", + "object_modified": "2024-05-15T06:39:51.359354Z" }, { - "object_ref": "relationship--81ec6e6f-fa3f-4040-a724-833699364643", - "object_modified": "2024-05-08T15:22:56.226315Z" + "object_ref": "relationship--1791ff5f-a7fe-4a8c-867f-7e4d4457ce04", + "object_modified": "2024-05-15T06:39:51.37402Z" }, { - "object_ref": "relationship--2c6feeef-2531-451c-9e47-a13a805a4de0", - "object_modified": "2024-05-08T15:22:56.226383Z" + "object_ref": "relationship--fe50d167-7eac-4b71-9df8-8d7d11926ddf", + "object_modified": "2024-05-15T06:39:51.386741Z" }, { - "object_ref": "relationship--bbdc57a5-e9ed-46a2-b3d4-3ee56d8af96f", - "object_modified": "2024-05-08T15:22:56.226449Z" + "object_ref": "relationship--dfbf2ef0-8462-45f4-a8c6-f11f23d63772", + "object_modified": "2024-05-15T06:39:51.400957Z" }, { - "object_ref": 
"relationship--5965c723-db2a-4155-b030-b81df136f30d", - "object_modified": "2024-05-08T15:22:56.226518Z" + "object_ref": "relationship--82395a4c-bfed-47bd-807b-3cb03a841444", + "object_modified": "2024-05-15T06:39:51.414656Z" }, { - "object_ref": "relationship--ef484610-1321-492b-af5b-53474922901a", - "object_modified": "2024-05-08T15:22:56.22659Z" + "object_ref": "relationship--c55c3f5c-434f-499b-8d81-cee4a6ac7e1f", + "object_modified": "2024-05-15T06:39:51.429746Z" }, { - "object_ref": "relationship--d901a4f8-0606-4f4a-9492-73a13c34322c", - "object_modified": "2024-05-08T15:22:56.226665Z" + "object_ref": "relationship--064d14e1-cd81-4478-9b06-440eda1fc860", + "object_modified": "2024-05-15T06:39:51.444833Z" }, { - "object_ref": "relationship--3efd61e1-bd89-4247-8e79-6ce2cbfd02a4", - "object_modified": "2024-05-08T15:22:56.226731Z" + "object_ref": "relationship--b875a9d5-550b-47e5-89fa-e76b3d86b7dd", + "object_modified": "2024-05-15T06:39:51.4605Z" }, { - "object_ref": "relationship--5bce60d2-b755-4e27-8de0-e0038326bfec", - "object_modified": "2024-05-08T15:22:56.226798Z" + "object_ref": "relationship--58581176-17db-460f-96e3-4cb863d9af1d", + "object_modified": "2024-05-15T06:39:51.476676Z" }, { - "object_ref": "relationship--3ddb2c6b-331e-487a-9855-96dd151f9867", - "object_modified": "2024-05-08T15:22:56.226867Z" + "object_ref": "relationship--f2921043-7046-4c06-bc44-b90a5c37c4af", + "object_modified": "2024-05-15T06:39:51.493963Z" }, { - "object_ref": "relationship--ad664846-1b62-4e02-8ce0-623262539cf3", - "object_modified": "2024-05-08T15:22:56.226933Z" + "object_ref": "relationship--639ad88a-b3b9-423f-9987-877c08f0e1b2", + "object_modified": "2024-05-15T06:39:51.518948Z" }, { - "object_ref": "relationship--818f2493-52f8-4de3-8a76-26bd4052f960", - "object_modified": "2024-05-08T15:22:56.227002Z" + "object_ref": "relationship--7952a030-cadf-41a2-96f2-11081f6b8f56", + "object_modified": "2024-05-15T06:39:51.534211Z" }, { - "object_ref": 
"relationship--9dfe3caa-7bcd-469c-8d8d-ff81bf8eb61e", - "object_modified": "2024-05-08T15:22:56.227071Z" + "object_ref": "relationship--d634d899-4763-406f-832c-093eab2072d0", + "object_modified": "2024-05-15T06:39:51.548301Z" }, { - "object_ref": "relationship--069fcf2f-4170-4e63-9360-1bf93c20315b", - "object_modified": "2024-05-08T15:22:56.227135Z" + "object_ref": "relationship--9ba23a5c-ccdb-4a05-ab6e-66123659c312", + "object_modified": "2024-05-15T06:39:51.562901Z" }, { - "object_ref": "relationship--2353bac2-6ec5-4a61-acad-b9e42591c080", - "object_modified": "2024-05-08T15:22:56.2272Z" + "object_ref": "relationship--4e263973-3d3e-45bb-a496-f5f033294bc4", + "object_modified": "2024-05-15T06:39:51.5779Z" }, { - "object_ref": "relationship--b4208483-e02b-4e4b-b303-264f034c2084", - "object_modified": "2024-05-08T15:22:56.227264Z" + "object_ref": "relationship--8b211336-1561-4b85-be2a-308d20b1f3b5", + "object_modified": "2024-05-15T06:39:51.595167Z" }, { - "object_ref": "relationship--4cf8585c-b005-4c2e-8dcd-7d4a3c0af182", - "object_modified": "2024-05-08T15:22:56.227329Z" + "object_ref": "relationship--9d0123fe-7884-4240-b246-d073b91dd1c6", + "object_modified": "2024-05-15T06:39:51.60971Z" }, { - "object_ref": "relationship--9f441bcf-b520-42be-bac8-fb0065b002ac", - "object_modified": "2024-05-08T15:22:56.227393Z" + "object_ref": "relationship--44605b12-a205-4764-bbda-c1ec86bfbf48", + "object_modified": "2024-05-15T06:39:51.62555Z" }, { - "object_ref": "x-mitre-matrix--72e4aa48-183b-4dd1-ab2e-f0bf87259ed8", - "object_modified": "2024-05-08T18:22:56.242Z" + "object_ref": "x-mitre-matrix--8891ab92-0b5d-4c1a-8c71-3cabe88ed697", + "object_modified": "2024-05-15T06:39:51.640Z" }, { "object_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", 
@@ -1027,28 +1027,32 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", + "id": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-02T14:34:35.000Z", - "modified": "2023-01-23T19:22:40.000Z", - "name": "Access cloud resources", - "description": "If the Kubernetes cluster is deployed in the cloud, in some cases attackers can leverage their access to a single container to get access to other cloud resources outside the cluster. For example, AKS uses several managed identities that are attached to the nodes, for the cluster operation. Similar identities exist also in EKS and GKE (EC2 roles and IAM service accounts, respectively). By default, running pods can retrieve the identities which in some configurations have privileged permissions. Therefore, if attackers gain access to a running pod in the cluster, they can leverage the identities to access external cloud resources.\n\nAlso, AKS has an option to authenticate with Azure using a service principal. When this option is enabled, each node stores service principal credentials that are located in /etc/kubernetes/azure.json. AKS uses this service principal to create and manage Azure resources that are needed for the cluster operation. By default, the service principal has contributor permissions in the cluster\u2019s Resource Group. Attackers who get access to this service principal file (by hostPath mount, for example) can use its credentials to access or modify the cloud resources.", + "created": "2022-10-02T18:11:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Container service account", + "description": "Service account (SA) represents an application identity in Kubernetes. 
By default, a Service Account access token is mounted to every created pod in the cluster and containers in the pod can send requests to the Kubernetes API server using the Service Account credentials. Attackers who get access to a pod can access the Service Account token (located in /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster, according to the Service Account permissions. If RBAC is not enabled, the Service Account has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings \\ ClusterRoleBindings that are associated with it.\n\nAn attacker which get access to the Service Account token can also authenticate and access the Kubernetes API server from outside the cluster and maintain access to the cluster.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "privilege-escalation" + "phase_name": "credential-access" }, { "kill_chain_name": "tmfk", "phase_name": "lateral-movement" + }, + { + "kill_chain_name": "tmfk", + "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20cloud%20resources", - "external_id": "MS-TA9020" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Container%20service%20account", + "external_id": "MS-TA9016" } ], "x_mitre_domains": [ @@ -1056,7 +1060,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1078.004" + "T1528" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1067,24 +1071,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", + "id": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Bash or cmd inside container", - "description": "Attackers who have permissions to run a cmd/bash script inside a container can use it to execute malicious code and compromise cluster resources.", + "name": "Clear container logs", + "description": "Attackers may delete the application or OS logs on a compromised container in an attempt to prevent detection of their activity.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "execution" + "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Bash%20or%20cmd%20inside%20container", - "external_id": "MS-TA9007" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Clear%20container%20logs", + "external_id": "MS-TA9021" } ], "x_mitre_domains": [ @@ -1092,7 +1096,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1059" + "T1070" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1103,24 +1107,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", + "id": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-27T17:00:14.000Z", - "name": "Cluster-admin binding", - "description": "Role-based access control (RBAC) is a key security feature in Kubernetes. RBAC can restrict the allowed actions of the various identities in the cluster. Cluster-admin is a built-in high privileged role in Kubernetes. Attackers who have permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Data destruction", + "description": "Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "privilege-escalation" + "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster-admin%20binding", - "external_id": "MS-TA9019" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction", + "external_id": "MS-TA9038" } ], "x_mitre_domains": [ @@ -1128,7 +1132,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1078.003" + "T1485" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1139,24 +1143,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", + "id": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "Privileged container", - "description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container, or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", + "modified": "2022-10-25T08:08:39.000Z", + "name": "CoreDNS poisoning", + "description": "CoreDNS is a modular Domain Name System (DNS) server written in Go, hosted by Cloud Native Computing Foundation (CNCF). CoreDNS is the main DNS service that is being used in Kubernetes. The configuration of CoreDNS can be modified by a file named corefile. In Kubernetes, this file is stored in a ConfigMap object, located at the kube-system namespace. 
If attackers have permissions to modify the ConfigMap, for example by using the container\u2019s service account, they can change the behavior of the cluster\u2019s DNS, poison it, and take the network identity of other services.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "privilege-escalation" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container", - "external_id": "MS-TA9018" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/CoreDNS%20poisoning", + "external_id": "MS-TA9035" } ], "x_mitre_domains": [ @@ -1164,7 +1168,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1610" + "T1557" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1175,24 +1179,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", + "id": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Access Kubernetes API server", - "description": "The Kubernetes API server is the gateway to the cluster. Actions in the cluster are performed by sending various requests to the RESTful API. The status of the cluster, which includes all the components that are deployed on it, can be retrieved by the API server. Attackers may send API requests to probe the cluster and get information about containers, secrets, and other resources in the cluster.\n\nIn addition, the Kubernetes API server can also be used to query information about Role Based Access (RBAC) information such as Roles, ClusterRoles, RoleBinding, ClusterRoleBinding and Service Accounts. Attacker may use this information to discover permissions and access associated with Service Accounts in the cluster and use this information to progress towards its attack objectives.", + "modified": "2022-12-05T07:54:00.000Z", + "name": "Backdoor container", + "description": "Attackers run their malicious code in a container in the cluster. 
By using the Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers run in one, or all, the nodes in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "discovery" + "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubernetes%20API%20server", - "external_id": "MS-TA9029" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Backdoor%20container", + "external_id": "MS-TA9012" } ], "x_mitre_domains": [ @@ -1200,7 +1204,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1613" + "T1543" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1211,28 +1215,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "id": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Application credentials in configuration files", - "description": "Developers store secrets in the Kubernetes configuration files, such as environment variables in the pod configuration. Such behavior is commonly seen in clusters that are monitored by Microsoft Defender for Cloud. Attackers who have access to those configurations, by querying the API server or by accessing those files on the developer\u2019s endpoint, can steal the stored secrets and use them.\n\nUsing those credentials attackers may gain access to additional resources inside and outside the cluster.", + "name": "Pod or container name similarity", + "description": "Pods that are created by controllers such as Deployment or DaemonSet have random suffix in their names. Attackers can use this fact and name their backdoor pods as they were created by the existing controllers. 
For example, an attacker could create a malicious pod named coredns-{random suffix} which would look related to the CoreDNS Deployment.\n\nAlso, attackers can deploy their containers in the kube-system namespace where the administrative containers reside.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "tmfk", - "phase_name": "lateral-movement" + "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20credentials%20in%20configuration%20files", - "external_id": "MS-TA9027" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarity", + "external_id": "MS-TA9023" } ], "x_mitre_domains": [ @@ -1240,7 +1240,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552" + "T1036.005" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1251,24 +1251,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "id": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Data destruction", - "description": "Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources.", + "name": "Access Managed Identity credentials", + "description": "Managed identities are identities that are managed by the cloud provider and can be allocated to cloud resources, such as virtual machines. Those identities are used to authenticate with cloud services. The identity\u2019s secret is fully managed by the cloud provider, which eliminates the need to manage the credentials. Applications can obtain the identity\u2019s token by accessing the Instance Metadata Service (IMDS). Attackers who get access to a Kubernetes pod can leverage their access to the IMDS endpoint to get the managed identity\u2019s token. With a token, the attackers can access cloud resources.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "impact" + "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction", - "external_id": "MS-TA9038" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Managed%20Identity%20credentials", + "external_id": "MS-TA9028" } ], "x_mitre_domains": [ @@ -1276,7 +1276,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1485" + "T1552.005" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1320,24 +1320,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", + "id": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Denial of service", - "description": "Attackers may attempt to perform a denial of service attack, which makes the service unavailable to the legitimate users. In container clusters, this include attempts to block the availability of the containers themselves, the underlying nodes, or the API server.", + "modified": "2022-10-25T08:08:39.000Z", + "name": "Access Kubelet API", + "description": "Kubelet is the Kubernetes agent that is installed on each node. Kubelet is responsible for the proper execution of pods that are assigned to the node. Kubelet exposes a read-only API service that does not require authentication (TCP port 10255). Attackers with network access to the host (for example, via running code on a compromised container) can send API requests to the Kubelet API. Specifically querying https://[NODE IP]:10255/pods/ retrieves the running pods on the node. https://[NODE IP]:10255/spec/ retrieves information about the node itself, such as CPU and memory consumption.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "impact" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Denial%20of%20service", - "external_id": "MS-TA9040" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubelet%20API", + "external_id": "MS-TA9030" } ], "x_mitre_domains": [ 
@@ -1345,8 +1345,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1498", - "T1499" + "T1613" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1357,24 +1356,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", + "id": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Clear container logs", - "description": "Attackers may delete the application or OS logs on a compromised container in an attempt to prevent detection of their activity.", + "name": "Images from a private registry", + "description": "The images that are running in the cluster can be stored in a private registry. For pulling those images, the container runtime engine (such as Docker or containerd) needs to have valid credentials to those registries. If the registry is hosted by the cloud provider, in services like Azure Container Registry (ACR) or Amazon Elastic Container Registry (ECR), cloud credentials are used to authenticate to the registry. If attackers get access to the cluster, in some cases they can obtain access to the private registry and pull its images. For example, attackers can use the managed identity token as described in the \u201cAccess managed identity credential\u201d technique. Similarly, in EKS, attackers can use the AmazonEC2ContainerRegistryReadOnly policy that is bound by default to the node\u2019s IAM role.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "defense-evasion" + "phase_name": "collection" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Clear%20container%20logs", - "external_id": "MS-TA9021" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Images%20from%20a%20private%20registry", + "external_id": "MS-TA9037" } ], "x_mitre_domains": [ 
@@ -1382,7 +1381,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1070" + "T1530" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1393,60 +1392,32 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", + "id": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-12-05T07:54:00.000Z", - "name": "Sidecar injection", - "description": "A Kubernetes Pod is a group of one or more containers with shared storage and network resources. Sidecar container is a term that is used to describe an additional container that resides alongside the main container. For example, service-mesh proxies are operating as sidecars in the applications\u2019 pods. Attackers can run their code and hide their activity by injecting a sidecar container to a legitimate pod in the cluster instead of running their own separated pod in the cluster.", + "name": "Writable hostPath mount", + "description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. 
For example, the latter can be achieved by creating a cron job on the host.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "execution" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "external_references": [ + "phase_name": "persistence" + }, { - "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20injection", - "external_id": "MS-TA9011" - } - ], - "x_mitre_domains": [ - "tmfk" - ], - "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "x_mitre_ids": [ - "T1610" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Kubernetes" - ], - "x_mitre_version": "1.0" - }, - { - "type": "attack-pattern", - "spec_version": "2.1", - "id": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", - "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Access Managed Identity credentials", - "description": "Managed identities are identities that are managed by the cloud provider and can be allocated to cloud resources, such as virtual machines. Those identities are used to authenticate with cloud services. The identity\u2019s secret is fully managed by the cloud provider, which eliminates the need to manage the credentials. Applications can obtain the identity\u2019s token by accessing the Instance Metadata Service (IMDS). Attackers who get access to a Kubernetes pod can leverage their access to the IMDS endpoint to get the managed identity\u2019s token. 
With a token, the attackers can access cloud resources.", - "kill_chain_phases": [ + "kill_chain_name": "tmfk", + "phase_name": "privilege-escalation" + }, { "kill_chain_name": "tmfk", - "phase_name": "credential-access" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Managed%20Identity%20credentials", - "external_id": "MS-TA9028" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount", + "external_id": "MS-TA9013" } ], "x_mitre_domains": [ @@ -1454,7 +1425,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552.005" + "T1611" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1501,30 +1472,33 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "id": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "SSH server running inside container", - "description": "SSH server that is running inside a container may be used by attackers. If attackers gain valid credentials to a container, whether by brute force attempts or by other methods (such as phishing), they can use it to get remote access to the container by SSH.", + "name": "Using cloud credentials", + "description": "In cases where the Kubernetes cluster is deployed in a public cloud (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to cluster takeover. Attackers who have access to the cloud account credentials can get access to the cluster\u2019s management layer.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "execution" + "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container", - "external_id": "MS-TA9010" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Using%20cloud%20credentials", + "external_id": "MS-TA9001" } ], "x_mitre_domains": [ "tmfk" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "x_mitre_ids": [ + "T1078.004" + ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" 
@@ -1534,24 +1508,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", + "id": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-12-05T07:54:00.000Z", - "name": "New container", - "description": "Attackers may attempt to run their code in the cluster by deploying a container. Attackers who have permissions to deploy a pod or a controller in the cluster (such as DaemonSet \\ ReplicaSet\\ Deployment) can create a new resource for running their code.", + "name": "Mount service principal", + "description": "When the cluster is deployed in the cloud, in some cases attackers can leverage their access to a container in the cluster to gain cloud credentials. For example, in AKS each node contains service principal credential.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "execution" + "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/New%20container", - "external_id": "MS-TA9008" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Mount%20service%20principal", + "external_id": "MS-TA9026" } ], "x_mitre_domains": [ @@ -1559,7 +1533,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1610" + "T1552.001" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1570,28 +1544,28 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", + "id": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-31T06:43:11.000Z", - "name": "Exposed sensitive interfaces", - "description": "Exposing a sensitive interface to the internet or within a cluster without strong authentication poses a security risk. Some popular cluster management services were not intended to be exposed to the internet, and therefore don\u2019t require authentication by default. Thus, exposing such services to the internet allows unauthenticated access to a sensitive interface which might enable running code or deploying containers in the cluster by a malicious actor. Examples of such interfaces that were seen exploited include Apache NiFi, Kubeflow, Argo Workflows, Weave Scope, and the Kubernetes dashboard.\n\nIn addition, having such services exposed within the cluster network without strong authentication can also allow an attacker to collect information about other workloads deployed to the cluster.\nThe Kubernetes dashboard is an example of such a service that is used for monitoring and managing the Kubernetes cluster. The dashboard allows users to perform actions in the cluster using its service account (kubernetes-dashboard) with permissions that are determined by the binding or cluster-binding for this service account. Attackers who gain access to a container in the cluster, can use its network access to the dashboard pod. 
Consequently, attackers may retrieve information about the various resources in the cluster using the dashboard\u2019s identity.", + "modified": "2023-01-23T19:22:40.000Z", + "name": "Access cloud resources", + "description": "If the Kubernetes cluster is deployed in the cloud, in some cases attackers can leverage their access to a single container to get access to other cloud resources outside the cluster. For example, AKS uses several managed identities that are attached to the nodes, for the cluster operation. Similar identities exist also in EKS and GKE (EC2 roles and IAM service accounts, respectively). By default, running pods can retrieve the identities which in some configurations have privileged permissions. Therefore, if attackers gain access to a running pod in the cluster, they can leverage the identities to access external cloud resources.\n\nAlso, AKS has an option to authenticate with Azure using a service principal. When this option is enabled, each node stores service principal credentials that are located in /etc/kubernetes/azure.json. AKS uses this service principal to create and manage Azure resources that are needed for the cluster operation. By default, the service principal has contributor permissions in the cluster\u2019s Resource Group. 
Attackers who get access to this service principal file (by hostPath mount, for example) can use its credentials to access or modify the cloud resources.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "initial-access" + "phase_name": "privilege-escalation" }, { "kill_chain_name": "tmfk", - "phase_name": "discovery" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exposed%20sensitive%20interfaces", - "external_id": "MS-TA9005" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20cloud%20resources", + "external_id": "MS-TA9020" } ], "x_mitre_domains": [ @@ -1599,7 +1573,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1133" + "T1078.004" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1610,24 +1584,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", + "id": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Delete Kubernetes events", - "description": "A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster. Example events are a container creation, an image pull, or a pod scheduling on a node.\n\nKubernetes events can be very useful for identifying changes that occur in the cluster. Therefore, attackers may want to delete these events (e.g., by using: \u201ckubectl delete events\u2013all\u201d) in an attempt to avoid detection of their activity in the cluster.", + "name": "Access Kubernetes API server", + "description": "The Kubernetes API server is the gateway to the cluster. Actions in the cluster are performed by sending various requests to the RESTful API. The status of the cluster, which includes all the components that are deployed on it, can be retrieved by the API server. Attackers may send API requests to probe the cluster and get information about containers, secrets, and other resources in the cluster.\n\nIn addition, the Kubernetes API server can also be used to query information about Role Based Access (RBAC) information such as Roles, ClusterRoles, RoleBinding, ClusterRoleBinding and Service Accounts. 
Attacker may use this information to discover permissions and access associated with Service Accounts in the cluster and use this information to progress towards its attack objectives.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "defense-evasion" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20Kubernetes%20events", - "external_id": "MS-TA9022" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubernetes%20API%20server", + "external_id": "MS-TA9029" } ], "x_mitre_domains": [ @@ -1635,7 +1609,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1070" + "T1613" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1646,32 +1620,28 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", + "id": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "Writable hostPath mount", - "description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.", + "modified": "2022-10-31T06:43:11.000Z", + "name": "Exposed sensitive interfaces", + "description": "Exposing a sensitive interface to the internet or within a cluster without strong authentication poses a security risk. Some popular cluster management services were not intended to be exposed to the internet, and therefore don\u2019t require authentication by default. Thus, exposing such services to the internet allows unauthenticated access to a sensitive interface which might enable running code or deploying containers in the cluster by a malicious actor. Examples of such interfaces that were seen exploited include Apache NiFi, Kubeflow, Argo Workflows, Weave Scope, and the Kubernetes dashboard.\n\nIn addition, having such services exposed within the cluster network without strong authentication can also allow an attacker to collect information about other workloads deployed to the cluster.\nThe Kubernetes dashboard is an example of such a service that is used for monitoring and managing the Kubernetes cluster. The dashboard allows users to perform actions in the cluster using its service account (kubernetes-dashboard) with permissions that are determined by the binding or cluster-binding for this service account. 
Attackers who gain access to a container in the cluster, can use its network access to the dashboard pod. Consequently, attackers may retrieve information about the various resources in the cluster using the dashboard\u2019s identity.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "persistence" - }, - { - "kill_chain_name": "tmfk", - "phase_name": "privilege-escalation" + "phase_name": "initial-access" }, { "kill_chain_name": "tmfk", - "phase_name": "lateral-movement" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount", - "external_id": "MS-TA9013" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exposed%20sensitive%20interfaces", + "external_id": "MS-TA9005" } ], "x_mitre_domains": [ @@ -1679,7 +1649,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1611" + "T1133" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1690,24 +1660,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", + "id": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "Mount service principal", - "description": "When the cluster is deployed in the cloud, in some cases attackers can leverage their access to a container in the cluster to gain cloud credentials. For example, in AKS each node contains service principal credential.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Resource hijacking", + "description": "Attackers may abuse a compromised resource for running tasks. A common abuse is to use compromised resources for running digital currency mining. Attackers who have access to a container in the cluster or have permissions to create new containers may use them for such activity.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "credential-access" + "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Mount%20service%20principal", - "external_id": "MS-TA9026" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Resource%20hijacking", + "external_id": "MS-TA9039" } ], "x_mitre_domains": [ @@ -1715,7 +1685,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552.001" + "T1496" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1726,24 +1696,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "id": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Application exploit (RCE)", - "description": "An application that is deployed in the cluster and is vulnerable to a remote code execution vulnerability, or a vulnerability that eventually allows code execution, enables attackers to run code in the cluster. If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.", + "name": "List Kubernetes secrets", + "description": "A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "execution" + "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20exploit%20(RCE)", - "external_id": "MS-TA9009" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20Kubernetes%20secrets", + "external_id": "MS-TA9025" } ], "x_mitre_domains": [ @@ -1751,7 +1721,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1190" + "T1552.007" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1762,13 +1732,17 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "id": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "List Kubernetes secrets", - "description": "A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.", + "name": "Malicious admission controller", + "description": "Admission controller is a Kubernetes component that intercepts, and possibly modifies, requests to the Kubernetes API server. There are two types of admissions controllers: validating and mutating controllers. As the name implies, a mutating admission controller can modify the intercepted request and change its properties. Kubernetes has a built-in generic admission controller named MutatingAdmissionWebhook. The behavior of this admission controller is determined by an admission webhook that the user deploys in the cluster. Attackers can use such webhooks for gaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.", "kill_chain_phases": [ + { + "kill_chain_name": "tmfk", + "phase_name": "persistence" + }, { "kill_chain_name": "tmfk", "phase_name": "credential-access" 
@@ -1778,8 +1752,8 @@ "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20Kubernetes%20secrets", - "external_id": "MS-TA9025" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Malicious%20admission%20controller", + "external_id": "MS-TA9015" } ], "x_mitre_domains": [ @@ -1787,7 +1761,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552.007" + "T1546" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1798,24 +1772,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", + "id": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "ARP poisoning and IP spoofing", - "description": "Kubernetes has numerous network plugins (Container Network Interfaces or CNIs) that can be used in the cluster. Kubenet is the basic, and in many cases the default, network plugin. In this configuration, a bridge is created on each node (cbr0) to which the various pods are connected using veth pairs. The fact that cross-pod traffic is through a bridge, a level-2 component, means that performing ARP poisoning in the cluster is possible. Therefore, if attackers get access to a pod in the cluster, they can perform ARP poisoning, and spoof the traffic of other pods. By using this technique, attackers can perform several attacks at the network-level which can lead to lateral movements, such as DNS spoofing or stealing cloud identities of other pods (CVE-2021-1677).", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Connect from proxy server", + "description": "Attackers may use proxy servers to hide their origin IP. Specifically, attackers often use anonymous networks such as TOR for their activity. 
This can be used for communicating with the applications themselves or with the API server.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "lateral-movement" + "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/ARP%20poisoning%20and%20IP%20spoofing", - "external_id": "MS-TA9036" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Connect%20from%20proxy%20server", + "external_id": "MS-TA9024" } ], "x_mitre_domains": [ @@ -1823,7 +1797,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1557" + "T1090" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1834,24 +1808,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "id": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-25T08:08:39.000Z", - "name": "Access Kubelet API", - "description": "Kubelet is the Kubernetes agent that is installed on each node. Kubelet is responsible for the proper execution of pods that are assigned to the node. Kubelet exposes a read-only API service that does not require authentication (TCP port 10255). Attackers with network access to the host (for example, via running code on a compromised container) can send API requests to the Kubelet API. Specifically querying https://[NODE IP]:10255/pods/ retrieves the running pods on the node. https://[NODE IP]:10255/spec/ retrieves information about the node itself, such as CPU and memory consumption.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Compromised image In registry", + "description": "Running a compromised image in a cluster can compromise the cluster. Attackers who get access to a private registry can plant their own compromised images in the registry. The latter can then be pulled by a user. In addition, users often use untrusted images from public registries (such as Docker Hub) that may be malicious.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "discovery" + "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubelet%20API", - "external_id": "MS-TA9030" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Compromised%20image%20In%20registry", + "external_id": "MS-TA9002" } ], "x_mitre_domains": [ 
@@ -1859,7 +1833,8 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1613" + "T1195.002", + "T1525" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ @@ -1870,24 +1845,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "id": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-27T17:00:14.000Z", - "name": "Kubeconfig file", - "description": "The kubeconfig file, also used by kubectl, contains details about Kubernetes clusters including their location and credentials. If the cluster is hosted as a cloud service (such as AKS or GKE), this file is downloaded to the client via cloud commands (e.g., az aks get-credentialfor AKS or gcloud container clusters get-credentialsfor GKE).\n\nIf attackers get access to this file, for instance via a compromised client, they can use it for accessing the clusters.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "SSH server running inside container", + "description": "SSH server that is running inside a container may be used by attackers. If attackers gain valid credentials to a container, whether by brute force attempts or by other methods (such as phishing), they can use it to get remote access to the container by SSH.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "initial-access" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Kubeconfig%20file", - "external_id": "MS-TA9003" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container", + "external_id": "MS-TA9010" } ], "x_mitre_domains": [ 
@@ -1903,32 +1878,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", + "id": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-02T18:11:12.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Container service account", - "description": "Service account (SA) represents an application identity in Kubernetes. By default, a Service Account access token is mounted to every created pod in the cluster and containers in the pod can send requests to the Kubernetes API server using the Service Account credentials. Attackers who get access to a pod can access the Service Account token (located in /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster, according to the Service Account permissions. If RBAC is not enabled, the Service Account has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings \\ ClusterRoleBindings that are associated with it.\n\nAn attacker which get access to the Service Account token can also authenticate and access the Kubernetes API server from outside the cluster and maintain access to the cluster.", + "created": "2022-10-02T14:34:35.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "name": "Privileged container", + "description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. 
Attackers who gain access to a privileged container, or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "tmfk", - "phase_name": "lateral-movement" - }, - { - "kill_chain_name": "tmfk", - "phase_name": "persistence" + "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Container%20service%20account", - "external_id": "MS-TA9016" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container", + "external_id": "MS-TA9018" } ], "x_mitre_domains": [ @@ -1936,7 +1903,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1528" + "T1610" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1947,24 +1914,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "id": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Exec into container", - "description": "Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (\u201ckubectl exec\u201d). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using \u201ckubectl exec\u201d.", + "modified": "2022-10-27T17:00:14.000Z", + "name": "Cluster-admin binding", + "description": "Role-based access control (RBAC) is a key security feature in Kubernetes. RBAC can restrict the allowed actions of the various identities in the cluster. Cluster-admin is a built-in high privileged role in Kubernetes. Attackers who have permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "execution" + "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container", - "external_id": "MS-TA9006" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster-admin%20binding", + "external_id": "MS-TA9019" } ], "x_mitre_domains": [ @@ -1972,7 +1939,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1609" + "T1078.003" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1983,24 +1950,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", + "id": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Network mapping", - "description": "Attackers may try to map the cluster network to get information on the running applications, including scanning for known vulnerabilities. By default, there is no restriction on pods communication in Kubernetes. Therefore, attackers who gain access to a single container, may use it to probe the network.", + "modified": "2022-12-05T07:54:00.000Z", + "name": "New container", + "description": "Attackers may attempt to run their code in the cluster by deploying a container. Attackers who have permissions to deploy a pod or a controller in the cluster (such as DaemonSet \\ ReplicaSet\\ Deployment) can create a new resource for running their code.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "discovery" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Network%20mapping", - "external_id": "MS-TA9031" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/New%20container", + "external_id": "MS-TA9008" } ], "x_mitre_domains": [ @@ -2008,7 +1975,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1046" + "T1610" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2019,24 +1986,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", + "id": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-25T08:08:39.000Z", - "name": "Instance Metadata API", - "description": "Cloud providers provide instance metadata service for retrieving information about the virtual machine, such as network configuration, disks, and SSH public keys. This service is accessible to the VMs via a non-routable IP address that can be accessed from within the VM only. Attackers who gain access to a container, may query the metadata API service for getting information about the underlying node. For example, in Azure, the following request would retrieve all the metadata information of an instance: http:///metadata/instance?api-version=2019-06-01", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Cluster internal networking", + "description": "Kubernetes networking behavior allows traffic between pods in the cluster as a default behavior. Attackers who gain access to a single container may use it for network reachability to another container in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "discovery" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Instance%20Metadata%20API", - "external_id": "MS-TA9033" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster%20internal%20networking", + "external_id": "MS-TA9034" } ], "x_mitre_domains": [ 
@@ -2044,7 +2011,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552.005" + "T1210" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2055,33 +2022,30 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", + "id": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-02T14:34:35.000Z", + "created": "2022-10-03T08:10:16.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Resource hijacking", - "description": "Attackers may abuse a compromised resource for running tasks. A common abuse is to use compromised resources for running digital currency mining. Attackers who have access to a container in the cluster or have permissions to create new containers may use them for such activity.", + "name": "Static pods", + "description": "Static Pods are created and managed by the the kubelet daemon on each node, without the API server observing them. Kubelet watches each static pod and restart it if it fails.\n\nKubelet automatically tries to create a mirror pod on the Kubernetes API server to represent the static pods, so it will be visible on the API server, however the pods cannot be controlled from there.\n\nStatic Pods are created based on a web or local filesystem YAML files which kubelet observes for changes.\nAn attacker can use the static pods manifest file to ensure that a pod is always running on a cluster node and prevent it from being changed or deleted from the Kubernetes API server.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "impact" + "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Resource%20hijacking", - "external_id": "MS-TA9039" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Static%20pods", + "external_id": "MS-TA9017" } ], "x_mitre_domains": [ "tmfk" ], "x_mitre_modified_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "x_mitre_ids": [ - "T1496" - ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" 
@@ -2091,24 +2055,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", + "id": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Compromised image In registry", - "description": "Running a compromised image in a cluster can compromise the cluster. Attackers who get access to a private registry can plant their own compromised images in the registry. The latter can then be pulled by a user. In addition, users often use untrusted images from public registries (such as Docker Hub) that may be malicious.", + "modified": "2022-10-25T08:08:39.000Z", + "name": "Instance Metadata API", + "description": "Cloud providers provide instance metadata service for retrieving information about the virtual machine, such as network configuration, disks, and SSH public keys. This service is accessible to the VMs via a non-routable IP address that can be accessed from within the VM only. Attackers who gain access to a container, may query the metadata API service for getting information about the underlying node. For example, in Azure, the following request would retrieve all the metadata information of an instance: http:///metadata/instance?api-version=2019-06-01", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "initial-access" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Compromised%20image%20In%20registry", - "external_id": "MS-TA9002" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Instance%20Metadata%20API", + "external_id": "MS-TA9033" } ], "x_mitre_domains": [ 
@@ -2116,8 +2080,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1195.002", - "T1525" + "T1552.005" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ @@ -2128,12 +2091,12 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "id": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Using cloud credentials", - "description": "In cases where the Kubernetes cluster is deployed in a public cloud (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to cluster takeover. Attackers who have access to the cloud account credentials can get access to the cluster\u2019s management layer.", + "modified": "2022-10-27T17:00:14.000Z", + "name": "Kubeconfig file", + "description": "The kubeconfig file, also used by kubectl, contains details about Kubernetes clusters including their location and credentials. If the cluster is hosted as a cloud service (such as AKS or GKE), this file is downloaded to the client via cloud commands (e.g., az aks get-credentialfor AKS or gcloud container clusters get-credentialsfor GKE).\n\nIf attackers get access to this file, for instance via a compromised client, they can use it for accessing the clusters.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", 
@@ -2144,17 +2107,14 @@ "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Using%20cloud%20credentials", - "external_id": "MS-TA9001" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Kubeconfig%20file", + "external_id": "MS-TA9003" } ], "x_mitre_domains": [ "tmfk" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "x_mitre_ids": [ - "T1078.004" - ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" 
@@ -2164,30 +2124,33 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", + "id": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-03T08:10:16.000Z", + "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Static pods", - "description": "Static Pods are created and managed by the the kubelet daemon on each node, without the API server observing them. Kubelet watches each static pod and restart it if it fails.\n\nKubelet automatically tries to create a mirror pod on the Kubernetes API server to represent the static pods, so it will be visible on the API server, however the pods cannot be controlled from there.\n\nStatic Pods are created based on a web or local filesystem YAML files which kubelet observes for changes.\nAn attacker can use the static pods manifest file to ensure that a pod is always running on a cluster node and prevent it from being changed or deleted from the Kubernetes API server.", + "name": "Delete Kubernetes events", + "description": "A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster. Example events are a container creation, an image pull, or a pod scheduling on a node.\n\nKubernetes events can be very useful for identifying changes that occur in the cluster. 
Therefore, attackers may want to delete these events (e.g., by using: \u201ckubectl delete events\u2013all\u201d) in an attempt to avoid detection of their activity in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "persistence" + "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Static%20pods", - "external_id": "MS-TA9017" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20Kubernetes%20events", + "external_id": "MS-TA9022" } ], "x_mitre_domains": [ "tmfk" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "x_mitre_ids": [ + "T1070" + ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" 
@@ -2197,24 +2160,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", + "id": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-25T08:08:39.000Z", - "name": "CoreDNS poisoning", - "description": "CoreDNS is a modular Domain Name System (DNS) server written in Go, hosted by Cloud Native Computing Foundation (CNCF). CoreDNS is the main DNS service that is being used in Kubernetes. The configuration of CoreDNS can be modified by a file named corefile. In Kubernetes, this file is stored in a ConfigMap object, located at the kube-system namespace. If attackers have permissions to modify the ConfigMap, for example by using the container\u2019s service account, they can change the behavior of the cluster\u2019s DNS, poison it, and take the network identity of other services.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Network mapping", + "description": "Attackers may try to map the cluster network to get information on the running applications, including scanning for known vulnerabilities. By default, there is no restriction on pods communication in Kubernetes. Therefore, attackers who gain access to a single container, may use it to probe the network.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "lateral-movement" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/CoreDNS%20poisoning", - "external_id": "MS-TA9035" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Network%20mapping", + "external_id": "MS-TA9031" } ], "x_mitre_domains": [ 
@@ -2222,7 +2185,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1557" + "T1046" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2233,24 +2196,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", + "id": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Pod or container name similarity", - "description": "Pods that are created by controllers such as Deployment or DaemonSet have random suffix in their names. Attackers can use this fact and name their backdoor pods as they were created by the existing controllers. For example, an attacker could create a malicious pod named coredns-{random suffix} which would look related to the CoreDNS Deployment.\n\nAlso, attackers can deploy their containers in the kube-system namespace where the administrative containers reside.", + "modified": "2022-12-05T07:54:00.000Z", + "name": "Sidecar injection", + "description": "A Kubernetes Pod is a group of one or more containers with shared storage and network resources. Sidecar container is a term that is used to describe an additional container that resides alongside the main container. For example, service-mesh proxies are operating as sidecars in the applications\u2019 pods. Attackers can run their code and hide their activity by injecting a sidecar container to a legitimate pod in the cluster instead of running their own separated pod in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "defense-evasion" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarity", - "external_id": "MS-TA9023" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20injection", + "external_id": "MS-TA9011" } ], "x_mitre_domains": [ 
@@ -2258,7 +2221,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1036.005" + "T1610" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2269,24 +2232,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "id": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Connect from proxy server", - "description": "Attackers may use proxy servers to hide their origin IP. Specifically, attackers often use anonymous networks such as TOR for their activity. This can be used for communicating with the applications themselves or with the API server.", + "modified": "2022-12-05T07:54:00.000Z", + "name": "ARP poisoning and IP spoofing", + "description": "Kubernetes has numerous network plugins (Container Network Interfaces or CNIs) that can be used in the cluster. Kubenet is the basic, and in many cases the default, network plugin. In this configuration, a bridge is created on each node (cbr0) to which the various pods are connected using veth pairs. The fact that cross-pod traffic is through a bridge, a level-2 component, means that performing ARP poisoning in the cluster is possible. Therefore, if attackers get access to a pod in the cluster, they can perform ARP poisoning, and spoof the traffic of other pods. 
By using this technique, attackers can perform several attacks at the network-level which can lead to lateral movements, such as DNS spoofing or stealing cloud identities of other pods (CVE-2021-1677).", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "defense-evasion" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Connect%20from%20proxy%20server", - "external_id": "MS-TA9024" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/ARP%20poisoning%20and%20IP%20spoofing", + "external_id": "MS-TA9036" } ], "x_mitre_domains": [ @@ -2294,7 +2257,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1090" + "T1557" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2305,28 +2268,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", + "id": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Malicious admission controller", - "description": "Admission controller is a Kubernetes component that intercepts, and possibly modifies, requests to the Kubernetes API server. There are two types of admissions controllers: validating and mutating controllers. As the name implies, a mutating admission controller can modify the intercepted request and change its properties. Kubernetes has a built-in generic admission controller named MutatingAdmissionWebhook. The behavior of this admission controller is determined by an admission webhook that the user deploys in the cluster. Attackers can use such webhooks for gaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.", + "name": "Application vulnerability", + "description": "Running a public-facing vulnerable application in a cluster can enable initial access to the cluster. A container that runs an application that is vulnerable to remote code execution vulnerability (RCE) may be exploited. 
If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "persistence" - }, - { - "kill_chain_name": "tmfk", - "phase_name": "credential-access" + "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Malicious%20admission%20controller", - "external_id": "MS-TA9015" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20vulnerability", + "external_id": "MS-TA9004" } ], "x_mitre_domains": [ @@ -2334,7 +2293,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1546" + "T1190" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2345,24 +2304,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "id": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Application vulnerability", - "description": "Running a public-facing vulnerable application in a cluster can enable initial access to the cluster. A container that runs an application that is vulnerable to remote code execution vulnerability (RCE) may be exploited. If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.", + "name": "Application exploit (RCE)", + "description": "An application that is deployed in the cluster and is vulnerable to a remote code execution vulnerability, or a vulnerability that eventually allows code execution, enables attackers to run code in the cluster. If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "initial-access" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20vulnerability", - "external_id": "MS-TA9004" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20exploit%20(RCE)", + "external_id": "MS-TA9009" } ], "x_mitre_domains": [ 
@@ -2381,24 +2340,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", + "id": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Cluster internal networking", - "description": "Kubernetes networking behavior allows traffic between pods in the cluster as a default behavior. Attackers who gain access to a single container may use it for network reachability to another container in the cluster.", + "name": "Exec into container", + "description": "Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (\u201ckubectl exec\u201d). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using \u201ckubectl exec\u201d.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "lateral-movement" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster%20internal%20networking", - "external_id": "MS-TA9034" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container", + "external_id": "MS-TA9006" } ], "x_mitre_domains": [ @@ -2406,7 +2365,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1210" + "T1609" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2417,24 +2376,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", + "id": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "Backdoor container", - "description": "Attackers run their malicious code in a container in the cluster. By using the Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers run in one, or all, the nodes in the cluster.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Bash or cmd inside container", + "description": "Attackers who have permissions to run a cmd/bash script inside a container can use it to execute malicious code and compromise cluster resources.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "persistence" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Backdoor%20container", - "external_id": "MS-TA9012" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Bash%20or%20cmd%20inside%20container", + "external_id": "MS-TA9007" } ], "x_mitre_domains": [ @@ -2442,7 +2401,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1543" + "T1059" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2453,24 +2412,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", + "id": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Images from a private registry", - "description": "The images that are running in the cluster can be stored in a private registry. For pulling those images, the container runtime engine (such as Docker or containerd) needs to have valid credentials to those registries. If the registry is hosted by the cloud provider, in services like Azure Container Registry (ACR) or Amazon Elastic Container Registry (ECR), cloud credentials are used to authenticate to the registry. If attackers get access to the cluster, in some cases they can obtain access to the private registry and pull its images. For example, attackers can use the managed identity token as described in the \u201cAccess managed identity credential\u201d technique. Similarly, in EKS, attackers can use the AmazonEC2ContainerRegistryReadOnly policy that is bound by default to the node\u2019s IAM role.", + "name": "Denial of service", + "description": "Attackers may attempt to perform a denial of service attack, which makes the service unavailable to the legitimate users. 
In container clusters, this include attempts to block the availability of the containers themselves, the underlying nodes, or the API server.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "collection" + "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Images%20from%20a%20private%20registry", - "external_id": "MS-TA9037" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Denial%20of%20service", + "external_id": "MS-TA9040" } ], "x_mitre_domains": [ @@ -2478,7 +2437,8 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1530" + "T1498", + "T1499" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2487,100 +2447,72 @@ "x_mitre_version": "1.0" }, { - "type": "course-of-action", + "type": "attack-pattern", "spec_version": "2.1", - "id": "course-of-action--ac59938a-311a-4b1d-ab0d-ca2d475e284c", - "created": "2024-05-08T15:22:56.105508Z", - "modified": "2024-05-08T15:22:56.105508Z", - "name": "Restrict the usage of unauthenticated APIs in the cluster", - "description": "Some unmanaged clusters are misconfigured such as anonymous access is accepted by the Kubernetes API server. Make sure that the Kubernetes API is configured properly, and authentication and authorization mechanisms are set.", - "external_references": [ + "id": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "created": "2022-10-02T14:34:35.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Application credentials in configuration files", + "description": "Developers store secrets in the Kubernetes configuration files, such as environment variables in the pod configuration. Such behavior is commonly seen in clusters that are monitored by Microsoft Defender for Cloud. 
Attackers who have access to those configurations, by querying the API server or by accessing those files on the developer\u2019s endpoint, can steal the stored secrets and use them.\n\nUsing those credentials attackers may gain access to additional resources inside and outside the cluster.", + "kill_chain_phases": [ { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9021%20Restrict%20the%20usage%20of%20unauthenticated%20APIs%20in%20the%20cluster/", - "external_id": "MS-M9021" + "kill_chain_name": "tmfk", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "tmfk", + "phase_name": "lateral-movement" } - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--684df523-a6e2-4963-b89c-12e3c6a59b77", - "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.105747Z", - "modified": "2024-05-08T15:22:56.105747Z", - "description": "Some unmanaged clusters are misconfigured such as anonymous access is accepted by the Kubernetes API server", - "relationship_type": "mitigates", - "source_ref": "course-of-action--ac59938a-311a-4b1d-ab0d-ca2d475e284c", - "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_domains": [ - "tmfk" ], - "x_mitre_version": "0.1", - "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" - }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--e1617893-3f7b-4be8-ad56-893bfa3759cd", - "created": "2024-05-08T15:22:56.107717Z", - "modified": "2024-05-08T15:22:56.107717Z", - "name": "Use CNIs that are not prone to ARP poisoning", - "description": "Kubernetes default CNI (Kubenet) is prone to ARP poisoning. 
This allows pods to impersonate other pods in the cluster.\nUse alternative CNIs that are not prone to ARP poisoning in the cluster.", + "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9028%20Use%20CNIs%20that%20are%20not%20prone%20to%20ARP%20poisoning/", - "external_id": "MS-M9028" + "source_name": "tmfk", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20credentials%20in%20configuration%20files", + "external_id": "MS-TA9027" } - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--a505b3a7-d08a-4407-85a4-3cb849dd80c4", - "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.107829Z", - "modified": "2024-05-08T15:22:56.107829Z", - "description": "Kubernetes default CNI (Kubenet) is prone to ARP poisoning", - "relationship_type": "mitigates", - "source_ref": "course-of-action--e1617893-3f7b-4be8-ad56-893bfa3759cd", - "target_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", - "x_mitre_attack_spec_version": "2.1.0", + ], "x_mitre_domains": [ "tmfk" ], - "x_mitre_version": "0.1", - "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" + "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "x_mitre_ids": [ + "T1552" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Kubernetes" + ], + "x_mitre_version": "1.0" }, { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--4b77406c-6862-489f-b6a4-5d9da04bf053", - "created": "2024-05-08T15:22:56.110187Z", - "modified": "2024-05-08T15:22:56.110187Z", - "name": "Allocate specific identities to pods", - "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity. 
This prevents other pods from accessing cloud identities that are not necessary for their operation. The features that implement this separation are: Azure AD Pod Identity (AKS), Azure AD Workload identity (AKS), IRSA (EKS) and GCP Workload Identity (GCP).", + "id": "course-of-action--55d8b50b-d044-4a03-b1ef-6553f3aed34d", + "created": "2024-05-15T03:39:49.593404Z", + "modified": "2024-05-15T03:39:49.593404Z", + "name": "Ensure that pods meet defined Pod Security Standards", + "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum. These policies are cumulative and range from highly-permissive to highly-restrictive. Decoupling policy definition from policy instantiation allows for a common understanding and consistent language of policies across clusters, independent of the underlying enforcement mechanism. At the same time, Kubernetes offers a built-in Pod Security admission controller to enforce the Pod Security Standards. Pod security restrictions are applied at the namespace level when pods are created.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9019%20Allocate%20specific%20identities%20to%20pods/", - "external_id": "MS-M9019" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9017%20Ensure%20that%20pods%20meet%20defined%20Pod%20Security%20Standards/", + "external_id": "MS-M9017" } ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--dddf5766-1f08-477d-bbde-0edb594df29f", + "id": "relationship--1cee926a-5ce2-4ac5-941a-de6484007cc7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.110305Z", - "modified": "2024-05-08T15:22:56.110305Z", - "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity", + "created": 
"2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum", "relationship_type": "mitigates", - "source_ref": "course-of-action--4b77406c-6862-489f-b6a4-5d9da04bf053", - "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", + "source_ref": "course-of-action--55d8b50b-d044-4a03-b1ef-6553f3aed34d", + "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -2591,14 +2523,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--bd30de10-b0a9-4286-a31d-7c1cbd369f96", + "id": "relationship--2d6ddaf0-a928-43a2-a610-9bf62c1ed0a4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.110386Z", - "modified": "2024-05-08T15:22:56.110386Z", - "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum", "relationship_type": "mitigates", - "source_ref": "course-of-action--4b77406c-6862-489f-b6a4-5d9da04bf053", - "target_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", + "source_ref": "course-of-action--55d8b50b-d044-4a03-b1ef-6553f3aed34d", + "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -2609,30 +2541,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--0e1a91ca-6129-4b7e-9b05-1d3004500999", - "created": "2024-05-08T15:22:56.112317Z", - "modified": "2024-05-08T15:22:56.112317Z", - "name": "Avoid using plain text credentials", - "description": "Avoid using plain text credentials in configuration files. Use Kubernetes secrets or cloud secret store instead. This prevents unwanted access to plaintext credentials in source code, configuration files and Kubernetes objects.", + "id": "course-of-action--520d4254-ebd3-49e1-984f-dcf2ace87a9e", + "created": "2024-05-15T03:39:49.632956Z", + "modified": "2024-05-15T03:39:49.632956Z", + "name": "Implement data backup strategy", + "description": "Take and store data backups from pod mounted volumes for critical workloads. Ensure backup and storage systems are hardened and kept separate from the Kubernetes environment to prevent compromise.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9026%20Avoid%20using%20plain%20text%20credentials/", - "external_id": "MS-M9026" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9031%20Implement%20data%20backup%20strategy/", + "external_id": "MS-M9031" } + ], + "x_mitre_ids": [ + "M1053" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c38f19cf-a229-47ab-87b1-3b3473b023db", + "id": "relationship--f8705584-7dfe-4e53-87ce-8e4e0c99cbc0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.112428Z", - "modified": "2024-05-08T15:22:56.112428Z", - "description": "Avoid using plain text credentials in configuration files", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Take and store data backups from pod mounted volumes for critical workloads", "relationship_type": "mitigates", - 
"source_ref": "course-of-action--0e1a91ca-6129-4b7e-9b05-1d3004500999", - "target_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "source_ref": "course-of-action--520d4254-ebd3-49e1-984f-dcf2ace87a9e", + "target_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -2643,30 +2578,48 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--c1159ee6-af84-4a56-a3fd-57359b498f9e", - "created": "2024-05-08T15:22:56.114624Z", - "modified": "2024-05-08T15:22:56.114624Z", - "name": "Enable Just In Time access to API server", - "description": "Employing Just In Time (JIT) elevated access to Kubernetes API server helps reduce the attack surface to the API server by compromised accounts by allowing access only at specific times, and through a governed escalation process. Enabling JIT access in Kubernetes is often done together with OpenID authentication which includes processes and tools to manage JIT access. One example of such OpenID authentication is Azure Active Directory authentication to Kubernetes clusters. The JIT approval is performed in the cloud control-plane level. Therefore, even if attackers have access to an account credentials, their access to the cluster is limited.", + "id": "course-of-action--778d7e0c-c593-49b9-bcd7-d16b78004eb5", + "created": "2024-05-15T03:39:49.656588Z", + "modified": "2024-05-15T03:39:49.656588Z", + "name": "Restrict exec commands on pods", + "description": "", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9006%20Enable%20Just%20In%20Time%20access%20to%20API%20server/", - "external_id": "MS-M9006" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9010%20Restrict%20exec%20commands%20on%20pods/", + "external_id": "MS-M9010" } ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--f339094b-0181-402c-b8b1-dc0abecc1376", + "id": "relationship--f3767923-01f7-4810-9ba1-9cc0032da723", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.114727Z", - "modified": "2024-05-08T15:22:56.114727Z", - "description": "Employing Just In Time (JIT) elevated access to Kubernetes API server 
helps reduce the attack surface to the API server by compromised accounts by allowing access only at specific times, and through a governed escalation process", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--c1159ee6-af84-4a56-a3fd-57359b498f9e", - "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "source_ref": "course-of-action--778d7e0c-c593-49b9-bcd7-d16b78004eb5", + "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "tmfk" + ], + "x_mitre_version": "0.1", + "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--997ff777-3194-44ff-98c2-52918448ea32", + "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", + "relationship_type": "mitigates", + "source_ref": "course-of-action--778d7e0c-c593-49b9-bcd7-d16b78004eb5", + "target_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -2677,9 +2630,9 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--79053c9f-34ea-444f-8e97-827c60881e51", - "created": "2024-05-08T15:22:56.116769Z", - "modified": "2024-05-08T15:22:56.116769Z", + "id": "course-of-action--d19bd228-4302-4497-b3d5-65fe23c217e1", + "created": "2024-05-15T03:39:49.692338Z", + "modified": "2024-05-15T03:39:49.692338Z", "name": "Restrict access to etcd", "description": "Access to etcd should be limited to the Kubernetes control plane only. Depending on your configuration, you should attempt to use etcd over TLS. This mitigation is relevant only to non-managed Kubernetes environment, as access to etcd in cloud managed clusters is already restricted.", "external_references": [ @@ -2696,13 +2649,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--d4dd453f-66ce-42f0-816e-bdad2c1dd18e", + "id": "relationship--52acb074-9e6c-462b-9f68-b2daead4febd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.116875Z", - "modified": "2024-05-08T15:22:56.116875Z", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", "description": "Access to etcd should be limited to the Kubernetes control plane only", "relationship_type": "mitigates", - "source_ref": "course-of-action--79053c9f-34ea-444f-8e97-827c60881e51", + "source_ref": "course-of-action--d19bd228-4302-4497-b3d5-65fe23c217e1", "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2714,48 +2667,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--770f2953-0263-4408-a0b2-6cda1c0d3205", - "created": "2024-05-08T15:22:56.119383Z", - "modified": "2024-05-08T15:22:56.119383Z", - "name": "Ensure that pods meet defined Pod Security Standards", - "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum. These policies are cumulative and range from highly-permissive to highly-restrictive. Decoupling policy definition from policy instantiation allows for a common understanding and consistent language of policies across clusters, independent of the underlying enforcement mechanism. At the same time, Kubernetes offers a built-in Pod Security admission controller to enforce the Pod Security Standards. Pod security restrictions are applied at the namespace level when pods are created.", + "id": "course-of-action--c3ebbc7f-5b27-4a32-9612-81af964e1fa6", + "created": "2024-05-15T03:39:49.713824Z", + "modified": "2024-05-15T03:39:49.713824Z", + "name": "Use CNIs that are not prone to ARP poisoning", + "description": "Kubernetes default CNI (Kubenet) is prone to ARP poisoning. 
This allows pods to impersonate other pods in the cluster.\nUse alternative CNIs that are not prone to ARP poisoning in the cluster.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9017%20Ensure%20that%20pods%20meet%20defined%20Pod%20Security%20Standards/", - "external_id": "MS-M9017" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9028%20Use%20CNIs%20that%20are%20not%20prone%20to%20ARP%20poisoning/", + "external_id": "MS-M9028" } ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--0c551a23-0a7b-41de-bffd-a19e4ecee79e", - "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.119488Z", - "modified": "2024-05-08T15:22:56.119488Z", - "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum", - "relationship_type": "mitigates", - "source_ref": "course-of-action--770f2953-0263-4408-a0b2-6cda1c0d3205", - "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_domains": [ - "tmfk" - ], - "x_mitre_version": "0.1", - "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--0b914519-e08f-4e56-9a68-a9cebb1c1d4a", + "id": "relationship--05af345e-2386-45e6-9b5f-b42a7e3f963b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.119567Z", - "modified": "2024-05-08T15:22:56.119567Z", - "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-25T08:08:39.000Z", + "description": "Kubernetes default CNI (Kubenet) is prone to ARP poisoning", "relationship_type": "mitigates", - "source_ref": 
"course-of-action--770f2953-0263-4408-a0b2-6cda1c0d3205", - "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", + "source_ref": "course-of-action--c3ebbc7f-5b27-4a32-9612-81af964e1fa6", + "target_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -2766,32 +2701,29 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--9e37ad64-5cc7-410b-a550-b9c1590c6283", - "created": "2024-05-08T15:22:56.122732Z", - "modified": "2024-05-08T15:22:56.122732Z", - "name": "Restricting cloud metadata API access", - "description": "", + "id": "course-of-action--87f133cb-179a-4f4c-ace0-304ce900b0c6", + "created": "2024-05-15T03:39:49.738357Z", + "modified": "2024-05-15T03:39:49.738357Z", + "name": "Allocate specific identities to pods", + "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity. This prevents other pods from accessing cloud identities that are not necessary for their operation. The features that implement this separation are: Azure AD Pod Identity (AKS), Azure AD Workload identity (AKS), IRSA (EKS) and GCP Workload Identity (GCP).", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9018%20Restricting%20cloud%20metadata%20API%20access/", - "external_id": "MS-M9018" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9019%20Allocate%20specific%20identities%20to%20pods/", + "external_id": "MS-M9019" } - ], - "x_mitre_ids": [ - "M1035" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--7bbe05c2-60af-4088-ace6-94f4f071df19", + "id": "relationship--21b8bc42-4f8b-48d4-bd6a-6d167c6bc3cb", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.122846Z", - "modified": "2024-05-08T15:22:56.122846Z", - "description": "", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity", "relationship_type": "mitigates", - "source_ref": 
"course-of-action--9e37ad64-5cc7-410b-a550-b9c1590c6283", + "source_ref": "course-of-action--87f133cb-179a-4f4c-ace0-304ce900b0c6", "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -2803,13 +2735,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--2d8245fd-ef52-41a9-a4ae-5aaa3921aefe", + "id": "relationship--e87cab35-468b-46bc-a7ed-7378ec79c528", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.122926Z", - "modified": "2024-05-08T15:22:56.122926Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity", "relationship_type": "mitigates", - "source_ref": "course-of-action--9e37ad64-5cc7-410b-a550-b9c1590c6283", + "source_ref": "course-of-action--87f133cb-179a-4f4c-ace0-304ce900b0c6", "target_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2818,17 +2750,33 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--68fb6dea-250a-4980-b700-68e3d476fc53", + "created": "2024-05-15T03:39:49.775718Z", + "modified": "2024-05-15T03:39:49.775718Z", + "name": "Use NodeRestriction admission controller", + "description": "NodeRestriction admission controller limits the permissions of kubelet and allows it to modify only its own Node object and only the pods that are running on its own node. This may limit attackers who have access to the Kubelet API from gaining full control over the cluster.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9027%20Use%20NodeRestriction%20admission%20controller/", + "external_id": "MS-M9027" + } + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--45d6494c-98b2-4720-9f60-0fd0f7c98726", + "id": "relationship--127a742e-4abb-4be2-8647-d6db0955fed0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.123003Z", - "modified": "2024-05-08T15:22:56.123003Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "NodeRestriction admission controller limits the permissions of kubelet and allows it to modify only its own Node object and only the pods that are running on its own node", "relationship_type": "mitigates", - "source_ref": "course-of-action--9e37ad64-5cc7-410b-a550-b9c1590c6283", - "target_ref": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", + "source_ref": "course-of-action--68fb6dea-250a-4980-b700-68e3d476fc53", + "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -2836,17 +2784,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--f1c844f3-f0df-45c8-8977-1e83897a490f", + "created": "2024-05-15T03:39:49.794023Z", + "modified": "2024-05-15T03:39:49.794023Z", + "name": "Network intrusion prevention", + "description": "Use intrusion detection signatures and web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster.\n\nAdapting the network intrusion prevention solution to Kubernetes environment might be needed to route network traffic destined to services through it.\nIn some cases, this will be done by deploying a containerized version of a network intrusion prevention solution to the Kubernetes cluster and be part of the cluster network, and in some cases, routing ingress traffic to Kubernetes services through an external appliance, requiring that all ingress traffic will only come from such an appliance.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9007%20Network%20intrusion%20prevention/", + "external_id": "MS-M9007" + } + ], + "x_mitre_ids": [ + "M1031" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--90f62dcd-d7e7-44e3-b445-5a642f5de126", + "id": "relationship--1d3d2200-a69d-492a-8e8e-da998e38b52b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.123072Z", - "modified": "2024-05-08T15:22:56.123072Z", - "description": "", + "created": "2022-10-20T10:28:30.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use intrusion detection signatures and web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster", "relationship_type": "mitigates", - "source_ref": 
"course-of-action--9e37ad64-5cc7-410b-a550-b9c1590c6283", - "target_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", + "source_ref": "course-of-action--f1c844f3-f0df-45c8-8977-1e83897a490f", + "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -2857,33 +2824,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "created": "2024-05-08T15:22:56.15468Z", - "modified": "2024-05-08T15:22:56.15468Z", - "name": "Adhere to least-privilege principle", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions. This applies also to other, external, authorization providers such as Azure RBAC in AKS.\n\nIn managed cluster, Kubernetes credentials are often retrieved or generated by the cloud provider via API call. To reduce the attack surface, grant permissions to the cloud provider API only to necessary accounts. In the case of Azure, make sure that only required identities have permissions to call:/subscriptions/resourceGroups/providers/Microsoft.ContainerService/managedClusters/listClusterUserCredential\n\nKubeconfig file can contain credentials of accounts that allow interaction with a cluster. 
By applying least privileges principle to all accounts, can limit the impact of an account compromised through Kubeconfig file.\n\nKubernetes project also lists the following recommendations for permissions and role assignment best practices:", + "id": "course-of-action--c78016d9-1088-4355-9c07-15afa17c30ba", + "created": "2024-05-15T03:39:49.806472Z", + "modified": "2024-05-15T03:39:49.806472Z", + "name": "Disable service account auto mount", + "description": "", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9003%20Adhere%20to%20least-privilege%20principle/", - "external_id": "MS-M9003" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9025%20Disable%20service%20account%20auto%20mount/", + "external_id": "MS-M9025" } - ], - "x_mitre_ids": [ - "M1018" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--b44efe83-3469-4a9c-b8c6-53b874056843", + "id": "relationship--7f80fc51-faa5-449a-8795-77b1d7d38249", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.15482Z", - "modified": "2024-05-08T15:22:56.15482Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "source_ref": "course-of-action--c78016d9-1088-4355-9c07-15afa17c30ba", + "target_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -2891,16 +2855,32 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--bd8a1f81-5681-4b09-86a3-60e4a1339332", + "created": "2024-05-15T03:39:49.822823Z", + "modified": "2024-05-15T03:39:49.822823Z", + "name": "Enable Just In Time access to API server", + "description": "Employing Just In Time (JIT) elevated access to Kubernetes API server helps reduce the attack surface to the API server by compromised accounts by allowing access only at specific times, and through a governed escalation process. Enabling JIT access in Kubernetes is often done together with OpenID authentication which includes processes and tools to manage JIT access. One example of such OpenID authentication is Azure Active Directory authentication to Kubernetes clusters. The JIT approval is performed in the cloud control-plane level. Therefore, even if attackers have access to an account credentials, their access to the cluster is limited.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9006%20Enable%20Just%20In%20Time%20access%20to%20API%20server/", + "external_id": "MS-M9006" + } + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--23143241-f6d3-42a0-9469-53edf84f0e0f", + "id": "relationship--53dd1c67-71fc-4966-80b4-e77583e2ef8e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.154905Z", - "modified": "2024-05-08T15:22:56.154905Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-27T17:00:14.000Z", + "description": "Employing Just In Time (JIT) elevated access to Kubernetes API server helps reduce the attack 
surface to the API server by compromised accounts by allowing access only at specific times, and through a governed escalation process", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", + "source_ref": "course-of-action--bd8a1f81-5681-4b09-86a3-60e4a1339332", "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2909,16 +2889,35 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", + "created": "2024-05-15T03:39:49.856437Z", + "modified": "2024-05-15T03:39:49.856437Z", + "name": "Restrict over permissive containers", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster. This can include restricting privileged containers, containers with sensitive volumes, containers with excessive capabilities, and other signs of over permissive containers.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9013%20Restrict%20over%20permissive%20containers/", + "external_id": "MS-M9013" + } + ], + "x_mitre_ids": [ + "M1038" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--848b4d5c-90d1-4482-b251-adcc7cc17891", + "id": "relationship--9372f1ae-40cc-4952-bbcf-f22b89a372bd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.154975Z", - "modified": "2024-05-08T15:22:56.154975Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", + "source_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": 
[ @@ -2930,13 +2929,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--72c5ef65-0a46-48f0-90bd-7fa8eb3b1939", + "id": "relationship--15ac3b60-3bd6-4381-ad36-9160702e746b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.15504Z", - "modified": "2024-05-08T15:22:56.15504Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", + "source_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2948,13 +2947,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--5ba9c263-a863-4192-beed-f1e9ed42674f", + "id": "relationship--bf5f4a2f-14dc-409c-b93c-364111d0dbc6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155104Z", - "modified": "2024-05-08T15:22:56.155104Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", + "source_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", "target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2966,14 +2965,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--d1b623d5-b933-441d-8894-22bd5dd44117", + "id": "relationship--e2954083-f170-4032-9f0a-3a13f8d55b7c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155171Z", - "modified": "2024-05-08T15:22:56.155171Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", + "source_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", + "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -2984,14 +2983,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--efb0998c-99dd-44a1-944b-da25cbb9bea2", + "id": "relationship--d99027db-b6c3-4e63-bf38-8c2c32ee4bd6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155238Z", - "modified": "2024-05-08T15:22:56.155238Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", + "source_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", + "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3002,14 +3001,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--cf9f87de-2a3b-46fc-84ef-4e925923b5e4", + "id": "relationship--23b37f44-775f-4c0e-b631-b1f423a6a60f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155302Z", - "modified": "2024-05-08T15:22:56.155302Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", + "source_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", + "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3020,13 +3019,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--2d46b6e7-1230-4faf-a8ad-e12235ee7ea4", + "id": "relationship--7b499331-659d-4d8a-849f-a79df719852e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155365Z", - "modified": "2024-05-08T15:22:56.155365Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", + "source_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -3038,14 +3037,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--72a148ee-50f9-4e3b-a937-3c08256b1ed7", + "id": "relationship--4861b510-27a7-413a-91a6-80952fb4f1f2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155432Z", - "modified": "2024-05-08T15:22:56.155432Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", + "source_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", + "target_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3056,14 +3055,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--bd7dbd2b-a07e-4bf9-a4c8-beb6f5c2dd50", + "id": "relationship--a4bad130-89bb-4d8b-b2cb-a102501a7806", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155493Z", - "modified": "2024-05-08T15:22:56.155493Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "source_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", + "target_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3071,17 +3070,37 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--2a25aaa2-136a-4a58-b1de-d1fd0cac5173", + "created": "2024-05-15T03:39:49.989843Z", + "modified": "2024-05-15T03:39:49.989843Z", + "name": "Restrict container runtime using LSM", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others. Linux security modules can restrict access to files, running processes, certain system calls and others. Also, dropping unnecessary Linux capabilities from the container runtime environment helps reduce the attack surface of such container.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9011%20Restrict%20container%20runtime%20using%20LSM/", + "external_id": "MS-M9011" + } + ], + "x_mitre_ids": [ + "M1038", + "M1040" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--7478fe08-c216-44bf-bede-f13f941b7f29", + "id": "relationship--c2bf159f-3b91-4a6e-8604-1e818d992b4e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155554Z", - "modified": "2024-05-08T15:22:56.155554Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", + "source_ref": 
"course-of-action--2a25aaa2-136a-4a58-b1de-d1fd0cac5173", + "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -3092,14 +3111,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--78717954-c8b0-4282-81cc-2c85a049a449", + "id": "relationship--4d3608f4-edbb-406d-a903-7f4f1ecad5db", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155617Z", - "modified": "2024-05-08T15:22:56.155617Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", + "source_ref": "course-of-action--2a25aaa2-136a-4a58-b1de-d1fd0cac5173", + "target_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3110,14 +3129,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--844c1b1d-3cee-4c6b-a27f-1c1733704dfa", + "id": "relationship--17ebe0b8-ba9b-4a92-9093-dbda15d80621", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155679Z", - "modified": "2024-05-08T15:22:56.155679Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", + "source_ref": "course-of-action--2a25aaa2-136a-4a58-b1de-d1fd0cac5173", + "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3128,14 +3147,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--f00a996f-9c64-4ef1-8c93-0e9f5d93c836", + "id": "relationship--aa539a34-7282-4f93-a201-880603aa7e5c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.15574Z", - "modified": "2024-05-08T15:22:56.15574Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "source_ref": "course-of-action--2a25aaa2-136a-4a58-b1de-d1fd0cac5173", + "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3146,14 +3165,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--68813965-9188-431b-918d-fb91ca2f1f06", + "id": "relationship--bc844fa6-71ac-4b9d-a831-dc67509f5af1", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.1558Z", - "modified": "2024-05-08T15:22:56.1558Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", + "source_ref": "course-of-action--2a25aaa2-136a-4a58-b1de-d1fd0cac5173", + "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3164,14 +3183,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--32f00bea-6a7d-4c35-9fce-42afca7ede41", + "id": "relationship--ae4cd2da-2261-4ec5-be1f-74e48e3d12c3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155861Z", - "modified": "2024-05-08T15:22:56.155861Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", + "source_ref": "course-of-action--2a25aaa2-136a-4a58-b1de-d1fd0cac5173", + "target_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3182,14 +3201,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--5f338d5a-3d04-46a2-8baa-a29a3d60567b", + "id": "relationship--e57186e7-9fee-4ab1-b016-d1451f52fea0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155922Z", - "modified": "2024-05-08T15:22:56.155922Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", + "source_ref": "course-of-action--2a25aaa2-136a-4a58-b1de-d1fd0cac5173", + "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3197,17 +3216,33 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--e2750236-3a09-4c64-97f4-8105d08d773c", + "created": "2024-05-15T03:39:50.110727Z", + "modified": "2024-05-15T03:39:50.110727Z", + "name": "Restrict the usage of unauthenticated APIs in the cluster", + "description": "Some unmanaged clusters are misconfigured such as anonymous access is accepted by the Kubernetes API server. Make sure that the Kubernetes API is configured properly, and authentication and authorization mechanisms are set.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9021%20Restrict%20the%20usage%20of%20unauthenticated%20APIs%20in%20the%20cluster/", + "external_id": "MS-M9021" + } + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--3695fbaa-c940-4482-8d6f-1857521374f4", + "id": "relationship--f379373c-8822-4c48-8911-210df5418bb5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155983Z", - "modified": "2024-05-08T15:22:56.155983Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Some unmanaged clusters are misconfigured such as anonymous access is accepted by the Kubernetes API server", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "source_ref": "course-of-action--e2750236-3a09-4c64-97f4-8105d08d773c", + "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "x_mitre_attack_spec_version": "2.1.0", 
"x_mitre_domains": [ "tmfk" 
@@ -3218,33 +3253,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--55a99025-850c-4827-8b07-914552199b36", - "created": "2024-05-08T15:22:56.159781Z", - "modified": "2024-05-08T15:22:56.159781Z", - "name": "Network segmentation", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster. This includes inner-cluster communication as well as ingress\\egress traffic to\\from the cluster. Network Policies are a native K8s solution for networking restrictions in the cluster.", + "id": "course-of-action--51d41dfb-5f49-477a-8377-b0e534432991", + "created": "2024-05-15T03:39:50.135881Z", + "modified": "2024-05-15T03:39:50.135881Z", + "name": "Avoid running management interface on containers", + "description": "Avoid running SSH daemon, as well as other management interfaces, if they aren\u2019t necessary for the application\u2019s functionality.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9014%20Network%20segmentation/", - "external_id": "MS-M9014" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9015%20Avoid%20running%20management%20interface%20on%20containers/", + "external_id": "MS-M9015" } ], "x_mitre_ids": [ - "M1030" + "M1042" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--591612f8-a5a7-4161-861b-64693ee49557", + "id": "relationship--260fd263-0f63-486c-85f2-73d603efc5b8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.159973Z", - "modified": "2024-05-08T15:22:56.159973Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Avoid running SSH daemon, as well as other management interfaces, if they aren\u2019t necessary for the application\u2019s 
functionality", "relationship_type": "mitigates", - "source_ref": "course-of-action--55a99025-850c-4827-8b07-914552199b36", - "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "source_ref": "course-of-action--51d41dfb-5f49-477a-8377-b0e534432991", + "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3252,17 +3287,33 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--a09ce953-17ee-47bb-b2d0-9338767d0d4d", + "created": "2024-05-15T03:39:50.165211Z", + "modified": "2024-05-15T03:39:50.165211Z", + "name": "Avoid using plain text credentials", + "description": "Avoid using plain text credentials in configuration files. Use Kubernetes secrets or cloud secret store instead. This prevents unwanted access to plaintext credentials in source code, configuration files and Kubernetes objects.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9026%20Avoid%20using%20plain%20text%20credentials/", + "external_id": "MS-M9026" + } + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--2adc1cb3-3614-410c-b549-1c81de3ea1b2", + "id": "relationship--f43769b5-3a95-4bee-a453-bb8665c264d7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.160056Z", - "modified": "2024-05-08T15:22:56.160056Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Avoid using plain text credentials in configuration files", "relationship_type": "mitigates", - "source_ref": "course-of-action--55a99025-850c-4827-8b07-914552199b36", - "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "source_ref": "course-of-action--a09ce953-17ee-47bb-b2d0-9338767d0d4d", + "target_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3270,17 +3321,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--925b3e24-eb25-4c68-b3fe-2165d14d96a6", + "created": "2024-05-15T03:39:50.191364Z", + "modified": "2024-05-15T03:39:50.191364Z", + "name": "Limit access to services over network", + "description": "Avoid exposing sensitive interfaces insecurely to the Internet or limit access to it. Sensitive interfaces includes management tools and applications that allow creation of new containers in the cluster. Some of those services does not use authentication by default and are not intended to be exposed. Examples of services that were exploited: Weave Scope, Apache NiFi and more.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9008%20Limit%20access%20to%20services%20over%20network/", + "external_id": "MS-M9008" + } + ], + "x_mitre_ids": [ + "M1035" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--30d2e91b-ae8e-4886-a605-d61f12904201", + "id": "relationship--b444a265-fde8-4492-8318-3899451a74d6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.160125Z", - "modified": "2024-05-08T15:22:56.160125Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-20T10:28:30.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Avoid exposing sensitive interfaces insecurely to the Internet or limit access to it", "relationship_type": "mitigates", - "source_ref": "course-of-action--55a99025-850c-4827-8b07-914552199b36", - "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "source_ref": "course-of-action--925b3e24-eb25-4c68-b3fe-2165d14d96a6", + "target_ref": 
"attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3288,17 +3358,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--e8251e81-f825-4987-b384-ff1aca09a7a5", + "created": "2024-05-15T03:39:50.211723Z", + "modified": "2024-05-15T03:39:50.211723Z", + "name": "Collect logs to remote data storage", + "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion. This can be achieved by various open-source tools such as Fluentd. Also, built-in cloud solutions are available for managed clusters, such as Container Insights and Log Analytics in AKS and Cloud Logging in GKE.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9020%20Collect%20logs%20to%20remote%20data%20storage/", + "external_id": "MS-M9020" + } + ], + "x_mitre_ids": [ + "M1029" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c3bb518a-5b52-4b31-b78f-f5fcc949736c", + "id": "relationship--218b9d58-20b0-4ce4-844e-0118e8d99774", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.160193Z", - "modified": "2024-05-08T15:22:56.160193Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion", "relationship_type": "mitigates", - "source_ref": "course-of-action--55a99025-850c-4827-8b07-914552199b36", - "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "source_ref": "course-of-action--e8251e81-f825-4987-b384-ff1aca09a7a5", + "target_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -3309,14 +3398,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--ee884f9c-ff11-41ae-88e0-3b01b047640c", + "id": "relationship--e4ef9577-a365-410d-8364-d0bb066f42bf", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.160265Z", - "modified": "2024-05-08T15:22:56.160265Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion", "relationship_type": "mitigates", - "source_ref": "course-of-action--55a99025-850c-4827-8b07-914552199b36", - "target_ref": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", + "source_ref": "course-of-action--e8251e81-f825-4987-b384-ff1aca09a7a5", + "target_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3324,17 +3413,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--aac84edd-fdfd-496f-86f6-a2928fed9718", + "created": "2024-05-15T03:39:50.25828Z", + "modified": "2024-05-15T03:39:50.25828Z", + "name": "Restricting cloud metadata API access", + "description": "", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9018%20Restricting%20cloud%20metadata%20API%20access/", + "external_id": "MS-M9018" + } + ], + "x_mitre_ids": [ + "M1035" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1dd70791-0859-4bd6-97de-c0db2e34beb2", + "id": "relationship--c5ee99c3-a3f5-48c3-b3cc-e016aaad30f3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.160332Z", - "modified": "2024-05-08T15:22:56.160332Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--55a99025-850c-4827-8b07-914552199b36", - "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", + "source_ref": "course-of-action--aac84edd-fdfd-496f-86f6-a2928fed9718", + "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3345,14 +3453,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--23432974-c2b0-4a4f-a61a-464032513031", + "id": "relationship--fb36acc7-8b7c-4be6-a6dd-58ef99e8a4d1", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.160398Z", - "modified": "2024-05-08T15:22:56.160398Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--55a99025-850c-4827-8b07-914552199b36", - "target_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", + "source_ref": "course-of-action--aac84edd-fdfd-496f-86f6-a2928fed9718", + "target_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3360,37 +3468,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--d8394e32-01b5-4447-a9cb-c98059a7a24b", - "created": "2024-05-08T15:22:56.164478Z", - "modified": "2024-05-08T15:22:56.164478Z", - "name": "Restrict container runtime using LSM", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others. Linux security modules can restrict access to files, running processes, certain system calls and others. Also, dropping unnecessary Linux capabilities from the container runtime environment helps reduce the attack surface of such container.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9011%20Restrict%20container%20runtime%20using%20LSM/", - "external_id": "MS-M9011" - } - ], - "x_mitre_ids": [ - "M1038", - "M1040" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9084a585-125b-48a8-b5c5-253fe50cd45f", + "id": "relationship--51aea02b-f08b-4911-a7b3-3c615012e191", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.164583Z", - "modified": "2024-05-08T15:22:56.164583Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--d8394e32-01b5-4447-a9cb-c98059a7a24b", - "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "source_ref": "course-of-action--aac84edd-fdfd-496f-86f6-a2928fed9718", + "target_ref": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -3401,14 +3489,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--eba9530a-3b27-4aac-9fb3-af44b91370ea", + "id": "relationship--88e2fc55-9489-4b4e-adb2-fd4c703be960", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.16466Z", - "modified": "2024-05-08T15:22:56.16466Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--d8394e32-01b5-4447-a9cb-c98059a7a24b", - "target_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", + "source_ref": "course-of-action--aac84edd-fdfd-496f-86f6-a2928fed9718", + "target_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3416,17 +3504,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--bcdd9ff5-fc8c-4fa8-91f1-69e8dbf064d9", + "created": "2024-05-15T03:39:50.34653Z", + "modified": "2024-05-15T03:39:50.34653Z", + "name": "Restrict access to the API server using IP firewall", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster.\nIn managed clusters, cloud providers often support native built-in firewall which can restrict the IP addresses that are allowed to access the API server.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9002%20Restrict%20access%20to%20the%20API%20server%20using%20IP%20firewall/", + "external_id": "MS-M9002" + } + ], + "x_mitre_ids": [ + "M1035" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--7fce2c6d-7b4f-4a73-a763-5eb8c1ce476b", + "id": "relationship--395815eb-8041-4873-9b8b-8d2bbbe09e9b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.164731Z", - "modified": "2024-05-08T15:22:56.164731Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--d8394e32-01b5-4447-a9cb-c98059a7a24b", - "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "source_ref": 
"course-of-action--bcdd9ff5-fc8c-4fa8-91f1-69e8dbf064d9", + "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -3437,14 +3544,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--0ccf0337-e389-4e82-86c7-c3f3d6d715d8", + "id": "relationship--d4fb6853-ce8f-4ad3-891c-75c5f5185be9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.164799Z", - "modified": "2024-05-08T15:22:56.164799Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--d8394e32-01b5-4447-a9cb-c98059a7a24b", - "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "source_ref": "course-of-action--bcdd9ff5-fc8c-4fa8-91f1-69e8dbf064d9", + "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3455,14 +3562,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--efec075f-2e2a-4a46-8c3b-87f79852ac4b", + "id": "relationship--575c4dfa-84f1-4f4b-97c0-562c4be5ab79", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.164866Z", - "modified": "2024-05-08T15:22:56.164866Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--d8394e32-01b5-4447-a9cb-c98059a7a24b", - "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", + "source_ref": "course-of-action--bcdd9ff5-fc8c-4fa8-91f1-69e8dbf064d9", + "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3473,14 +3580,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--a13556e9-ad9f-45a9-a3f1-af748f1fb09e", + "id": "relationship--548c7c7c-30f8-454f-bc8a-162262415b42", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.164933Z", - "modified": "2024-05-08T15:22:56.164933Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--d8394e32-01b5-4447-a9cb-c98059a7a24b", - "target_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", + "source_ref": "course-of-action--bcdd9ff5-fc8c-4fa8-91f1-69e8dbf064d9", + "target_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3491,13 +3598,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--b9124650-895d-4271-9829-08710a1c3377", + "id": "relationship--f21d594d-a2c4-465f-9363-cb6f8cd513d0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.165Z", - "modified": "2024-05-08T15:22:56.165Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--d8394e32-01b5-4447-a9cb-c98059a7a24b", + "source_ref": "course-of-action--bcdd9ff5-fc8c-4fa8-91f1-69e8dbf064d9", "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -3509,30 +3616,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--a1b1f3b9-26b7-47cf-b212-79fbf0f75fde", - "created": "2024-05-08T15:22:56.166862Z", - "modified": "2024-05-08T15:22:56.166862Z", - "name": "Set requests and limits for containers", - "description": "Set requests and limits for each container to avoid resource contention and DoS attacks.", + "id": "course-of-action--911f0f2c-0be0-40bb-95e3-f6b9c200a9eb", + "created": "2024-05-15T03:39:50.432865Z", + "modified": "2024-05-15T03:39:50.432865Z", + "name": "Use cloud storage provider", + "description": "Use cloud storage services, such as Azure Files, for storing the application\u2019s data. Kubernetes integrates with all main cloud provider storage services as storage providers for pod volumes. This allows leveraging cloud storage capabilities such as backup and snapshots.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9029%20Set%20requests%20and%20limits%20for%20containers/", - "external_id": "MS-M9029" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9030%20Use%20cloud%20storage%20provider/", + "external_id": "MS-M9030" } ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--2f2ad783-e5f7-49fc-948b-61f03ce598b5", + "id": "relationship--052962f9-6bac-4e77-be11-b0a77cf325f8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.166947Z", - "modified": "2024-05-08T15:22:56.166947Z", - "description": "Set requests and limits for each container to avoid resource contention and DoS attacks", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use cloud storage services, such as Azure Files, for storing the application\u2019s data", "relationship_type": "mitigates", - "source_ref": 
"course-of-action--a1b1f3b9-26b7-47cf-b212-79fbf0f75fde", - "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", + "source_ref": "course-of-action--911f0f2c-0be0-40bb-95e3-f6b9c200a9eb", + "target_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3543,30 +3650,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--a22d0e88-9fb6-4728-adea-52d9f279641e", - "created": "2024-05-08T15:22:56.169861Z", - "modified": "2024-05-08T15:22:56.169861Z", - "name": "Require strong authentication to services", - "description": "Use strong authentication when exposing sensitive interfaces to the Internet. For example, attacks were observed against exposed Kubeflow and Argo workloads that were not configured to use OpenID Connect or other authentication methods.\n\nUse strong authentication methods to the Kubernetes API that will prevent attackers from gaining access to the cluster even if valid credentials such as kubeconfig were achieved. For example, in AKS use AAD authentication instead of basic authentication. By using AAD authentication, a short-lived credential of the cluster is retrieved after authenticating to AAD.", + "id": "course-of-action--d59e0361-e023-4e3b-bd6a-374da2266736", + "created": "2024-05-15T03:39:50.450136Z", + "modified": "2024-05-15T03:39:50.450136Z", + "name": "Restrict file and directory permissions", + "description": "", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9009%20Require%20strong%20authentication%20to%20services/", - "external_id": "MS-M9009" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9016%20Restrict%20file%20and%20directory%20permissions/", + "external_id": "MS-M9016" } + ], + "x_mitre_ids": [ + "M1022" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--480263be-2153-4749-9148-70164682e46d", + "id": "relationship--5296d9e7-1a11-4bca-8eeb-f8449e39a4d6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.16995Z", - "modified": "2024-05-08T15:22:56.16995Z", - "description": "Use strong authentication when exposing sensitive interfaces to the 
Internet", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--a22d0e88-9fb6-4728-adea-52d9f279641e", - "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", + "source_ref": "course-of-action--d59e0361-e023-4e3b-bd6a-374da2266736", + "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -3577,14 +3687,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--f63fa307-e4f1-4d4b-9135-486454913410", + "id": "relationship--ab838d60-4c41-4293-b77c-09e4a4a9cd62", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.17002Z", - "modified": "2024-05-08T15:22:56.17002Z", - "description": "Use strong authentication when exposing sensitive interfaces to the Internet", + "created": "2022-10-25T12:26:46.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--a22d0e88-9fb6-4728-adea-52d9f279641e", - "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "source_ref": "course-of-action--d59e0361-e023-4e3b-bd6a-374da2266736", + "target_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3595,14 +3705,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--37386587-467b-4334-877a-57a33828a55e", + "id": "relationship--cedd7e41-7f86-4ae8-b52e-c18069ed209e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.170088Z", - "modified": "2024-05-08T15:22:56.170088Z", - "description": "Use strong authentication when exposing sensitive interfaces to the Internet", + "created": "2022-10-25T14:08:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--a22d0e88-9fb6-4728-adea-52d9f279641e", - "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "source_ref": "course-of-action--d59e0361-e023-4e3b-bd6a-374da2266736", + "target_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3613,33 +3723,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--8bdb3ec1-eb93-47fd-ac6f-f5b24134a5cf", - "created": "2024-05-08T15:22:56.172279Z", - "modified": "2024-05-08T15:22:56.172279Z", - "name": "Use managed secret store", - "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster. This allows cloud-level management of the secret which includes permission management, expiration management, secret rotation, auditing, etc. The integration of cloud secret stores with Kubernetes is done by using Secrets Store CSI Driver, which is implemented by all major cloud providers.", + "id": "course-of-action--1b4c4c3f-d97d-4478-b5c8-146d6464ee4e", + "created": "2024-05-15T03:39:50.500751Z", + "modified": "2024-05-15T03:39:50.500751Z", + "name": "Remove tools from container images", + "description": "Attackers often use built-in executables to run their malicious code. Removing unused executables from the image filesystem can prevent such activity. 
Examples of executables that are commonly used in malicious activity include: sh, bash, curl, wget, chmod and more.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9022%20Use%20managed%20secret%20store/", - "external_id": "MS-M9022" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9012%20Remove%20tools%20from%20container%20images/", + "external_id": "MS-M9012" } ], "x_mitre_ids": [ - "M1029" + "M1042" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--f74b5496-c7e5-4aa7-be3a-0d16d161bda1", + "id": "relationship--120b8e99-ff14-49c3-8d60-3afb877a2705", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.172377Z", - "modified": "2024-05-08T15:22:56.172377Z", - "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Attackers often use built-in executables to run their malicious code", "relationship_type": "mitigates", - "source_ref": "course-of-action--8bdb3ec1-eb93-47fd-ac6f-f5b24134a5cf", - "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "source_ref": "course-of-action--1b4c4c3f-d97d-4478-b5c8-146d6464ee4e", + "target_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3650,14 +3760,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--bc614ef9-78dd-40f2-ab07-c7c9e12b963f", + "id": "relationship--be9f0971-16e6-4067-b560-085cae7145f0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.172455Z", - "modified": "2024-05-08T15:22:56.172455Z", - "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Attackers often use built-in executables to run their malicious code", "relationship_type": "mitigates", - "source_ref": "course-of-action--8bdb3ec1-eb93-47fd-ac6f-f5b24134a5cf", - "target_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "source_ref": "course-of-action--1b4c4c3f-d97d-4478-b5c8-146d6464ee4e", + "target_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3668,30 +3778,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--b2f07c19-8b55-48bf-9542-2b6fc552e8ef", - "created": "2024-05-08T15:22:56.174374Z", - "modified": "2024-05-08T15:22:56.174374Z", - "name": "Use cloud storage provider", - "description": "Use cloud storage services, such as Azure Files, for storing the application\u2019s data. Kubernetes integrates with all main cloud provider storage services as storage providers for pod volumes. This allows leveraging cloud storage capabilities such as backup and snapshots.", + "id": "course-of-action--dec10eb4-b95f-4a77-a339-fa021cf4a899", + "created": "2024-05-15T03:39:50.549988Z", + "modified": "2024-05-15T03:39:50.549988Z", + "name": "Network segmentation", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster. This includes inner-cluster communication as well as ingress\\egress traffic to\\from the cluster. Network Policies are a native K8s solution for networking restrictions in the cluster.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9030%20Use%20cloud%20storage%20provider/", - "external_id": "MS-M9030" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9014%20Network%20segmentation/", + "external_id": "MS-M9014" } + ], + "x_mitre_ids": [ + "M1030" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--d077a740-aa3c-438f-9b15-6293a1da5bcf", + "id": "relationship--fc44ddb8-eb0c-4d96-abb0-547f3aad03bb", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.174484Z", - "modified": "2024-05-08T15:22:56.174484Z", - "description": "Use cloud storage services, such as Azure Files, for storing the application\u2019s data", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and 
outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--b2f07c19-8b55-48bf-9542-2b6fc552e8ef", - "target_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "source_ref": "course-of-action--dec10eb4-b95f-4a77-a339-fa021cf4a899", + "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3699,36 +3812,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--e97e7d91-2157-455c-8735-e8b923c89674", - "created": "2024-05-08T15:22:56.176356Z", - "modified": "2024-05-08T15:22:56.176356Z", - "name": "Implement data backup strategy", - "description": "Take and store data backups from pod mounted volumes for critical workloads. Ensure backup and storage systems are hardened and kept separate from the Kubernetes environment to prevent compromise.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9031%20Implement%20data%20backup%20strategy/", - "external_id": "MS-M9031" - } - ], - "x_mitre_ids": [ - "M1053" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--d8a67cab-2aec-4885-b4b5-65caed8d3bc1", + "id": "relationship--dc579813-666e-4365-851b-357b41ee17fc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.176459Z", - "modified": "2024-05-08T15:22:56.176459Z", - "description": "Take and store data backups from pod mounted volumes for critical workloads", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--e97e7d91-2157-455c-8735-e8b923c89674", - "target_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "source_ref": "course-of-action--dec10eb4-b95f-4a77-a339-fa021cf4a899", + "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3736,36 +3830,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--2ac38e43-d1e4-42a7-9200-3c66b2a14f2a", - "created": "2024-05-08T15:22:56.178317Z", - "modified": "2024-05-08T15:22:56.178317Z", - "name": "Multi-factor authentication", - "description": "Using multi-factor authentication for accounts can prevent unauthorized access in case an adversary achieves access to the account credentials. This can reduce the risk in case an adversary achieved valid credentials to an account that has permissions to the Kubernetes cluster.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9001%20Multi-factor%20authentication/", - "external_id": "MS-M9001" - } - ], - "x_mitre_ids": [ - "M1032" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1490c81e-60bf-4e7a-91de-082c18d8c07b", + "id": "relationship--0ecd2aca-11a3-4f9f-9bbd-ce78673bdd11", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.178441Z", - "modified": "2024-05-08T15:22:56.178441Z", - "description": "Using multi-factor authentication for accounts can prevent unauthorized access in case an adversary achieves access to the account credentials", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--2ac38e43-d1e4-42a7-9200-3c66b2a14f2a", - "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "source_ref": "course-of-action--dec10eb4-b95f-4a77-a339-fa021cf4a899", + "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": 
[ "tmfk" @@ -3773,32 +3848,16 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--43c3ee3b-415b-42f4-9196-a75c08ef951a", - "created": "2024-05-08T15:22:56.180191Z", - "modified": "2024-05-08T15:22:56.180191Z", - "name": "Use NodeRestriction admission controller", - "description": "NodeRestriction admission controller limits the permissions of kubelet and allows it to modify only its own Node object and only the pods that are running on its own node. This may limit attackers who have access to the Kubelet API from gaining full control over the cluster.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9027%20Use%20NodeRestriction%20admission%20controller/", - "external_id": "MS-M9027" - } - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--90678f01-47c5-4838-98e7-d01eebfa0d28", + "id": "relationship--c59e7256-0fa5-478e-8597-e4116c67d234", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.180298Z", - "modified": "2024-05-08T15:22:56.180298Z", - "description": "NodeRestriction admission controller limits the permissions of kubelet and allows it to modify only its own Node object and only the pods that are running on its own node", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--43c3ee3b-415b-42f4-9196-a75c08ef951a", + "source_ref": "course-of-action--dec10eb4-b95f-4a77-a339-fa021cf4a899", "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -3808,32 +3867,34 @@ "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { - "type": "course-of-action", + "type": "relationship", "spec_version": "2.1", - "id": "course-of-action--2c463ce1-a490-4348-a13a-6cb692ccc688", - "created": "2024-05-08T15:22:56.182403Z", - "modified": "2024-05-08T15:22:56.182403Z", - "name": "Restrict exec commands on pods", - "description": "", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9010%20Restrict%20exec%20commands%20on%20pods/", - "external_id": "MS-M9010" - } - ] + "id": "relationship--59fe1010-17ca-46e4-86b4-82a6507c0274", + "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "relationship_type": "mitigates", + "source_ref": "course-of-action--dec10eb4-b95f-4a77-a339-fa021cf4a899", + "target_ref": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "tmfk" + ], + "x_mitre_version": "0.1", + "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--cd35cbd7-4b93-4b58-a07e-365899f9f6e3", + "id": "relationship--74740cef-789c-419b-8ef4-be1b91411f77", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.182509Z", - "modified": "2024-05-08T15:22:56.182509Z", - "description": "", + "created": "2022-10-31T06:43:11.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--2c463ce1-a490-4348-a13a-6cb692ccc688", - "target_ref": 
"attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "source_ref": "course-of-action--dec10eb4-b95f-4a77-a339-fa021cf4a899", + "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -3844,14 +3905,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--d0a52dac-8d12-4cea-8907-3214a272ce87", + "id": "relationship--33e1bea6-768f-44bf-9fcb-8d1e3907ef2a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.182588Z", - "modified": "2024-05-08T15:22:56.182588Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--2c463ce1-a490-4348-a13a-6cb692ccc688", - "target_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", + "source_ref": "course-of-action--dec10eb4-b95f-4a77-a339-fa021cf4a899", + "target_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3862,30 +3923,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--12809894-059a-4bb9-a7c3-37c64de36bd5", - "created": "2024-05-08T15:22:56.184338Z", - "modified": "2024-05-08T15:22:56.184338Z", - "name": "Avoid using web-hosted manifest for Kubelet", - "description": "", + "id": "course-of-action--1e89ed15-2cc3-4559-b971-727257bb3468", + "created": "2024-05-15T03:39:50.684929Z", + "modified": "2024-05-15T03:39:50.684929Z", + "name": "Multi-factor authentication", + "description": "Using multi-factor authentication for accounts can prevent unauthorized access in case an adversary achieves access to the account credentials. This can reduce the risk in case an adversary achieved valid credentials to an account that has permissions to the Kubernetes cluster.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9032%20Avoid%20using%20web-hosted%20manifest%20for%20Kubelet/", - "external_id": "MS-M9032" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9001%20Multi-factor%20authentication/", + "external_id": "MS-M9001" } + ], + "x_mitre_ids": [ + "M1032" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--b732d3c6-24e8-47ec-b8ba-3824fad3561d", + "id": "relationship--ca42a472-3bf3-4e21-ad6f-b30c421c39a3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.184502Z", - "modified": "2024-05-08T15:22:56.184502Z", - "description": "", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Using multi-factor authentication for accounts can prevent unauthorized access in case an adversary achieves access to the account credentials", "relationship_type": "mitigates", - "source_ref": "course-of-action--12809894-059a-4bb9-a7c3-37c64de36bd5", - "target_ref": 
"attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", + "source_ref": "course-of-action--1e89ed15-2cc3-4559-b971-727257bb3468", + "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3896,33 +3960,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--ea621114-674b-4aac-886c-994c8da59b20", - "created": "2024-05-08T15:22:56.187533Z", - "modified": "2024-05-08T15:22:56.187533Z", - "name": "Restrict access to the API server using IP firewall", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster.\nIn managed clusters, cloud providers often support native built-in firewall which can restrict the IP addresses that are allowed to access the API server.", + "id": "course-of-action--88846ecd-3066-403b-ae1e-14990aec7b89", + "created": "2024-05-15T03:39:50.708572Z", + "modified": "2024-05-15T03:39:50.708572Z", + "name": "Set requests and limits for containers", + "description": "Set requests and limits for each container to avoid resource contention and DoS attacks.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9002%20Restrict%20access%20to%20the%20API%20server%20using%20IP%20firewall/", - "external_id": "MS-M9002" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9029%20Set%20requests%20and%20limits%20for%20containers/", + "external_id": "MS-M9029" } - ], - "x_mitre_ids": [ - "M1035" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1d4b575d-5a95-4894-9d35-3b1abcb99dbd", + "id": "relationship--a8a8174f-cace-4014-8ba5-19ac6405fd6d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.187631Z", - "modified": "2024-05-08T15:22:56.187631Z", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + 
"description": "Set requests and limits for each container to avoid resource contention and DoS attacks", "relationship_type": "mitigates", - "source_ref": "course-of-action--ea621114-674b-4aac-886c-994c8da59b20", - "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "source_ref": "course-of-action--88846ecd-3066-403b-ae1e-14990aec7b89", + "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3930,17 +3991,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "created": "2024-05-15T03:39:50.779693Z", + "modified": "2024-05-15T03:39:50.779693Z", + "name": "Adhere to least-privilege principle", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions. This applies also to other, external, authorization providers such as Azure RBAC in AKS.\n\nIn managed cluster, Kubernetes credentials are often retrieved or generated by the cloud provider via API call. To reduce the attack surface, grant permissions to the cloud provider API only to necessary accounts. In the case of Azure, make sure that only required identities have permissions to call:/subscriptions/resourceGroups/providers/Microsoft.ContainerService/managedClusters/listClusterUserCredential\n\nKubeconfig file can contain credentials of accounts that allow interaction with a cluster. 
By applying least privileges principle to all accounts, can limit the impact of an account compromised through Kubeconfig file.\n\nKubernetes project also lists the following recommendations for permissions and role assignment best practices:", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9003%20Adhere%20to%20least-privilege%20principle/", + "external_id": "MS-M9003" + } + ], + "x_mitre_ids": [ + "M1018" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--5b895b8e-f2fa-4f83-be17-09f47e8678b9", + "id": "relationship--6439eb96-2128-4a10-bc35-245772507eaa", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.187712Z", - "modified": "2024-05-08T15:22:56.187712Z", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--ea621114-674b-4aac-886c-994c8da59b20", - "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3951,14 +4031,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--21c02ea0-80b1-43a6-bc0d-cec13a726e09", + "id": "relationship--0099590d-c613-4183-90ef-0677a5cee5e0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.187782Z", - "modified": "2024-05-08T15:22:56.187782Z", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--ea621114-674b-4aac-886c-994c8da59b20", - "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3969,14 +4049,14 @@
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--b8010747-c436-4478-ad8a-05aa0d650815",
+ "id": "relationship--c0a48420-db41-473c-a6c0-1e13a3d10186",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.18785Z",
- "modified": "2024-05-08T15:22:56.18785Z",
- "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster",
+ "created": "2022-10-23T12:48:12.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--ea621114-674b-4aac-886c-994c8da59b20",
- "target_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7",
+ "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1",
+ "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -3987,14 +4067,14 @@
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--ec5feb2f-3ba6-430c-8243-a362334423f6",
+ "id": "relationship--ffc80eef-fce9-4a9c-a6cc-64a06bd04c09",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.187921Z",
- "modified": "2024-05-08T15:22:56.187921Z",
- "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster",
+ "created": "2022-10-23T12:48:12.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--ea621114-674b-4aac-886c-994c8da59b20",
- "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd",
+ "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1",
+ "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4002,36 +4082,17 @@
 "x_mitre_version": "0.1",
 "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e"
 },
- {
- "type": "course-of-action",
- "spec_version": "2.1",
- "id": "course-of-action--145627ab-4c2f-4817-9cc7-3541c4b2132d",
- "created": "2024-05-08T15:22:56.190096Z",
- "modified": "2024-05-08T15:22:56.190096Z",
- "name": "Limit access to services over network",
- "description": "Avoid exposing sensitive interfaces insecurely to the Internet or limit access to it. Sensitive interfaces includes management tools and applications that allow creation of new containers in the cluster. Some of those services does not use authentication by default and are not intended to be exposed. Examples of services that were exploited: Weave Scope, Apache NiFi and more.",
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9008%20Limit%20access%20to%20services%20over%20network/",
- "external_id": "MS-M9008"
- }
- ],
- "x_mitre_ids": [
- "M1035"
- ]
- },
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--2cdf3dab-2a3c-4a54-86f0-d2dac4ed5caa",
+ "id": "relationship--5e215619-4747-40ee-b7d8-cb99f43dcc02",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.190183Z",
- "modified": "2024-05-08T15:22:56.190183Z",
- "description": "Avoid exposing sensitive interfaces insecurely to the Internet or limit access to it",
+ "created": "2022-10-23T12:48:12.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--145627ab-4c2f-4817-9cc7-3541c4b2132d",
- "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574",
+ "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1",
+ "target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4039,36 +4100,17 @@
 "x_mitre_version": "0.1",
 "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e"
 },
- {
- "type": "course-of-action",
- "spec_version": "2.1",
- "id": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb",
- "created": "2024-05-08T15:22:56.194751Z",
- "modified": "2024-05-08T15:22:56.194751Z",
- "name": "Restrict over permissive containers",
- "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster. This can include restricting privileged containers, containers with sensitive volumes, containers with excessive capabilities, and other signs of over permissive containers.",
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9013%20Restrict%20over%20permissive%20containers/",
- "external_id": "MS-M9013"
- }
- ],
- "x_mitre_ids": [
- "M1038"
- ]
- },
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--a146eb92-2664-4266-bcca-296096759948",
+ "id": "relationship--eff8b137-592b-4e24-b9d0-84d0b4ecd36c",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.194859Z",
- "modified": "2024-05-08T15:22:56.194859Z",
- "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster",
+ "created": "2022-10-24T10:05:51.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb",
- "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d",
+ "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1",
+ "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4079,14 +4121,14 @@
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--76f97393-3394-4fc6-96bc-720d3f801545",
+ "id": "relationship--2ee66121-66fb-4322-bf90-a304269cc9ca",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.194937Z",
- "modified": "2024-05-08T15:22:56.194937Z",
- "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster",
+ "created": "2022-10-24T10:05:51.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb",
- "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f",
+ "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1",
+ "target_ref": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4097,14 +4139,14 @@
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--65c74fcc-0a2b-48f5-8140-d1724dbc0152",
+ "id": "relationship--439dbd19-7acb-4f32-ad8c-9cbdfd051ace",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.195007Z",
- "modified": "2024-05-08T15:22:56.195007Z",
- "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster",
+ "created": "2022-10-24T10:05:51.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb",
- "target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc",
+ "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1",
+ "target_ref": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4115,14 +4157,14 @@
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--a4297d46-5ef6-48ee-a7ec-9c81c2104efb",
+ "id": "relationship--8b515b19-c9dd-4ff8-a0c9-5e8a53b8704e",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.195074Z",
- "modified": "2024-05-08T15:22:56.195074Z",
- "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster",
+ "created": "2022-10-24T10:05:51.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb",
- "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9",
+ "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1",
+ "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4133,14 +4175,14 @@
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--b455b577-b0a4-4b5e-b309-4399ffdb96d8",
+ "id": "relationship--177ce49d-d707-4a60-8758-3008ca687648",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.195142Z",
- "modified": "2024-05-08T15:22:56.195142Z",
- "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster",
+ "created": "2022-10-24T10:05:51.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb",
- "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d",
+ "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1",
+ "target_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4151,14 +4193,14 @@
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--a3c5cc70-8051-4ee7-9103-8577d26bb3de",
+ "id": "relationship--1ef5a845-4abd-4dfa-a3fa-07614488bb92",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.195207Z",
- "modified": "2024-05-08T15:22:56.195207Z",
- "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster",
+ "created": "2022-10-25T08:08:39.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb",
- "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48",
+ "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1",
+ "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4169,14 +4211,14 @@
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--81017d21-8a48-428c-8c20-7bedbb7c9274",
+ "id": "relationship--597c4e29-5e2b-413e-85b3-156207c18632",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.195273Z",
- "modified": "2024-05-08T15:22:56.195273Z",
- "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster",
+ "created": "2022-10-25T08:08:39.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb",
- "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af",
+ "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1",
+ "target_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4187,14 +4229,14 @@
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--ea7b2c95-feae-4263-8972-1153520e12bb",
+ "id": "relationship--a17ec211-c097-4b29-b6f3-cf70f2a40917",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.195338Z",
- "modified": "2024-05-08T15:22:56.195338Z",
- "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster",
+ "created": "2022-10-25T08:08:39.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb",
- "target_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5",
+ "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1",
+ "target_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4205,14 +4247,14 @@
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--d6a40a98-8a52-4531-9c32-a407d8c715dc",
+ "id": "relationship--6f44a207-12a9-4211-a943-ba64ae52a24f",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.195403Z",
- "modified": "2024-05-08T15:22:56.195403Z",
- "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster",
+ "created": "2022-10-25T08:08:39.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb",
- "target_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4",
+ "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1",
+ "target_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4220,33 +4262,17 @@
 "x_mitre_version": "0.1",
 "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e"
 },
- {
- "type": "course-of-action",
- "spec_version": "2.1",
- "id": "course-of-action--078074f8-e7ee-4480-adc4-319dd516eeca",
- "created": "2024-05-08T15:22:56.197061Z",
- "modified": "2024-05-08T15:22:56.197061Z",
- "name": "Remove unused secrets from the cluster",
- "description": "Remove unused secrets objects from the cluster.",
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9023%20Remove%20unused%20secrets%20from%20the%20cluster/",
- "external_id": "MS-M9023"
- }
- ]
- },
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--4a74f882-fc51-4b69-9133-d4d2cdc8cba4",
+ "id": "relationship--0e71454a-a992-44ae-ae75-a355d6f04b0a",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.197159Z",
- "modified": "2024-05-08T15:22:56.197159Z",
- "description": "Remove unused secrets objects from the cluster",
+ "created": "2022-10-25T08:08:39.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--078074f8-e7ee-4480-adc4-319dd516eeca",
- "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5",
+ "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1",
+ "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4254,36 +4280,17 @@
 "x_mitre_version": "0.1",
 "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e"
 },
- {
- "type": "course-of-action",
- "spec_version": "2.1",
- "id": "course-of-action--14ab0198-d01e-4136-8e42-a3c98fe94cc7",
- "created": "2024-05-08T15:22:56.199422Z",
- "modified": "2024-05-08T15:22:56.199422Z",
- "name": "Collect logs to remote data storage",
- "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion. This can be achieved by various open-source tools such as Fluentd. Also, built-in cloud solutions are available for managed clusters, such as Container Insights and Log Analytics in AKS and Cloud Logging in GKE.",
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9020%20Collect%20logs%20to%20remote%20data%20storage/",
- "external_id": "MS-M9020"
- }
- ],
- "x_mitre_ids": [
- "M1029"
- ]
- },
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--9daf3409-b091-43a4-93fe-00cfede88603",
+ "id": "relationship--29059bde-e9aa-49d6-afd6-d6aac181369f",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.199528Z",
- "modified": "2024-05-08T15:22:56.199528Z",
- "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion",
+ "created": "2022-10-25T08:08:39.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--14ab0198-d01e-4136-8e42-a3c98fe94cc7",
- "target_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67",
+ "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1",
+ "target_ref": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4294,14 +4301,14 @@
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--971dbbb2-612c-4cab-b442-e50892920edd",
+ "id": "relationship--1cd92ebc-5be0-4b93-8067-f64d40a8eb37",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.199605Z",
- "modified": "2024-05-08T15:22:56.199605Z",
- "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion",
+ "created": "2022-10-25T08:08:39.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--14ab0198-d01e-4136-8e42-a3c98fe94cc7",
- "target_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14",
+ "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1",
+ "target_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4309,36 +4316,17 @@
 "x_mitre_version": "0.1",
 "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e"
 },
- {
- "type": "course-of-action",
- "spec_version": "2.1",
- "id": "course-of-action--c17f9a3f-ef25-4c11-ae3a-37d33049134d",
- "created": "2024-05-08T15:22:56.201611Z",
- "modified": "2024-05-08T15:22:56.201611Z",
- "name": "Network intrusion prevention",
- "description": "Use intrusion detection signatures and web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster.\n\nAdapting the network intrusion prevention solution to Kubernetes environment might be needed to route network traffic destined to services through it.\nIn some cases, this will be done by deploying a containerized version of a network intrusion prevention solution to the Kubernetes cluster and be part of the cluster network, and in some cases, routing ingress traffic to Kubernetes services through an external appliance, requiring that all ingress traffic will only come from such an appliance.",
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9007%20Network%20intrusion%20prevention/",
- "external_id": "MS-M9007"
- }
- ],
- "x_mitre_ids": [
- "M1031"
- ]
- },
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--efdd2248-5844-4b83-8b88-ddc9f10e3311",
+ "id": "relationship--58d81031-aac2-416c-a191-703afb143397",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.201719Z",
- "modified": "2024-05-08T15:22:56.201719Z",
- "description": "Use intrusion detection signatures and web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster",
+ "created": "2022-10-25T08:08:39.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--c17f9a3f-ef25-4c11-ae3a-37d33049134d",
- "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec",
+ "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1",
+ "target_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4346,33 +4334,17 @@
 "x_mitre_version": "0.1",
 "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e"
 },
- {
- "type": "course-of-action",
- "spec_version": "2.1",
- "id": "course-of-action--16b1618d-8f02-412b-8344-dcc66fafd08f",
- "created": "2024-05-08T15:22:56.203489Z",
- "modified": "2024-05-08T15:22:56.203489Z",
- "name": "Disable service account auto mount",
- "description": "",
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9025%20Disable%20service%20account%20auto%20mount/",
- "external_id": "MS-M9025"
- }
- ]
- },
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--9d5118f8-227f-4875-b9c1-d45ec317f7e8",
+ "id": "relationship--0bbe557c-9ac5-4349-bcd5-6ed0df52dfdd",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.203589Z",
- "modified": "2024-05-08T15:22:56.203589Z",
- "description": "",
+ "created": "2022-10-26T13:06:11.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--16b1618d-8f02-412b-8344-dcc66fafd08f",
- "target_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee",
+ "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1",
+ "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4383,9 +4355,9 @@
 {
 "type": "course-of-action",
 "spec_version": "2.1",
- "id": "course-of-action--2e0b0daa-c0e9-42c7-807e-6f3fd0872882",
- "created": "2024-05-08T15:22:56.205377Z",
- "modified": "2024-05-08T15:22:56.205377Z",
+ "id": "course-of-action--f67dcfd5-3ee8-4100-9d60-665aa3f98dc1",
+ "created": "2024-05-15T03:39:51.142006Z",
+ "modified": "2024-05-15T03:39:51.142006Z",
 "name": "Secure CI/CD environment",
 "description": "Security code repositories and CI/CD environment by placing gates to restrict unauthorized access and modification of content. This can include enforcing RBAC permissions to access and make changes to code, artifacts and build pipelines, ensure governed process for pull-request approval, apply branch policies and others.",
 "external_references": [
@@ -4399,13 +4371,13 @@
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--516c362d-01e1-44df-9b7c-29f243f27a89",
+ "id": "relationship--fbe192dc-787b-45ae-90e8-cf184b867d6a",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.205477Z",
- "modified": "2024-05-08T15:22:56.205477Z",
+ "created": "2022-10-19T20:25:37.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
 "description": "Security code repositories and CI/CD environment by placing gates to restrict unauthorized access and modification of content",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--2e0b0daa-c0e9-42c7-807e-6f3fd0872882",
+ "source_ref": "course-of-action--f67dcfd5-3ee8-4100-9d60-665aa3f98dc1",
 "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
@@ -4417,33 +4389,30 @@
 {
 "type": "course-of-action",
 "spec_version": "2.1",
- "id": "course-of-action--3b86fb19-87fc-4765-8ae0-1230ce738c2a",
- "created": "2024-05-08T15:22:56.207152Z",
- "modified": "2024-05-08T15:22:56.207152Z",
- "name": "Avoid running management interface on containers",
- "description": "Avoid running SSH daemon, as well as other management interfaces, if they aren\u2019t necessary for the application\u2019s functionality.",
+ "id": "course-of-action--91b29f5f-3691-4f7f-a23a-b104a93fa10a",
+ "created": "2024-05-15T03:39:51.164002Z",
+ "modified": "2024-05-15T03:39:51.164002Z",
+ "name": "Avoid using web-hosted manifest for Kubelet",
+ "description": "",
 "external_references": [
 {
 "source_name": "mitre-attack",
- "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9015%20Avoid%20running%20management%20interface%20on%20containers/",
- "external_id": "MS-M9015"
+ "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9032%20Avoid%20using%20web-hosted%20manifest%20for%20Kubelet/",
+ "external_id": "MS-M9032"
 }
- ],
- "x_mitre_ids": [
- "M1042"
 ]
 },
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--021a4287-68df-4d15-a53d-aca210ac5fba",
+ "id": "relationship--4790d8c7-e38d-4515-b52a-e3c67181d9f2",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.207254Z",
- "modified": "2024-05-08T15:22:56.207254Z",
- "description": "Avoid running SSH daemon, as well as other management interfaces, if they aren\u2019t necessary for the application\u2019s functionality",
+ "created": "2022-10-25T14:08:51.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--3b86fb19-87fc-4765-8ae0-1230ce738c2a",
- "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e",
+ "source_ref": "course-of-action--91b29f5f-3691-4f7f-a23a-b104a93fa10a",
+ "target_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4454,33 +4423,30 @@
 {
 "type": "course-of-action",
 "spec_version": "2.1",
- "id": "course-of-action--edc65489-8e21-4ed2-9b02-3bfb455ecde1",
- "created": "2024-05-08T15:22:56.209345Z",
- "modified": "2024-05-08T15:22:56.209345Z",
- "name": "Remove tools from container images",
- "description": "Attackers often use built-in executables to run their malicious code. Removing unused executables from the image filesystem can prevent such activity. Examples of executables that are commonly used in malicious activity include: sh, bash, curl, wget, chmod and more.",
+ "id": "course-of-action--319be813-fae2-44c6-a98f-d19423cd0ab5",
+ "created": "2024-05-15T03:39:51.196889Z",
+ "modified": "2024-05-15T03:39:51.196889Z",
+ "name": "Require strong authentication to services",
+ "description": "Use strong authentication when exposing sensitive interfaces to the Internet. For example, attacks were observed against exposed Kubeflow and Argo workloads that were not configured to use OpenID Connect or other authentication methods.\n\nUse strong authentication methods to the Kubernetes API that will prevent attackers from gaining access to the cluster even if valid credentials such as kubeconfig were achieved. For example, in AKS use AAD authentication instead of basic authentication. By using AAD authentication, a short-lived credential of the cluster is retrieved after authenticating to AAD.",
 "external_references": [
 {
 "source_name": "mitre-attack",
- "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9012%20Remove%20tools%20from%20container%20images/",
- "external_id": "MS-M9012"
+ "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9009%20Require%20strong%20authentication%20to%20services/",
+ "external_id": "MS-M9009"
 }
- ],
- "x_mitre_ids": [
- "M1042"
 ]
 },
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--9cfdb87c-af40-45a3-ab41-108b2171cc7a",
+ "id": "relationship--57ca0b03-fe25-4502-bd10-9457f9018d6f",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.209448Z",
- "modified": "2024-05-08T15:22:56.209448Z",
- "description": "Attackers often use built-in executables to run their malicious code",
+ "created": "2022-10-20T10:28:30.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Use strong authentication when exposing sensitive interfaces to the Internet",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--edc65489-8e21-4ed2-9b02-3bfb455ecde1",
- "target_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38",
+ "source_ref": "course-of-action--319be813-fae2-44c6-a98f-d19423cd0ab5",
+ "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4491,14 +4457,32 @@
 {
 "type": "relationship",
 "spec_version": "2.1",
- "id": "relationship--4c8ed604-f737-4520-a091-dbeb148d9fc2",
+ "id": "relationship--94ccb16c-7a52-4145-a3b4-f7561e17494b",
 "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
- "created": "2024-05-08T15:22:56.209526Z",
- "modified": "2024-05-08T15:22:56.209526Z",
- "description": "Attackers often use built-in executables to run their malicious code",
+ "created": "2022-10-24T10:05:51.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Use strong authentication when exposing sensitive interfaces to the Internet",
 "relationship_type": "mitigates",
- "source_ref": "course-of-action--edc65489-8e21-4ed2-9b02-3bfb455ecde1",
- "target_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8",
+ "source_ref": "course-of-action--319be813-fae2-44c6-a98f-d19423cd0ab5",
+ "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_domains": [
+ "tmfk"
+ ],
+ "x_mitre_version": "0.1",
+ "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e"
+ },
+ {
+ "type": "relationship",
+ "spec_version": "2.1",
+ "id": "relationship--d3f0e11e-0329-4cab-aa8c-b4f7b09f472e",
+ "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e",
+ "created": "2022-10-25T08:08:39.000Z",
+ "modified": "2022-10-28T11:26:39.000Z",
+ "description": "Use strong authentication when exposing sensitive interfaces to the Internet",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--319be813-fae2-44c6-a98f-d19423cd0ab5",
+ "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_domains": [
 "tmfk"
@@ -4509,33 +4493,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--3f52a1a4-fdc8-44d8-9b3b-093f8cb7fd5c", - "created": "2024-05-08T15:22:56.212461Z", - "modified": "2024-05-08T15:22:56.212461Z", - "name": "Restrict file and directory permissions", - "description": "", + "id": "course-of-action--0fbf6f7c-0e57-4deb-95c1-b7b35d6e0ef7", + "created": "2024-05-15T03:39:51.2552Z", + "modified": "2024-05-15T03:39:51.2552Z", + "name": "Remove unused secrets from the cluster", + "description": "Remove unused secrets objects from the cluster.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9016%20Restrict%20file%20and%20directory%20permissions/", - "external_id": "MS-M9016" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9023%20Remove%20unused%20secrets%20from%20the%20cluster/", + "external_id": "MS-M9023" } - ], - "x_mitre_ids": [ - "M1022" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--bb9a35da-8778-4d5f-a5fe-9d71c531ed7e", + "id": "relationship--11a97dca-c8a3-437d-a1e0-e855232bd9c3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.212566Z", - "modified": "2024-05-08T15:22:56.212566Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Remove unused secrets objects from the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--3f52a1a4-fdc8-44d8-9b3b-093f8cb7fd5c", - "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", + "source_ref": "course-of-action--0fbf6f7c-0e57-4deb-95c1-b7b35d6e0ef7", + "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4543,17 +4524,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--11489e40-e90e-4154-abc6-dba7cd93b491", + "created": "2024-05-15T03:39:51.280318Z", + "modified": "2024-05-15T03:39:51.280318Z", + "name": "Use managed secret store", + "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster. This allows cloud-level management of the secret which includes permission management, expiration management, secret rotation, auditing, etc. The integration of cloud secret stores with Kubernetes is done by using Secrets Store CSI Driver, which is implemented by all major cloud providers.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9022%20Use%20managed%20secret%20store/", + "external_id": "MS-M9022" + } + ], + "x_mitre_ids": [ + "M1029" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1858f521-084f-4965-a366-d7188de510e8", + "id": "relationship--566a170f-76c6-4a7e-8c22-d02c39def619", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.212643Z", - "modified": "2024-05-08T15:22:56.212643Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--3f52a1a4-fdc8-44d8-9b3b-093f8cb7fd5c", - "target_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", + "source_ref": "course-of-action--11489e40-e90e-4154-abc6-dba7cd93b491", + "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -4564,14 +4564,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--cce2028a-859d-4e6f-bfc1-4cc776ee1580", + "id": "relationship--3edc3696-1ecc-4493-b160-0eb35dbb153d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.212722Z", - "modified": "2024-05-08T15:22:56.212722Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--3f52a1a4-fdc8-44d8-9b3b-093f8cb7fd5c", - "target_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", + "source_ref": "course-of-action--11489e40-e90e-4154-abc6-dba7cd93b491", + "target_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4582,30 +4582,29 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--d5dc6d39-2ebd-4e7a-a5cf-d168af52b958", - "created": "2024-05-08T15:22:56.215558Z", - "modified": "2024-05-08T15:22:56.215558Z", - "name": "Gate images pushed to registries", - "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement. Some container registries can support gates that will prevent pushing images, while others might quarantine images after they were already push to the registry. Ensuring that gates exists at the registry level can help preventing bypass of gates at the CI/CD pipelines level.", + "id": "course-of-action--8b376e3a-27a5-440d-9f6a-6cd9bffbbc7f", + "created": "2024-05-15T03:39:51.325172Z", + "modified": "2024-05-15T03:39:51.325172Z", + "name": "Image assurance policy", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies. 
By ensuring consistent and comprehensive image assurance policy across the build, ship and run development stages.\n\nOne approach of ensuring images passes assurance or compliance checks it to sign the container images, so the image signature can be checks downstream when deploying to Kubernetes clusters at runtime.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005/MS-M9005.002%20Gate%20images%20pushed%20to%20registries/", - "external_id": "MS-M9005.002" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005%20Image%20assurance%20policy/", + "external_id": "MS-M9005" } ], "x_mitre_ids": [ "M1016", "M1045" - ], - "x_mitre_parent_mitigation": "MS-M9005" + ] }, { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--3463d40a-efed-490f-9059-928c4c3237c6", - "created": "2024-05-08T15:22:56.218185Z", - "modified": "2024-05-08T15:22:56.218185Z", + "id": "course-of-action--b8aa7ff9-2c6d-4522-b507-5dabaa2e9fc6", + "created": "2024-05-15T03:39:51.333113Z", + "modified": "2024-05-15T03:39:51.333113Z", "name": "Gate generated images in CI/CD pipeline", "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements.", "external_references": [ 
@@ -4624,29 +4623,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--679283b1-18dc-4249-b1b0-8a0fbcc86819", - "created": "2024-05-08T15:22:56.221362Z", - "modified": "2024-05-08T15:22:56.221362Z", - "name": "Image assurance policy", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies. By ensuring consistent and comprehensive image assurance policy across the build, ship and run development stages.\n\nOne approach of ensuring images passes assurance or compliance checks it to sign the container images, so the image signature can be checks downstream when deploying to Kubernetes clusters at runtime.", + "id": "course-of-action--77b8fc81-2d20-4fa6-9b41-9ac5509a87b3", + "created": "2024-05-15T03:39:51.337162Z", + "modified": "2024-05-15T03:39:51.337162Z", + "name": "Gate images pushed to registries", + "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement. Some container registries can support gates that will prevent pushing images, while others might quarantine images after they were already push to the registry. 
Ensuring that gates exists at the registry level can help preventing bypass of gates at the CI/CD pipelines level.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005%20Image%20assurance%20policy/", - "external_id": "MS-M9005" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005/MS-M9005.002%20Gate%20images%20pushed%20to%20registries/", + "external_id": "MS-M9005.002" } ], "x_mitre_ids": [ "M1016", "M1045" - ] + ], + "x_mitre_parent_mitigation": "MS-M9005" }, { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", - "created": "2024-05-08T15:22:56.225976Z", - "modified": "2024-05-08T15:22:56.225976Z", + "id": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", + "created": "2024-05-15T03:39:51.343565Z", + "modified": "2024-05-15T03:39:51.343565Z", "name": "Gate images deployed to Kubernetes cluster", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements. This can include limiting images to be deployed only from trusted registries, to have digital signature or pass vulnerability scanning and other checks. This can prevent potential adversaries from using their own malicious images in the cluster. Also, this ensures that only images that passed the security compliance policies of the organization are deployed in the cluster. Kubernetes admission controller mechanism is one of the commonly used tools for implementing such policy.", "external_references": [ 
@@ -4665,13 +4665,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--782c7775-83f3-4459-8fb9-28da08fdee61", + "id": "relationship--d5807d7e-f2c8-4327-990a-e4af75a0bc0d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226156Z", - "modified": "2024-05-08T15:22:56.226156Z", - "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", + "created": "2024-05-15T06:39:51.351219Z", + "modified": "2024-05-15T06:39:51.351246Z", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", - "source_ref": "course-of-action--d5dc6d39-2ebd-4e7a-a5cf-d168af52b958", + "source_ref": "course-of-action--8b376e3a-27a5-440d-9f6a-6cd9bffbbc7f", "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4683,13 +4683,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1ce40510-0136-4ae0-a9f8-8f3ec51f8864", + "id": "relationship--437f7861-883a-4867-91db-baf03277714c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226244Z", - "modified": "2024-05-08T15:22:56.226244Z", - "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", + "created": "2024-05-15T06:39:51.359322Z", + "modified": "2024-05-15T06:39:51.359354Z", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", - "source_ref": "course-of-action--d5dc6d39-2ebd-4e7a-a5cf-d168af52b958", + "source_ref": "course-of-action--8b376e3a-27a5-440d-9f6a-6cd9bffbbc7f", "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4701,13 +4701,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--81ec6e6f-fa3f-4040-a724-833699364643", + "id": "relationship--1791ff5f-a7fe-4a8c-867f-7e4d4457ce04", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226315Z", - "modified": "2024-05-08T15:22:56.226315Z", - "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", + "created": "2024-05-15T06:39:51.37399Z", + "modified": "2024-05-15T06:39:51.37402Z", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", - "source_ref": "course-of-action--d5dc6d39-2ebd-4e7a-a5cf-d168af52b958", + "source_ref": "course-of-action--8b376e3a-27a5-440d-9f6a-6cd9bffbbc7f", "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4719,14 +4719,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--2c6feeef-2531-451c-9e47-a13a805a4de0", + "id": "relationship--fe50d167-7eac-4b71-9df8-8d7d11926ddf", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226383Z", - "modified": "2024-05-08T15:22:56.226383Z", - "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", + "created": "2024-05-15T06:39:51.386704Z", + "modified": "2024-05-15T06:39:51.386741Z", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", - "source_ref": "course-of-action--3463d40a-efed-490f-9059-928c4c3237c6", - "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", + "source_ref": "course-of-action--8b376e3a-27a5-440d-9f6a-6cd9bffbbc7f", + "target_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4737,14 +4737,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--bbdc57a5-e9ed-46a2-b3d4-3ee56d8af96f", + "id": "relationship--dfbf2ef0-8462-45f4-a8c6-f11f23d63772", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226449Z", - "modified": "2024-05-08T15:22:56.226449Z", + "created": "2024-05-15T06:39:51.400917Z", + "modified": "2024-05-15T06:39:51.400957Z", "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--3463d40a-efed-490f-9059-928c4c3237c6", - "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "source_ref": "course-of-action--b8aa7ff9-2c6d-4522-b507-5dabaa2e9fc6", + "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -4755,14 +4755,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--5965c723-db2a-4155-b030-b81df136f30d", + "id": "relationship--82395a4c-bfed-47bd-807b-3cb03a841444", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226518Z", - "modified": "2024-05-08T15:22:56.226518Z", + "created": "2024-05-15T06:39:51.414615Z", + "modified": "2024-05-15T06:39:51.414656Z", "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--3463d40a-efed-490f-9059-928c4c3237c6", - "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "source_ref": "course-of-action--b8aa7ff9-2c6d-4522-b507-5dabaa2e9fc6", + "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4773,14 +4773,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--ef484610-1321-492b-af5b-53474922901a", + "id": "relationship--c55c3f5c-434f-499b-8d81-cee4a6ac7e1f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.22659Z", - "modified": "2024-05-08T15:22:56.22659Z", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", + "created": "2024-05-15T06:39:51.429706Z", + "modified": "2024-05-15T06:39:51.429746Z", + "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--679283b1-18dc-4249-b1b0-8a0fbcc86819", - "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", + "source_ref": "course-of-action--b8aa7ff9-2c6d-4522-b507-5dabaa2e9fc6", + "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4791,14 +4791,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--d901a4f8-0606-4f4a-9492-73a13c34322c", + "id": "relationship--064d14e1-cd81-4478-9b06-440eda1fc860", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226665Z", - "modified": "2024-05-08T15:22:56.226665Z", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", + "created": "2024-05-15T06:39:51.444788Z", + "modified": "2024-05-15T06:39:51.444833Z", + "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", "relationship_type": "mitigates", - "source_ref": "course-of-action--679283b1-18dc-4249-b1b0-8a0fbcc86819", - "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "source_ref": "course-of-action--77b8fc81-2d20-4fa6-9b41-9ac5509a87b3", + "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4809,14 +4809,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--3efd61e1-bd89-4247-8e79-6ce2cbfd02a4", + "id": "relationship--b875a9d5-550b-47e5-89fa-e76b3d86b7dd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226731Z", - "modified": "2024-05-08T15:22:56.226731Z", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", + "created": "2024-05-15T06:39:51.460242Z", + "modified": "2024-05-15T06:39:51.4605Z", + "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", "relationship_type": "mitigates", - "source_ref": "course-of-action--679283b1-18dc-4249-b1b0-8a0fbcc86819", - "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "source_ref": "course-of-action--77b8fc81-2d20-4fa6-9b41-9ac5509a87b3", + "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4827,14 +4827,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--5bce60d2-b755-4e27-8de0-e0038326bfec", + "id": "relationship--58581176-17db-460f-96e3-4cb863d9af1d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226798Z", - "modified": "2024-05-08T15:22:56.226798Z", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", + "created": "2024-05-15T06:39:51.476617Z", + "modified": "2024-05-15T06:39:51.476676Z", + "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", "relationship_type": "mitigates", - "source_ref": "course-of-action--679283b1-18dc-4249-b1b0-8a0fbcc86819", - "target_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", + "source_ref": "course-of-action--77b8fc81-2d20-4fa6-9b41-9ac5509a87b3", + "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4845,13 +4845,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--3ddb2c6b-331e-487a-9855-96dd151f9867", + "id": "relationship--f2921043-7046-4c06-bc44-b90a5c37c4af", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226867Z", - "modified": "2024-05-08T15:22:56.226867Z", + "created": "2024-05-15T06:39:51.493907Z", + "modified": "2024-05-15T06:39:51.493963Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", + "source_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -4863,13 +4863,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--ad664846-1b62-4e02-8ce0-623262539cf3", + "id": "relationship--639ad88a-b3b9-423f-9987-877c08f0e1b2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226933Z", - "modified": "2024-05-08T15:22:56.226933Z", + "created": "2024-05-15T06:39:51.518899Z", + "modified": "2024-05-15T06:39:51.518948Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", + "source_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4881,13 +4881,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--818f2493-52f8-4de3-8a76-26bd4052f960", + "id": "relationship--7952a030-cadf-41a2-96f2-11081f6b8f56", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.227002Z", - "modified": "2024-05-08T15:22:56.227002Z", + "created": "2024-05-15T06:39:51.534173Z", + "modified": "2024-05-15T06:39:51.534211Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", + "source_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -4899,13 +4899,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9dfe3caa-7bcd-469c-8d8d-ff81bf8eb61e", + "id": "relationship--d634d899-4763-406f-832c-093eab2072d0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.227071Z", - "modified": "2024-05-08T15:22:56.227071Z", + "created": "2024-05-15T06:39:51.548264Z", + "modified": "2024-05-15T06:39:51.548301Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", + "source_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4917,13 +4917,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--069fcf2f-4170-4e63-9360-1bf93c20315b", + "id": "relationship--9ba23a5c-ccdb-4a05-ab6e-66123659c312", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.227135Z", - "modified": "2024-05-08T15:22:56.227135Z", + "created": "2024-05-15T06:39:51.562848Z", + "modified": "2024-05-15T06:39:51.562901Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", + "source_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -4935,13 +4935,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--2353bac2-6ec5-4a61-acad-b9e42591c080", + "id": "relationship--4e263973-3d3e-45bb-a496-f5f033294bc4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.2272Z", - "modified": "2024-05-08T15:22:56.2272Z", + "created": "2024-05-15T06:39:51.577846Z", + "modified": "2024-05-15T06:39:51.5779Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", + "source_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", "target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4953,13 +4953,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--b4208483-e02b-4e4b-b303-264f034c2084", + "id": "relationship--8b211336-1561-4b85-be2a-308d20b1f3b5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.227264Z", - "modified": "2024-05-08T15:22:56.227264Z", + "created": "2024-05-15T06:39:51.595129Z", + "modified": "2024-05-15T06:39:51.595167Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", + "source_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -4971,13 +4971,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--4cf8585c-b005-4c2e-8dcd-7d4a3c0af182", + "id": "relationship--9d0123fe-7884-4240-b246-d073b91dd1c6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.227329Z", - "modified": "2024-05-08T15:22:56.227329Z", + "created": "2024-05-15T06:39:51.60965Z", + "modified": "2024-05-15T06:39:51.60971Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", + "source_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4989,13 +4989,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9f441bcf-b520-42be-bac8-fb0065b002ac", + "id": "relationship--44605b12-a205-4764-bbda-c1ec86bfbf48", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.227393Z", - "modified": "2024-05-08T15:22:56.227393Z", + "created": "2024-05-15T06:39:51.6255Z", + "modified": "2024-05-15T06:39:51.62555Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", + "source_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", "target_ref": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -5007,10 +5007,10 @@ { "type": "x-mitre-matrix", "spec_version": "2.1", - "id": "x-mitre-matrix--72e4aa48-183b-4dd1-ab2e-f0bf87259ed8", + "id": "x-mitre-matrix--8891ab92-0b5d-4c1a-8c71-3cabe88ed697", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T08:52:58.000Z", - "modified": "2024-05-08T18:22:56.242Z", + "modified": "2024-05-15T06:39:51.640Z", "name": "Threat Matrix for Kubernetes", "external_references": [ { @@ -5054,4 +5054,4 @@ "x_mitre_version": "0.1" } ] -} \ No newline at end of file +} diff --git a/build/tmfk_strict_b885d18.json b/build/tmfk_strict_b885d18.json index aa49e2c..f06ae28 100644 --- a/build/tmfk_strict_b885d18.json +++ b/build/tmfk_strict_b885d18.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--91b3d24b-b7e0-4c76-ae8d-e0621bb11301", + "id": "bundle--11127c22-81ff-41b9-8bf9-94e242fc6b60", "objects": [ { "type": "x-mitre-collection", 
@@ -8,7 +8,7 @@ "id": "x-mitre-collection--8702c9a3-cf7b-4e79-99e2-191d79c6042b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T08:52:58.000Z", - "modified": "2024-05-08T18:22:56.255285Z", + "modified": "2024-05-15T06:39:51.668037Z", "name": "Threat Matrix for Kubernetes", "description": "The purpose of the threat matrix for Kubernetes is to conceptualize the known tactics, techniques, and procedures (TTP) that adversaries may use against Kubernetes environments. Inspired from MITRE ATT&CK, the threat matrix for Kubernetes is designed to give quick insight into a potential TTP that an adversary may be using in their attack campaign. The threat matrix for Kubernetes contains also mitigations specific to Kubernetes environments and attack techniques.", "x_mitre_attack_spec_version": "2.1.0", 
@@ -54,31 +54,31 @@ "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", - "object_modified": "2023-01-23T19:22:40.000Z" + "object_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", + "object_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", - "object_modified": "2022-10-27T17:00:14.000Z" + "object_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", - "object_modified": "2022-12-05T07:54:00.000Z" + "object_ref": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", + "object_modified": "2022-10-25T08:08:39.000Z" }, { - "object_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "object_ref": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "object_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "object_modified": "2022-10-28T11:26:39.000Z" }, { 
@@ -86,79 +86,83 @@ "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "object_modified": "2022-10-25T08:08:39.000Z" }, { - "object_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", + "object_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", + "object_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "object_modified": "2022-12-05T07:54:00.000Z" }, - { - "object_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", - "object_modified": "2022-10-28T11:26:39.000Z" - }, { "object_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "object_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", + "object_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "object_modified": "2022-12-05T07:54:00.000Z" }, + { + "object_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", + "object_modified": "2023-01-23T19:22:40.000Z" + }, + { + "object_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", + "object_modified": "2022-10-28T11:26:39.000Z" + }, { "object_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", + "object_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", - 
"object_modified": "2022-12-05T07:54:00.000Z" + "object_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", - "object_modified": "2022-12-05T07:54:00.000Z" + "object_ref": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "object_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "object_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", - "object_modified": "2022-12-05T07:54:00.000Z" + "object_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", - "object_modified": "2022-10-25T08:08:39.000Z" + "object_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "object_ref": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", "object_modified": "2022-10-27T17:00:14.000Z" }, { - "object_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "object_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", + "object_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "object_modified": "2022-10-28T11:26:39.000Z" }, { 
@@ -166,616 +170,612 @@ "object_modified": "2022-10-25T08:08:39.000Z" }, { - "object_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "object_modified": "2022-10-27T17:00:14.000Z" }, { - "object_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", + "object_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "object_ref": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", - "object_modified": "2022-10-28T11:26:39.000Z" + "object_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", - "object_modified": "2022-10-25T08:08:39.000Z" + "object_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", + "object_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "object_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", + "object_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "object_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", + "object_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", - "object_modified": "2022-12-05T07:54:00.000Z" - }, - { - "object_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", + "object_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--ac59938a-311a-4b1d-ab0d-ca2d475e284c", - "object_modified": "2024-05-08T15:22:56.105508Z" + "object_ref": "course-of-action--55d8b50b-d044-4a03-b1ef-6553f3aed34d", + "object_modified": "2024-05-15T03:39:49.593404Z" }, { - "object_ref": "relationship--684df523-a6e2-4963-b89c-12e3c6a59b77", - "object_modified": "2024-05-08T15:22:56.105747Z" + "object_ref": "relationship--1cee926a-5ce2-4ac5-941a-de6484007cc7", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--e1617893-3f7b-4be8-ad56-893bfa3759cd", - "object_modified": "2024-05-08T15:22:56.107717Z" + "object_ref": "relationship--2d6ddaf0-a928-43a2-a610-9bf62c1ed0a4", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--a505b3a7-d08a-4407-85a4-3cb849dd80c4", - "object_modified": "2024-05-08T15:22:56.107829Z" + "object_ref": "course-of-action--520d4254-ebd3-49e1-984f-dcf2ace87a9e", + "object_modified": "2024-05-15T03:39:49.632956Z" }, { - "object_ref": "course-of-action--4b77406c-6862-489f-b6a4-5d9da04bf053", - "object_modified": "2024-05-08T15:22:56.110187Z" + "object_ref": "relationship--f8705584-7dfe-4e53-87ce-8e4e0c99cbc0", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--dddf5766-1f08-477d-bbde-0edb594df29f", - "object_modified": "2024-05-08T15:22:56.110305Z" + "object_ref": "course-of-action--778d7e0c-c593-49b9-bcd7-d16b78004eb5", + "object_modified": "2024-05-15T03:39:49.656588Z" }, { 
- "object_ref": "relationship--bd30de10-b0a9-4286-a31d-7c1cbd369f96", - "object_modified": "2024-05-08T15:22:56.110386Z" + "object_ref": "relationship--f3767923-01f7-4810-9ba1-9cc0032da723", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--0e1a91ca-6129-4b7e-9b05-1d3004500999", - "object_modified": "2024-05-08T15:22:56.112317Z" + "object_ref": "relationship--997ff777-3194-44ff-98c2-52918448ea32", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--c38f19cf-a229-47ab-87b1-3b3473b023db", - "object_modified": "2024-05-08T15:22:56.112428Z" + "object_ref": "course-of-action--d19bd228-4302-4497-b3d5-65fe23c217e1", + "object_modified": "2024-05-15T03:39:49.692338Z" }, { - "object_ref": "course-of-action--c1159ee6-af84-4a56-a3fd-57359b498f9e", - "object_modified": "2024-05-08T15:22:56.114624Z" + "object_ref": "relationship--52acb074-9e6c-462b-9f68-b2daead4febd", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--f339094b-0181-402c-b8b1-dc0abecc1376", - "object_modified": "2024-05-08T15:22:56.114727Z" + "object_ref": "course-of-action--c3ebbc7f-5b27-4a32-9612-81af964e1fa6", + "object_modified": "2024-05-15T03:39:49.713824Z" }, { - "object_ref": "course-of-action--79053c9f-34ea-444f-8e97-827c60881e51", - "object_modified": "2024-05-08T15:22:56.116769Z" + "object_ref": "relationship--05af345e-2386-45e6-9b5f-b42a7e3f963b", + "object_modified": "2022-10-25T08:08:39.000Z" }, { - "object_ref": "relationship--d4dd453f-66ce-42f0-816e-bdad2c1dd18e", - "object_modified": "2024-05-08T15:22:56.116875Z" + "object_ref": "course-of-action--87f133cb-179a-4f4c-ace0-304ce900b0c6", + "object_modified": "2024-05-15T03:39:49.738357Z" }, { - "object_ref": "course-of-action--770f2953-0263-4408-a0b2-6cda1c0d3205", - "object_modified": "2024-05-08T15:22:56.119383Z" + "object_ref": "relationship--21b8bc42-4f8b-48d4-bd6a-6d167c6bc3cb", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - 
"object_ref": "relationship--0c551a23-0a7b-41de-bffd-a19e4ecee79e", - "object_modified": "2024-05-08T15:22:56.119488Z" + "object_ref": "relationship--e87cab35-468b-46bc-a7ed-7378ec79c528", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--0b914519-e08f-4e56-9a68-a9cebb1c1d4a", - "object_modified": "2024-05-08T15:22:56.119567Z" + "object_ref": "course-of-action--68fb6dea-250a-4980-b700-68e3d476fc53", + "object_modified": "2024-05-15T03:39:49.775718Z" }, { - "object_ref": "course-of-action--9e37ad64-5cc7-410b-a550-b9c1590c6283", - "object_modified": "2024-05-08T15:22:56.122732Z" + "object_ref": "relationship--127a742e-4abb-4be2-8647-d6db0955fed0", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--7bbe05c2-60af-4088-ace6-94f4f071df19", - "object_modified": "2024-05-08T15:22:56.122846Z" + "object_ref": "course-of-action--f1c844f3-f0df-45c8-8977-1e83897a490f", + "object_modified": "2024-05-15T03:39:49.794023Z" }, { - "object_ref": "relationship--2d8245fd-ef52-41a9-a4ae-5aaa3921aefe", - "object_modified": "2024-05-08T15:22:56.122926Z" + "object_ref": "relationship--1d3d2200-a69d-492a-8e8e-da998e38b52b", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--45d6494c-98b2-4720-9f60-0fd0f7c98726", - "object_modified": "2024-05-08T15:22:56.123003Z" + "object_ref": "course-of-action--c78016d9-1088-4355-9c07-15afa17c30ba", + "object_modified": "2024-05-15T03:39:49.806472Z" }, { - "object_ref": "relationship--90f62dcd-d7e7-44e3-b445-5a642f5de126", - "object_modified": "2024-05-08T15:22:56.123072Z" + "object_ref": "relationship--7f80fc51-faa5-449a-8795-77b1d7d38249", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "object_modified": "2024-05-08T15:22:56.15468Z" + "object_ref": "course-of-action--bd8a1f81-5681-4b09-86a3-60e4a1339332", + "object_modified": "2024-05-15T03:39:49.822823Z" }, { - 
"object_ref": "relationship--b44efe83-3469-4a9c-b8c6-53b874056843", - "object_modified": "2024-05-08T15:22:56.15482Z" + "object_ref": "relationship--53dd1c67-71fc-4966-80b4-e77583e2ef8e", + "object_modified": "2022-10-27T17:00:14.000Z" }, { - "object_ref": "relationship--23143241-f6d3-42a0-9469-53edf84f0e0f", - "object_modified": "2024-05-08T15:22:56.154905Z" + "object_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", + "object_modified": "2024-05-15T03:39:49.856437Z" }, { - "object_ref": "relationship--848b4d5c-90d1-4482-b251-adcc7cc17891", - "object_modified": "2024-05-08T15:22:56.154975Z" + "object_ref": "relationship--9372f1ae-40cc-4952-bbcf-f22b89a372bd", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--72c5ef65-0a46-48f0-90bd-7fa8eb3b1939", - "object_modified": "2024-05-08T15:22:56.15504Z" + "object_ref": "relationship--15ac3b60-3bd6-4381-ad36-9160702e746b", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--5ba9c263-a863-4192-beed-f1e9ed42674f", - "object_modified": "2024-05-08T15:22:56.155104Z" + "object_ref": "relationship--bf5f4a2f-14dc-409c-b93c-364111d0dbc6", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--d1b623d5-b933-441d-8894-22bd5dd44117", - "object_modified": "2024-05-08T15:22:56.155171Z" + "object_ref": "relationship--e2954083-f170-4032-9f0a-3a13f8d55b7c", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--efb0998c-99dd-44a1-944b-da25cbb9bea2", - "object_modified": "2024-05-08T15:22:56.155238Z" + "object_ref": "relationship--d99027db-b6c3-4e63-bf38-8c2c32ee4bd6", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--cf9f87de-2a3b-46fc-84ef-4e925923b5e4", - "object_modified": "2024-05-08T15:22:56.155302Z" + "object_ref": "relationship--23b37f44-775f-4c0e-b631-b1f423a6a60f", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": 
"relationship--2d46b6e7-1230-4faf-a8ad-e12235ee7ea4", - "object_modified": "2024-05-08T15:22:56.155365Z" + "object_ref": "relationship--7b499331-659d-4d8a-849f-a79df719852e", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--72a148ee-50f9-4e3b-a937-3c08256b1ed7", - "object_modified": "2024-05-08T15:22:56.155432Z" + "object_ref": "relationship--4861b510-27a7-413a-91a6-80952fb4f1f2", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--bd7dbd2b-a07e-4bf9-a4c8-beb6f5c2dd50", - "object_modified": "2024-05-08T15:22:56.155493Z" + "object_ref": "relationship--a4bad130-89bb-4d8b-b2cb-a102501a7806", + "object_modified": "2022-12-05T07:54:00.000Z" }, { - "object_ref": "relationship--7478fe08-c216-44bf-bede-f13f941b7f29", - "object_modified": "2024-05-08T15:22:56.155554Z" + "object_ref": "course-of-action--2a25aaa2-136a-4a58-b1de-d1fd0cac5173", + "object_modified": "2024-05-15T03:39:49.989843Z" }, { - "object_ref": "relationship--78717954-c8b0-4282-81cc-2c85a049a449", - "object_modified": "2024-05-08T15:22:56.155617Z" + "object_ref": "relationship--c2bf159f-3b91-4a6e-8604-1e818d992b4e", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--844c1b1d-3cee-4c6b-a27f-1c1733704dfa", - "object_modified": "2024-05-08T15:22:56.155679Z" + "object_ref": "relationship--4d3608f4-edbb-406d-a903-7f4f1ecad5db", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--f00a996f-9c64-4ef1-8c93-0e9f5d93c836", - "object_modified": "2024-05-08T15:22:56.15574Z" + "object_ref": "relationship--17ebe0b8-ba9b-4a92-9093-dbda15d80621", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--68813965-9188-431b-918d-fb91ca2f1f06", - "object_modified": "2024-05-08T15:22:56.1558Z" + "object_ref": "relationship--aa539a34-7282-4f93-a201-880603aa7e5c", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--32f00bea-6a7d-4c35-9fce-42afca7ede41", - "object_modified": "2024-05-08T15:22:56.155861Z" + "object_ref": "relationship--bc844fa6-71ac-4b9d-a831-dc67509f5af1", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--5f338d5a-3d04-46a2-8baa-a29a3d60567b", - "object_modified": "2024-05-08T15:22:56.155922Z" + "object_ref": "relationship--ae4cd2da-2261-4ec5-be1f-74e48e3d12c3", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--3695fbaa-c940-4482-8d6f-1857521374f4", - "object_modified": "2024-05-08T15:22:56.155983Z" + "object_ref": "relationship--e57186e7-9fee-4ab1-b016-d1451f52fea0", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--55a99025-850c-4827-8b07-914552199b36", - "object_modified": "2024-05-08T15:22:56.159781Z" + "object_ref": "course-of-action--e2750236-3a09-4c64-97f4-8105d08d773c", + "object_modified": "2024-05-15T03:39:50.110727Z" }, { - "object_ref": "relationship--591612f8-a5a7-4161-861b-64693ee49557", - "object_modified": "2024-05-08T15:22:56.159973Z" + "object_ref": "relationship--f379373c-8822-4c48-8911-210df5418bb5", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--2adc1cb3-3614-410c-b549-1c81de3ea1b2", - "object_modified": "2024-05-08T15:22:56.160056Z" + "object_ref": "course-of-action--51d41dfb-5f49-477a-8377-b0e534432991", + "object_modified": "2024-05-15T03:39:50.135881Z" }, { - "object_ref": "relationship--30d2e91b-ae8e-4886-a605-d61f12904201", - "object_modified": "2024-05-08T15:22:56.160125Z" + "object_ref": "relationship--260fd263-0f63-486c-85f2-73d603efc5b8", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--c3bb518a-5b52-4b31-b78f-f5fcc949736c", - "object_modified": "2024-05-08T15:22:56.160193Z" + "object_ref": "course-of-action--a09ce953-17ee-47bb-b2d0-9338767d0d4d", + "object_modified": "2024-05-15T03:39:50.165211Z" }, { - "object_ref": 
"relationship--ee884f9c-ff11-41ae-88e0-3b01b047640c", - "object_modified": "2024-05-08T15:22:56.160265Z" + "object_ref": "relationship--f43769b5-3a95-4bee-a453-bb8665c264d7", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--1dd70791-0859-4bd6-97de-c0db2e34beb2", - "object_modified": "2024-05-08T15:22:56.160332Z" + "object_ref": "course-of-action--925b3e24-eb25-4c68-b3fe-2165d14d96a6", + "object_modified": "2024-05-15T03:39:50.191364Z" }, { - "object_ref": "relationship--23432974-c2b0-4a4f-a61a-464032513031", - "object_modified": "2024-05-08T15:22:56.160398Z" + "object_ref": "relationship--b444a265-fde8-4492-8318-3899451a74d6", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "course-of-action--d8394e32-01b5-4447-a9cb-c98059a7a24b", - "object_modified": "2024-05-08T15:22:56.164478Z" + "object_ref": "course-of-action--e8251e81-f825-4987-b384-ff1aca09a7a5", + "object_modified": "2024-05-15T03:39:50.211723Z" }, { - "object_ref": "relationship--9084a585-125b-48a8-b5c5-253fe50cd45f", - "object_modified": "2024-05-08T15:22:56.164583Z" + "object_ref": "relationship--218b9d58-20b0-4ce4-844e-0118e8d99774", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--eba9530a-3b27-4aac-9fb3-af44b91370ea", - "object_modified": "2024-05-08T15:22:56.16466Z" + "object_ref": "relationship--e4ef9577-a365-410d-8364-d0bb066f42bf", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--7fce2c6d-7b4f-4a73-a763-5eb8c1ce476b", - "object_modified": "2024-05-08T15:22:56.164731Z" + "object_ref": "course-of-action--aac84edd-fdfd-496f-86f6-a2928fed9718", + "object_modified": "2024-05-15T03:39:50.25828Z" }, { - "object_ref": "relationship--0ccf0337-e389-4e82-86c7-c3f3d6d715d8", - "object_modified": "2024-05-08T15:22:56.164799Z" + "object_ref": "relationship--c5ee99c3-a3f5-48c3-b3cc-e016aaad30f3", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--efec075f-2e2a-4a46-8c3b-87f79852ac4b", - "object_modified": "2024-05-08T15:22:56.164866Z" + "object_ref": "relationship--fb36acc7-8b7c-4be6-a6dd-58ef99e8a4d1", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--a13556e9-ad9f-45a9-a3f1-af748f1fb09e", - "object_modified": "2024-05-08T15:22:56.164933Z" + "object_ref": "relationship--51aea02b-f08b-4911-a7b3-3c615012e191", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--b9124650-895d-4271-9829-08710a1c3377", - "object_modified": "2024-05-08T15:22:56.165Z" + "object_ref": "relationship--88e2fc55-9489-4b4e-adb2-fd4c703be960", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--a1b1f3b9-26b7-47cf-b212-79fbf0f75fde", - "object_modified": "2024-05-08T15:22:56.166862Z" + "object_ref": "course-of-action--bcdd9ff5-fc8c-4fa8-91f1-69e8dbf064d9", + "object_modified": "2024-05-15T03:39:50.34653Z" }, { - "object_ref": "relationship--2f2ad783-e5f7-49fc-948b-61f03ce598b5", - "object_modified": "2024-05-08T15:22:56.166947Z" + "object_ref": "relationship--395815eb-8041-4873-9b8b-8d2bbbe09e9b", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--a22d0e88-9fb6-4728-adea-52d9f279641e", - "object_modified": "2024-05-08T15:22:56.169861Z" + "object_ref": "relationship--d4fb6853-ce8f-4ad3-891c-75c5f5185be9", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--480263be-2153-4749-9148-70164682e46d", - "object_modified": "2024-05-08T15:22:56.16995Z" + "object_ref": "relationship--575c4dfa-84f1-4f4b-97c0-562c4be5ab79", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--f63fa307-e4f1-4d4b-9135-486454913410", - "object_modified": "2024-05-08T15:22:56.17002Z" + "object_ref": "relationship--548c7c7c-30f8-454f-bc8a-162262415b42", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--37386587-467b-4334-877a-57a33828a55e", - "object_modified": "2024-05-08T15:22:56.170088Z" + "object_ref": "relationship--f21d594d-a2c4-465f-9363-cb6f8cd513d0", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--8bdb3ec1-eb93-47fd-ac6f-f5b24134a5cf", - "object_modified": "2024-05-08T15:22:56.172279Z" + "object_ref": "course-of-action--911f0f2c-0be0-40bb-95e3-f6b9c200a9eb", + "object_modified": "2024-05-15T03:39:50.432865Z" }, { - "object_ref": "relationship--f74b5496-c7e5-4aa7-be3a-0d16d161bda1", - "object_modified": "2024-05-08T15:22:56.172377Z" + "object_ref": "relationship--052962f9-6bac-4e77-be11-b0a77cf325f8", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--bc614ef9-78dd-40f2-ab07-c7c9e12b963f", - "object_modified": "2024-05-08T15:22:56.172455Z" + "object_ref": "course-of-action--d59e0361-e023-4e3b-bd6a-374da2266736", + "object_modified": "2024-05-15T03:39:50.450136Z" }, { - "object_ref": "course-of-action--b2f07c19-8b55-48bf-9542-2b6fc552e8ef", - "object_modified": "2024-05-08T15:22:56.174374Z" + "object_ref": "relationship--5296d9e7-1a11-4bca-8eeb-f8449e39a4d6", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--d077a740-aa3c-438f-9b15-6293a1da5bcf", - "object_modified": "2024-05-08T15:22:56.174484Z" + "object_ref": "relationship--ab838d60-4c41-4293-b77c-09e4a4a9cd62", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--e97e7d91-2157-455c-8735-e8b923c89674", - "object_modified": "2024-05-08T15:22:56.176356Z" + "object_ref": "relationship--cedd7e41-7f86-4ae8-b52e-c18069ed209e", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--d8a67cab-2aec-4885-b4b5-65caed8d3bc1", - "object_modified": "2024-05-08T15:22:56.176459Z" + "object_ref": "course-of-action--1b4c4c3f-d97d-4478-b5c8-146d6464ee4e", + "object_modified": "2024-05-15T03:39:50.500751Z" }, { - "object_ref": 
"course-of-action--2ac38e43-d1e4-42a7-9200-3c66b2a14f2a", - "object_modified": "2024-05-08T15:22:56.178317Z" + "object_ref": "relationship--120b8e99-ff14-49c3-8d60-3afb877a2705", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--1490c81e-60bf-4e7a-91de-082c18d8c07b", - "object_modified": "2024-05-08T15:22:56.178441Z" + "object_ref": "relationship--be9f0971-16e6-4067-b560-085cae7145f0", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--43c3ee3b-415b-42f4-9196-a75c08ef951a", - "object_modified": "2024-05-08T15:22:56.180191Z" + "object_ref": "course-of-action--dec10eb4-b95f-4a77-a339-fa021cf4a899", + "object_modified": "2024-05-15T03:39:50.549988Z" }, { - "object_ref": "relationship--90678f01-47c5-4838-98e7-d01eebfa0d28", - "object_modified": "2024-05-08T15:22:56.180298Z" + "object_ref": "relationship--fc44ddb8-eb0c-4d96-abb0-547f3aad03bb", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "course-of-action--2c463ce1-a490-4348-a13a-6cb692ccc688", - "object_modified": "2024-05-08T15:22:56.182403Z" + "object_ref": "relationship--dc579813-666e-4365-851b-357b41ee17fc", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "relationship--cd35cbd7-4b93-4b58-a07e-365899f9f6e3", - "object_modified": "2024-05-08T15:22:56.182509Z" + "object_ref": "relationship--0ecd2aca-11a3-4f9f-9bbd-ce78673bdd11", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "relationship--d0a52dac-8d12-4cea-8907-3214a272ce87", - "object_modified": "2024-05-08T15:22:56.182588Z" + "object_ref": "relationship--c59e7256-0fa5-478e-8597-e4116c67d234", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "course-of-action--12809894-059a-4bb9-a7c3-37c64de36bd5", - "object_modified": "2024-05-08T15:22:56.184338Z" + "object_ref": "relationship--59fe1010-17ca-46e4-86b4-82a6507c0274", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": 
"relationship--b732d3c6-24e8-47ec-b8ba-3824fad3561d", - "object_modified": "2024-05-08T15:22:56.184502Z" + "object_ref": "relationship--74740cef-789c-419b-8ef4-be1b91411f77", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "course-of-action--ea621114-674b-4aac-886c-994c8da59b20", - "object_modified": "2024-05-08T15:22:56.187533Z" + "object_ref": "relationship--33e1bea6-768f-44bf-9fcb-8d1e3907ef2a", + "object_modified": "2022-10-31T06:43:11.000Z" }, { - "object_ref": "relationship--1d4b575d-5a95-4894-9d35-3b1abcb99dbd", - "object_modified": "2024-05-08T15:22:56.187631Z" + "object_ref": "course-of-action--1e89ed15-2cc3-4559-b971-727257bb3468", + "object_modified": "2024-05-15T03:39:50.684929Z" }, { - "object_ref": "relationship--5b895b8e-f2fa-4f83-be17-09f47e8678b9", - "object_modified": "2024-05-08T15:22:56.187712Z" + "object_ref": "relationship--ca42a472-3bf3-4e21-ad6f-b30c421c39a3", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--21c02ea0-80b1-43a6-bc0d-cec13a726e09", - "object_modified": "2024-05-08T15:22:56.187782Z" + "object_ref": "course-of-action--88846ecd-3066-403b-ae1e-14990aec7b89", + "object_modified": "2024-05-15T03:39:50.708572Z" }, { - "object_ref": "relationship--b8010747-c436-4478-ad8a-05aa0d650815", - "object_modified": "2024-05-08T15:22:56.18785Z" + "object_ref": "relationship--a8a8174f-cace-4014-8ba5-19ac6405fd6d", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--ec5feb2f-3ba6-430c-8243-a362334423f6", - "object_modified": "2024-05-08T15:22:56.187921Z" + "object_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "object_modified": "2024-05-15T03:39:50.779693Z" }, { - "object_ref": "course-of-action--145627ab-4c2f-4817-9cc7-3541c4b2132d", - "object_modified": "2024-05-08T15:22:56.190096Z" + "object_ref": "relationship--6439eb96-2128-4a10-bc35-245772507eaa", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--2cdf3dab-2a3c-4a54-86f0-d2dac4ed5caa", - "object_modified": "2024-05-08T15:22:56.190183Z" + "object_ref": "relationship--0099590d-c613-4183-90ef-0677a5cee5e0", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb", - "object_modified": "2024-05-08T15:22:56.194751Z" + "object_ref": "relationship--c0a48420-db41-473c-a6c0-1e13a3d10186", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--a146eb92-2664-4266-bcca-296096759948", - "object_modified": "2024-05-08T15:22:56.194859Z" + "object_ref": "relationship--ffc80eef-fce9-4a9c-a6cc-64a06bd04c09", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--76f97393-3394-4fc6-96bc-720d3f801545", - "object_modified": "2024-05-08T15:22:56.194937Z" + "object_ref": "relationship--5e215619-4747-40ee-b7d8-cb99f43dcc02", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--65c74fcc-0a2b-48f5-8140-d1724dbc0152", - "object_modified": "2024-05-08T15:22:56.195007Z" + "object_ref": "relationship--eff8b137-592b-4e24-b9d0-84d0b4ecd36c", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--a4297d46-5ef6-48ee-a7ec-9c81c2104efb", - "object_modified": "2024-05-08T15:22:56.195074Z" + "object_ref": "relationship--2ee66121-66fb-4322-bf90-a304269cc9ca", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--b455b577-b0a4-4b5e-b309-4399ffdb96d8", - "object_modified": "2024-05-08T15:22:56.195142Z" + "object_ref": "relationship--439dbd19-7acb-4f32-ad8c-9cbdfd051ace", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--a3c5cc70-8051-4ee7-9103-8577d26bb3de", - "object_modified": "2024-05-08T15:22:56.195207Z" + "object_ref": "relationship--8b515b19-c9dd-4ff8-a0c9-5e8a53b8704e", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"relationship--81017d21-8a48-428c-8c20-7bedbb7c9274", - "object_modified": "2024-05-08T15:22:56.195273Z" + "object_ref": "relationship--177ce49d-d707-4a60-8758-3008ca687648", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--ea7b2c95-feae-4263-8972-1153520e12bb", - "object_modified": "2024-05-08T15:22:56.195338Z" + "object_ref": "relationship--1ef5a845-4abd-4dfa-a3fa-07614488bb92", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--d6a40a98-8a52-4531-9c32-a407d8c715dc", - "object_modified": "2024-05-08T15:22:56.195403Z" + "object_ref": "relationship--597c4e29-5e2b-413e-85b3-156207c18632", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--078074f8-e7ee-4480-adc4-319dd516eeca", - "object_modified": "2024-05-08T15:22:56.197061Z" + "object_ref": "relationship--a17ec211-c097-4b29-b6f3-cf70f2a40917", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--4a74f882-fc51-4b69-9133-d4d2cdc8cba4", - "object_modified": "2024-05-08T15:22:56.197159Z" + "object_ref": "relationship--6f44a207-12a9-4211-a943-ba64ae52a24f", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--14ab0198-d01e-4136-8e42-a3c98fe94cc7", - "object_modified": "2024-05-08T15:22:56.199422Z" + "object_ref": "relationship--0e71454a-a992-44ae-ae75-a355d6f04b0a", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--9daf3409-b091-43a4-93fe-00cfede88603", - "object_modified": "2024-05-08T15:22:56.199528Z" + "object_ref": "relationship--29059bde-e9aa-49d6-afd6-d6aac181369f", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--971dbbb2-612c-4cab-b442-e50892920edd", - "object_modified": "2024-05-08T15:22:56.199605Z" + "object_ref": "relationship--1cd92ebc-5be0-4b93-8067-f64d40a8eb37", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"course-of-action--c17f9a3f-ef25-4c11-ae3a-37d33049134d", - "object_modified": "2024-05-08T15:22:56.201611Z" + "object_ref": "relationship--58d81031-aac2-416c-a191-703afb143397", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--efdd2248-5844-4b83-8b88-ddc9f10e3311", - "object_modified": "2024-05-08T15:22:56.201719Z" + "object_ref": "relationship--0bbe557c-9ac5-4349-bcd5-6ed0df52dfdd", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--16b1618d-8f02-412b-8344-dcc66fafd08f", - "object_modified": "2024-05-08T15:22:56.203489Z" + "object_ref": "course-of-action--f67dcfd5-3ee8-4100-9d60-665aa3f98dc1", + "object_modified": "2024-05-15T03:39:51.142006Z" }, { - "object_ref": "relationship--9d5118f8-227f-4875-b9c1-d45ec317f7e8", - "object_modified": "2024-05-08T15:22:56.203589Z" + "object_ref": "relationship--fbe192dc-787b-45ae-90e8-cf184b867d6a", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--2e0b0daa-c0e9-42c7-807e-6f3fd0872882", - "object_modified": "2024-05-08T15:22:56.205377Z" + "object_ref": "course-of-action--91b29f5f-3691-4f7f-a23a-b104a93fa10a", + "object_modified": "2024-05-15T03:39:51.164002Z" }, { - "object_ref": "relationship--516c362d-01e1-44df-9b7c-29f243f27a89", - "object_modified": "2024-05-08T15:22:56.205477Z" + "object_ref": "relationship--4790d8c7-e38d-4515-b52a-e3c67181d9f2", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--3b86fb19-87fc-4765-8ae0-1230ce738c2a", - "object_modified": "2024-05-08T15:22:56.207152Z" + "object_ref": "course-of-action--319be813-fae2-44c6-a98f-d19423cd0ab5", + "object_modified": "2024-05-15T03:39:51.196889Z" }, { - "object_ref": "relationship--021a4287-68df-4d15-a53d-aca210ac5fba", - "object_modified": "2024-05-08T15:22:56.207254Z" + "object_ref": "relationship--57ca0b03-fe25-4502-bd10-9457f9018d6f", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": 
"course-of-action--edc65489-8e21-4ed2-9b02-3bfb455ecde1", - "object_modified": "2024-05-08T15:22:56.209345Z" + "object_ref": "relationship--94ccb16c-7a52-4145-a3b4-f7561e17494b", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--9cfdb87c-af40-45a3-ab41-108b2171cc7a", - "object_modified": "2024-05-08T15:22:56.209448Z" + "object_ref": "relationship--d3f0e11e-0329-4cab-aa8c-b4f7b09f472e", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--4c8ed604-f737-4520-a091-dbeb148d9fc2", - "object_modified": "2024-05-08T15:22:56.209526Z" + "object_ref": "course-of-action--0fbf6f7c-0e57-4deb-95c1-b7b35d6e0ef7", + "object_modified": "2024-05-15T03:39:51.2552Z" }, { - "object_ref": "course-of-action--3f52a1a4-fdc8-44d8-9b3b-093f8cb7fd5c", - "object_modified": "2024-05-08T15:22:56.212461Z" + "object_ref": "relationship--11a97dca-c8a3-437d-a1e0-e855232bd9c3", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--bb9a35da-8778-4d5f-a5fe-9d71c531ed7e", - "object_modified": "2024-05-08T15:22:56.212566Z" + "object_ref": "course-of-action--11489e40-e90e-4154-abc6-dba7cd93b491", + "object_modified": "2024-05-15T03:39:51.280318Z" }, { - "object_ref": "relationship--1858f521-084f-4965-a366-d7188de510e8", - "object_modified": "2024-05-08T15:22:56.212643Z" + "object_ref": "relationship--566a170f-76c6-4a7e-8c22-d02c39def619", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "relationship--cce2028a-859d-4e6f-bfc1-4cc776ee1580", - "object_modified": "2024-05-08T15:22:56.212722Z" + "object_ref": "relationship--3edc3696-1ecc-4493-b160-0eb35dbb153d", + "object_modified": "2022-10-28T11:26:39.000Z" }, { - "object_ref": "course-of-action--d5dc6d39-2ebd-4e7a-a5cf-d168af52b958", - "object_modified": "2024-05-08T15:22:56.215558Z" + "object_ref": "course-of-action--8b376e3a-27a5-440d-9f6a-6cd9bffbbc7f", + "object_modified": "2024-05-15T03:39:51.325172Z" }, { - "object_ref": 
"course-of-action--3463d40a-efed-490f-9059-928c4c3237c6", - "object_modified": "2024-05-08T15:22:56.218185Z" + "object_ref": "course-of-action--b8aa7ff9-2c6d-4522-b507-5dabaa2e9fc6", + "object_modified": "2024-05-15T03:39:51.333113Z" }, { - "object_ref": "course-of-action--679283b1-18dc-4249-b1b0-8a0fbcc86819", - "object_modified": "2024-05-08T15:22:56.221362Z" + "object_ref": "course-of-action--77b8fc81-2d20-4fa6-9b41-9ac5509a87b3", + "object_modified": "2024-05-15T03:39:51.337162Z" }, { - "object_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", - "object_modified": "2024-05-08T15:22:56.225976Z" + "object_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", + "object_modified": "2024-05-15T03:39:51.343565Z" }, { - "object_ref": "relationship--782c7775-83f3-4459-8fb9-28da08fdee61", - "object_modified": "2024-05-08T15:22:56.226156Z" + "object_ref": "relationship--d5807d7e-f2c8-4327-990a-e4af75a0bc0d", + "object_modified": "2024-05-15T06:39:51.351246Z" }, { - "object_ref": "relationship--1ce40510-0136-4ae0-a9f8-8f3ec51f8864", - "object_modified": "2024-05-08T15:22:56.226244Z" + "object_ref": "relationship--437f7861-883a-4867-91db-baf03277714c", + "object_modified": "2024-05-15T06:39:51.359354Z" }, { - "object_ref": "relationship--81ec6e6f-fa3f-4040-a724-833699364643", - "object_modified": "2024-05-08T15:22:56.226315Z" + "object_ref": "relationship--1791ff5f-a7fe-4a8c-867f-7e4d4457ce04", + "object_modified": "2024-05-15T06:39:51.37402Z" }, { - "object_ref": "relationship--2c6feeef-2531-451c-9e47-a13a805a4de0", - "object_modified": "2024-05-08T15:22:56.226383Z" + "object_ref": "relationship--fe50d167-7eac-4b71-9df8-8d7d11926ddf", + "object_modified": "2024-05-15T06:39:51.386741Z" }, { - "object_ref": "relationship--bbdc57a5-e9ed-46a2-b3d4-3ee56d8af96f", - "object_modified": "2024-05-08T15:22:56.226449Z" + "object_ref": "relationship--dfbf2ef0-8462-45f4-a8c6-f11f23d63772", + "object_modified": "2024-05-15T06:39:51.400957Z" }, { - "object_ref": 
"relationship--5965c723-db2a-4155-b030-b81df136f30d", - "object_modified": "2024-05-08T15:22:56.226518Z" + "object_ref": "relationship--82395a4c-bfed-47bd-807b-3cb03a841444", + "object_modified": "2024-05-15T06:39:51.414656Z" }, { - "object_ref": "relationship--ef484610-1321-492b-af5b-53474922901a", - "object_modified": "2024-05-08T15:22:56.22659Z" + "object_ref": "relationship--c55c3f5c-434f-499b-8d81-cee4a6ac7e1f", + "object_modified": "2024-05-15T06:39:51.429746Z" }, { - "object_ref": "relationship--d901a4f8-0606-4f4a-9492-73a13c34322c", - "object_modified": "2024-05-08T15:22:56.226665Z" + "object_ref": "relationship--064d14e1-cd81-4478-9b06-440eda1fc860", + "object_modified": "2024-05-15T06:39:51.444833Z" }, { - "object_ref": "relationship--3efd61e1-bd89-4247-8e79-6ce2cbfd02a4", - "object_modified": "2024-05-08T15:22:56.226731Z" + "object_ref": "relationship--b875a9d5-550b-47e5-89fa-e76b3d86b7dd", + "object_modified": "2024-05-15T06:39:51.4605Z" }, { - "object_ref": "relationship--5bce60d2-b755-4e27-8de0-e0038326bfec", - "object_modified": "2024-05-08T15:22:56.226798Z" + "object_ref": "relationship--58581176-17db-460f-96e3-4cb863d9af1d", + "object_modified": "2024-05-15T06:39:51.476676Z" }, { - "object_ref": "relationship--3ddb2c6b-331e-487a-9855-96dd151f9867", - "object_modified": "2024-05-08T15:22:56.226867Z" + "object_ref": "relationship--f2921043-7046-4c06-bc44-b90a5c37c4af", + "object_modified": "2024-05-15T06:39:51.493963Z" }, { - "object_ref": "relationship--ad664846-1b62-4e02-8ce0-623262539cf3", - "object_modified": "2024-05-08T15:22:56.226933Z" + "object_ref": "relationship--639ad88a-b3b9-423f-9987-877c08f0e1b2", + "object_modified": "2024-05-15T06:39:51.518948Z" }, { - "object_ref": "relationship--818f2493-52f8-4de3-8a76-26bd4052f960", - "object_modified": "2024-05-08T15:22:56.227002Z" + "object_ref": "relationship--7952a030-cadf-41a2-96f2-11081f6b8f56", + "object_modified": "2024-05-15T06:39:51.534211Z" }, { - "object_ref": 
"relationship--9dfe3caa-7bcd-469c-8d8d-ff81bf8eb61e", - "object_modified": "2024-05-08T15:22:56.227071Z" + "object_ref": "relationship--d634d899-4763-406f-832c-093eab2072d0", + "object_modified": "2024-05-15T06:39:51.548301Z" }, { - "object_ref": "relationship--069fcf2f-4170-4e63-9360-1bf93c20315b", - "object_modified": "2024-05-08T15:22:56.227135Z" + "object_ref": "relationship--9ba23a5c-ccdb-4a05-ab6e-66123659c312", + "object_modified": "2024-05-15T06:39:51.562901Z" }, { - "object_ref": "relationship--2353bac2-6ec5-4a61-acad-b9e42591c080", - "object_modified": "2024-05-08T15:22:56.2272Z" + "object_ref": "relationship--4e263973-3d3e-45bb-a496-f5f033294bc4", + "object_modified": "2024-05-15T06:39:51.5779Z" }, { - "object_ref": "relationship--b4208483-e02b-4e4b-b303-264f034c2084", - "object_modified": "2024-05-08T15:22:56.227264Z" + "object_ref": "relationship--8b211336-1561-4b85-be2a-308d20b1f3b5", + "object_modified": "2024-05-15T06:39:51.595167Z" }, { - "object_ref": "relationship--4cf8585c-b005-4c2e-8dcd-7d4a3c0af182", - "object_modified": "2024-05-08T15:22:56.227329Z" + "object_ref": "relationship--9d0123fe-7884-4240-b246-d073b91dd1c6", + "object_modified": "2024-05-15T06:39:51.60971Z" }, { - "object_ref": "relationship--9f441bcf-b520-42be-bac8-fb0065b002ac", - "object_modified": "2024-05-08T15:22:56.227393Z" + "object_ref": "relationship--44605b12-a205-4764-bbda-c1ec86bfbf48", + "object_modified": "2024-05-15T06:39:51.62555Z" }, { - "object_ref": "x-mitre-matrix--72e4aa48-183b-4dd1-ab2e-f0bf87259ed8", - "object_modified": "2024-05-08T18:22:56.242Z" + "object_ref": "x-mitre-matrix--8891ab92-0b5d-4c1a-8c71-3cabe88ed697", + "object_modified": "2024-05-15T06:39:51.640Z" }, { "object_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", 
@@ -1027,28 +1027,32 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", + "id": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-02T14:34:35.000Z", - "modified": "2023-01-23T19:22:40.000Z", - "name": "Access cloud resources", - "description": "If the Kubernetes cluster is deployed in the cloud, in some cases attackers can leverage their access to a single container to get access to other cloud resources outside the cluster. For example, AKS uses several managed identities that are attached to the nodes, for the cluster operation. Similar identities exist also in EKS and GKE (EC2 roles and IAM service accounts, respectively). By default, running pods can retrieve the identities which in some configurations have privileged permissions. Therefore, if attackers gain access to a running pod in the cluster, they can leverage the identities to access external cloud resources.\n\nAlso, AKS has an option to authenticate with Azure using a service principal. When this option is enabled, each node stores service principal credentials that are located in /etc/kubernetes/azure.json. AKS uses this service principal to create and manage Azure resources that are needed for the cluster operation. By default, the service principal has contributor permissions in the cluster\u2019s Resource Group. Attackers who get access to this service principal file (by hostPath mount, for example) can use its credentials to access or modify the cloud resources.", + "created": "2022-10-02T18:11:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Container service account", + "description": "Service account (SA) represents an application identity in Kubernetes. 
By default, a Service Account access token is mounted to every created pod in the cluster and containers in the pod can send requests to the Kubernetes API server using the Service Account credentials. Attackers who get access to a pod can access the Service Account token (located in /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster, according to the Service Account permissions. If RBAC is not enabled, the Service Account has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings \\ ClusterRoleBindings that are associated with it.\n\nAn attacker which get access to the Service Account token can also authenticate and access the Kubernetes API server from outside the cluster and maintain access to the cluster.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "privilege-escalation" + "phase_name": "credential-access" }, { "kill_chain_name": "tmfk", "phase_name": "lateral-movement" + }, + { + "kill_chain_name": "tmfk", + "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20cloud%20resources", - "external_id": "MS-TA9020" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Container%20service%20account", + "external_id": "MS-TA9016" } ], "x_mitre_domains": [ @@ -1056,7 +1060,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1078.004" + "T1528" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1067,24 +1071,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", + "id": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Bash or cmd inside container", - "description": "Attackers who have permissions to run a cmd/bash script inside a container can use it to execute malicious code and compromise cluster resources.", + "name": "Clear container logs", + "description": "Attackers may delete the application or OS logs on a compromised container in an attempt to prevent detection of their activity.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "execution" + "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Bash%20or%20cmd%20inside%20container", - "external_id": "MS-TA9007" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Clear%20container%20logs", + "external_id": "MS-TA9021" } ], "x_mitre_domains": [ @@ -1092,7 +1096,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1059" + "T1070" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1103,24 +1107,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", + "id": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-27T17:00:14.000Z", - "name": "Cluster-admin binding", - "description": "Role-based access control (RBAC) is a key security feature in Kubernetes. RBAC can restrict the allowed actions of the various identities in the cluster. Cluster-admin is a built-in high privileged role in Kubernetes. Attackers who have permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Data destruction", + "description": "Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "privilege-escalation" + "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster-admin%20binding", - "external_id": "MS-TA9019" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction", + "external_id": "MS-TA9038" } ], "x_mitre_domains": [ @@ -1128,7 +1132,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1078.003" + "T1485" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1139,24 +1143,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", + "id": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "Privileged container", - "description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container, or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", + "modified": "2022-10-25T08:08:39.000Z", + "name": "CoreDNS poisoning", + "description": "CoreDNS is a modular Domain Name System (DNS) server written in Go, hosted by Cloud Native Computing Foundation (CNCF). CoreDNS is the main DNS service that is being used in Kubernetes. The configuration of CoreDNS can be modified by a file named corefile. In Kubernetes, this file is stored in a ConfigMap object, located at the kube-system namespace. 
If attackers have permissions to modify the ConfigMap, for example by using the container\u2019s service account, they can change the behavior of the cluster\u2019s DNS, poison it, and take the network identity of other services.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "privilege-escalation" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container", - "external_id": "MS-TA9018" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/CoreDNS%20poisoning", + "external_id": "MS-TA9035" } ], "x_mitre_domains": [ @@ -1164,7 +1168,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1610" + "T1557" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1175,24 +1179,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", + "id": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Access Kubernetes API server", - "description": "The Kubernetes API server is the gateway to the cluster. Actions in the cluster are performed by sending various requests to the RESTful API. The status of the cluster, which includes all the components that are deployed on it, can be retrieved by the API server. Attackers may send API requests to probe the cluster and get information about containers, secrets, and other resources in the cluster.\n\nIn addition, the Kubernetes API server can also be used to query information about Role Based Access (RBAC) information such as Roles, ClusterRoles, RoleBinding, ClusterRoleBinding and Service Accounts. Attacker may use this information to discover permissions and access associated with Service Accounts in the cluster and use this information to progress towards its attack objectives.", + "modified": "2022-12-05T07:54:00.000Z", + "name": "Backdoor container", + "description": "Attackers run their malicious code in a container in the cluster. 
By using the Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers run in one, or all, the nodes in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "discovery" + "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubernetes%20API%20server", - "external_id": "MS-TA9029" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Backdoor%20container", + "external_id": "MS-TA9012" } ], "x_mitre_domains": [ @@ -1200,7 +1204,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1613" + "T1543" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1211,28 +1215,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "id": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Application credentials in configuration files", - "description": "Developers store secrets in the Kubernetes configuration files, such as environment variables in the pod configuration. Such behavior is commonly seen in clusters that are monitored by Microsoft Defender for Cloud. Attackers who have access to those configurations, by querying the API server or by accessing those files on the developer\u2019s endpoint, can steal the stored secrets and use them.\n\nUsing those credentials attackers may gain access to additional resources inside and outside the cluster.", + "name": "Pod or container name similarity", + "description": "Pods that are created by controllers such as Deployment or DaemonSet have random suffix in their names. Attackers can use this fact and name their backdoor pods as they were created by the existing controllers. 
For example, an attacker could create a malicious pod named coredns-{random suffix} which would look related to the CoreDNS Deployment.\n\nAlso, attackers can deploy their containers in the kube-system namespace where the administrative containers reside.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "tmfk", - "phase_name": "lateral-movement" + "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20credentials%20in%20configuration%20files", - "external_id": "MS-TA9027" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarity", + "external_id": "MS-TA9023" } ], "x_mitre_domains": [ @@ -1240,7 +1240,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552" + "T1036.005" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1251,24 +1251,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "id": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Data destruction", - "description": "Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources.", + "name": "Access Managed Identity credentials", + "description": "Managed identities are identities that are managed by the cloud provider and can be allocated to cloud resources, such as virtual machines. Those identities are used to authenticate with cloud services. The identity\u2019s secret is fully managed by the cloud provider, which eliminates the need to manage the credentials. Applications can obtain the identity\u2019s token by accessing the Instance Metadata Service (IMDS). Attackers who get access to a Kubernetes pod can leverage their access to the IMDS endpoint to get the managed identity\u2019s token. With a token, the attackers can access cloud resources.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "impact" + "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction", - "external_id": "MS-TA9038" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Managed%20Identity%20credentials", + "external_id": "MS-TA9028" } ], "x_mitre_domains": [ @@ -1276,7 +1276,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1485" + "T1552.005" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1320,24 +1320,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", + "id": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Denial of service", - "description": "Attackers may attempt to perform a denial of service attack, which makes the service unavailable to the legitimate users. In container clusters, this include attempts to block the availability of the containers themselves, the underlying nodes, or the API server.", + "modified": "2022-10-25T08:08:39.000Z", + "name": "Access Kubelet API", + "description": "Kubelet is the Kubernetes agent that is installed on each node. Kubelet is responsible for the proper execution of pods that are assigned to the node. Kubelet exposes a read-only API service that does not require authentication (TCP port 10255). Attackers with network access to the host (for example, via running code on a compromised container) can send API requests to the Kubelet API. Specifically querying https://[NODE IP]:10255/pods/ retrieves the running pods on the node. https://[NODE IP]:10255/spec/ retrieves information about the node itself, such as CPU and memory consumption.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "impact" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Denial%20of%20service", - "external_id": "MS-TA9040" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubelet%20API", + "external_id": "MS-TA9030" } ], "x_mitre_domains": [ 
@@ -1345,8 +1345,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1498", - "T1499" + "T1613" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1357,24 +1356,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", + "id": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Clear container logs", - "description": "Attackers may delete the application or OS logs on a compromised container in an attempt to prevent detection of their activity.", + "name": "Images from a private registry", + "description": "The images that are running in the cluster can be stored in a private registry. For pulling those images, the container runtime engine (such as Docker or containerd) needs to have valid credentials to those registries. If the registry is hosted by the cloud provider, in services like Azure Container Registry (ACR) or Amazon Elastic Container Registry (ECR), cloud credentials are used to authenticate to the registry. If attackers get access to the cluster, in some cases they can obtain access to the private registry and pull its images. For example, attackers can use the managed identity token as described in the \u201cAccess managed identity credential\u201d technique. Similarly, in EKS, attackers can use the AmazonEC2ContainerRegistryReadOnly policy that is bound by default to the node\u2019s IAM role.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "defense-evasion" + "phase_name": "collection" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Clear%20container%20logs", - "external_id": "MS-TA9021" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Images%20from%20a%20private%20registry", + "external_id": "MS-TA9037" } ], "x_mitre_domains": [ 
@@ -1382,7 +1381,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1070" + "T1530" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1393,60 +1392,32 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", + "id": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-12-05T07:54:00.000Z", - "name": "Sidecar injection", - "description": "A Kubernetes Pod is a group of one or more containers with shared storage and network resources. Sidecar container is a term that is used to describe an additional container that resides alongside the main container. For example, service-mesh proxies are operating as sidecars in the applications\u2019 pods. Attackers can run their code and hide their activity by injecting a sidecar container to a legitimate pod in the cluster instead of running their own separated pod in the cluster.", + "name": "Writable hostPath mount", + "description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. 
For example, the latter can be achieved by creating a cron job on the host.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "execution" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "external_references": [ + "phase_name": "persistence" + }, { - "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20injection", - "external_id": "MS-TA9011" - } - ], - "x_mitre_domains": [ - "tmfk" - ], - "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "x_mitre_ids": [ - "T1610" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Kubernetes" - ], - "x_mitre_version": "1.0" - }, - { - "type": "attack-pattern", - "spec_version": "2.1", - "id": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", - "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Access Managed Identity credentials", - "description": "Managed identities are identities that are managed by the cloud provider and can be allocated to cloud resources, such as virtual machines. Those identities are used to authenticate with cloud services. The identity\u2019s secret is fully managed by the cloud provider, which eliminates the need to manage the credentials. Applications can obtain the identity\u2019s token by accessing the Instance Metadata Service (IMDS). Attackers who get access to a Kubernetes pod can leverage their access to the IMDS endpoint to get the managed identity\u2019s token. 
With a token, the attackers can access cloud resources.", - "kill_chain_phases": [ + "kill_chain_name": "tmfk", + "phase_name": "privilege-escalation" + }, { "kill_chain_name": "tmfk", - "phase_name": "credential-access" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Managed%20Identity%20credentials", - "external_id": "MS-TA9028" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount", + "external_id": "MS-TA9013" } ], "x_mitre_domains": [ @@ -1454,7 +1425,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552.005" + "T1611" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1501,30 +1472,33 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "id": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "SSH server running inside container", - "description": "SSH server that is running inside a container may be used by attackers. If attackers gain valid credentials to a container, whether by brute force attempts or by other methods (such as phishing), they can use it to get remote access to the container by SSH.", + "name": "Using cloud credentials", + "description": "In cases where the Kubernetes cluster is deployed in a public cloud (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to cluster takeover. Attackers who have access to the cloud account credentials can get access to the cluster\u2019s management layer.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "execution" + "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container", - "external_id": "MS-TA9010" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Using%20cloud%20credentials", + "external_id": "MS-TA9001" } ], "x_mitre_domains": [ "tmfk" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "x_mitre_ids": [ + "T1078.004" + ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" 
@@ -1534,24 +1508,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", + "id": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-12-05T07:54:00.000Z", - "name": "New container", - "description": "Attackers may attempt to run their code in the cluster by deploying a container. Attackers who have permissions to deploy a pod or a controller in the cluster (such as DaemonSet \\ ReplicaSet\\ Deployment) can create a new resource for running their code.", + "name": "Mount service principal", + "description": "When the cluster is deployed in the cloud, in some cases attackers can leverage their access to a container in the cluster to gain cloud credentials. For example, in AKS each node contains service principal credential.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "execution" + "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/New%20container", - "external_id": "MS-TA9008" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Mount%20service%20principal", + "external_id": "MS-TA9026" } ], "x_mitre_domains": [ @@ -1559,7 +1533,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1610" + "T1552.001" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1570,28 +1544,28 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", + "id": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-31T06:43:11.000Z", - "name": "Exposed sensitive interfaces", - "description": "Exposing a sensitive interface to the internet or within a cluster without strong authentication poses a security risk. Some popular cluster management services were not intended to be exposed to the internet, and therefore don\u2019t require authentication by default. Thus, exposing such services to the internet allows unauthenticated access to a sensitive interface which might enable running code or deploying containers in the cluster by a malicious actor. Examples of such interfaces that were seen exploited include Apache NiFi, Kubeflow, Argo Workflows, Weave Scope, and the Kubernetes dashboard.\n\nIn addition, having such services exposed within the cluster network without strong authentication can also allow an attacker to collect information about other workloads deployed to the cluster.\nThe Kubernetes dashboard is an example of such a service that is used for monitoring and managing the Kubernetes cluster. The dashboard allows users to perform actions in the cluster using its service account (kubernetes-dashboard) with permissions that are determined by the binding or cluster-binding for this service account. Attackers who gain access to a container in the cluster, can use its network access to the dashboard pod. 
Consequently, attackers may retrieve information about the various resources in the cluster using the dashboard\u2019s identity.", + "modified": "2023-01-23T19:22:40.000Z", + "name": "Access cloud resources", + "description": "If the Kubernetes cluster is deployed in the cloud, in some cases attackers can leverage their access to a single container to get access to other cloud resources outside the cluster. For example, AKS uses several managed identities that are attached to the nodes, for the cluster operation. Similar identities exist also in EKS and GKE (EC2 roles and IAM service accounts, respectively). By default, running pods can retrieve the identities which in some configurations have privileged permissions. Therefore, if attackers gain access to a running pod in the cluster, they can leverage the identities to access external cloud resources.\n\nAlso, AKS has an option to authenticate with Azure using a service principal. When this option is enabled, each node stores service principal credentials that are located in /etc/kubernetes/azure.json. AKS uses this service principal to create and manage Azure resources that are needed for the cluster operation. By default, the service principal has contributor permissions in the cluster\u2019s Resource Group. 
Attackers who get access to this service principal file (by hostPath mount, for example) can use its credentials to access or modify the cloud resources.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "initial-access" + "phase_name": "privilege-escalation" }, { "kill_chain_name": "tmfk", - "phase_name": "discovery" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exposed%20sensitive%20interfaces", - "external_id": "MS-TA9005" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20cloud%20resources", + "external_id": "MS-TA9020" } ], "x_mitre_domains": [ @@ -1599,7 +1573,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1133" + "T1078.004" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1610,24 +1584,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", + "id": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Delete Kubernetes events", - "description": "A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster. Example events are a container creation, an image pull, or a pod scheduling on a node.\n\nKubernetes events can be very useful for identifying changes that occur in the cluster. Therefore, attackers may want to delete these events (e.g., by using: \u201ckubectl delete events\u2013all\u201d) in an attempt to avoid detection of their activity in the cluster.", + "name": "Access Kubernetes API server", + "description": "The Kubernetes API server is the gateway to the cluster. Actions in the cluster are performed by sending various requests to the RESTful API. The status of the cluster, which includes all the components that are deployed on it, can be retrieved by the API server. Attackers may send API requests to probe the cluster and get information about containers, secrets, and other resources in the cluster.\n\nIn addition, the Kubernetes API server can also be used to query information about Role Based Access (RBAC) information such as Roles, ClusterRoles, RoleBinding, ClusterRoleBinding and Service Accounts. 
Attacker may use this information to discover permissions and access associated with Service Accounts in the cluster and use this information to progress towards its attack objectives.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "defense-evasion" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20Kubernetes%20events", - "external_id": "MS-TA9022" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubernetes%20API%20server", + "external_id": "MS-TA9029" } ], "x_mitre_domains": [ @@ -1635,7 +1609,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1070" + "T1613" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1646,32 +1620,28 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", + "id": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "Writable hostPath mount", - "description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.", + "modified": "2022-10-31T06:43:11.000Z", + "name": "Exposed sensitive interfaces", + "description": "Exposing a sensitive interface to the internet or within a cluster without strong authentication poses a security risk. Some popular cluster management services were not intended to be exposed to the internet, and therefore don\u2019t require authentication by default. Thus, exposing such services to the internet allows unauthenticated access to a sensitive interface which might enable running code or deploying containers in the cluster by a malicious actor. Examples of such interfaces that were seen exploited include Apache NiFi, Kubeflow, Argo Workflows, Weave Scope, and the Kubernetes dashboard.\n\nIn addition, having such services exposed within the cluster network without strong authentication can also allow an attacker to collect information about other workloads deployed to the cluster.\nThe Kubernetes dashboard is an example of such a service that is used for monitoring and managing the Kubernetes cluster. The dashboard allows users to perform actions in the cluster using its service account (kubernetes-dashboard) with permissions that are determined by the binding or cluster-binding for this service account. 
Attackers who gain access to a container in the cluster, can use its network access to the dashboard pod. Consequently, attackers may retrieve information about the various resources in the cluster using the dashboard\u2019s identity.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "persistence" - }, - { - "kill_chain_name": "tmfk", - "phase_name": "privilege-escalation" + "phase_name": "initial-access" }, { "kill_chain_name": "tmfk", - "phase_name": "lateral-movement" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount", - "external_id": "MS-TA9013" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exposed%20sensitive%20interfaces", + "external_id": "MS-TA9005" } ], "x_mitre_domains": [ @@ -1679,7 +1649,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1611" + "T1133" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1690,24 +1660,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", + "id": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "Mount service principal", - "description": "When the cluster is deployed in the cloud, in some cases attackers can leverage their access to a container in the cluster to gain cloud credentials. For example, in AKS each node contains service principal credential.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Resource hijacking", + "description": "Attackers may abuse a compromised resource for running tasks. A common abuse is to use compromised resources for running digital currency mining. Attackers who have access to a container in the cluster or have permissions to create new containers may use them for such activity.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "credential-access" + "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Mount%20service%20principal", - "external_id": "MS-TA9026" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Resource%20hijacking", + "external_id": "MS-TA9039" } ], "x_mitre_domains": [ @@ -1715,7 +1685,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552.001" + "T1496" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1726,24 +1696,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "id": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Application exploit (RCE)", - "description": "An application that is deployed in the cluster and is vulnerable to a remote code execution vulnerability, or a vulnerability that eventually allows code execution, enables attackers to run code in the cluster. If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.", + "name": "List Kubernetes secrets", + "description": "A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "execution" + "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20exploit%20(RCE)", - "external_id": "MS-TA9009" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20Kubernetes%20secrets", + "external_id": "MS-TA9025" } ], "x_mitre_domains": [ @@ -1751,7 +1721,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1190" + "T1552.007" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1762,13 +1732,17 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "id": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "List Kubernetes secrets", - "description": "A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.", + "name": "Malicious admission controller", + "description": "Admission controller is a Kubernetes component that intercepts, and possibly modifies, requests to the Kubernetes API server. There are two types of admissions controllers: validating and mutating controllers. As the name implies, a mutating admission controller can modify the intercepted request and change its properties. Kubernetes has a built-in generic admission controller named MutatingAdmissionWebhook. The behavior of this admission controller is determined by an admission webhook that the user deploys in the cluster. Attackers can use such webhooks for gaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.", "kill_chain_phases": [ + { + "kill_chain_name": "tmfk", + "phase_name": "persistence" + }, { "kill_chain_name": "tmfk", "phase_name": "credential-access" 
@@ -1778,8 +1752,8 @@ "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20Kubernetes%20secrets", - "external_id": "MS-TA9025" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Malicious%20admission%20controller", + "external_id": "MS-TA9015" } ], "x_mitre_domains": [ @@ -1787,7 +1761,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552.007" + "T1546" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1798,24 +1772,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", + "id": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "ARP poisoning and IP spoofing", - "description": "Kubernetes has numerous network plugins (Container Network Interfaces or CNIs) that can be used in the cluster. Kubenet is the basic, and in many cases the default, network plugin. In this configuration, a bridge is created on each node (cbr0) to which the various pods are connected using veth pairs. The fact that cross-pod traffic is through a bridge, a level-2 component, means that performing ARP poisoning in the cluster is possible. Therefore, if attackers get access to a pod in the cluster, they can perform ARP poisoning, and spoof the traffic of other pods. By using this technique, attackers can perform several attacks at the network-level which can lead to lateral movements, such as DNS spoofing or stealing cloud identities of other pods (CVE-2021-1677).", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Connect from proxy server", + "description": "Attackers may use proxy servers to hide their origin IP. Specifically, attackers often use anonymous networks such as TOR for their activity. 
This can be used for communicating with the applications themselves or with the API server.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "lateral-movement" + "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/ARP%20poisoning%20and%20IP%20spoofing", - "external_id": "MS-TA9036" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Connect%20from%20proxy%20server", + "external_id": "MS-TA9024" } ], "x_mitre_domains": [ @@ -1823,7 +1797,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1557" + "T1090" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1834,24 +1808,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "id": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-25T08:08:39.000Z", - "name": "Access Kubelet API", - "description": "Kubelet is the Kubernetes agent that is installed on each node. Kubelet is responsible for the proper execution of pods that are assigned to the node. Kubelet exposes a read-only API service that does not require authentication (TCP port 10255). Attackers with network access to the host (for example, via running code on a compromised container) can send API requests to the Kubelet API. Specifically querying https://[NODE IP]:10255/pods/ retrieves the running pods on the node. https://[NODE IP]:10255/spec/ retrieves information about the node itself, such as CPU and memory consumption.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Compromised image In registry", + "description": "Running a compromised image in a cluster can compromise the cluster. Attackers who get access to a private registry can plant their own compromised images in the registry. The latter can then be pulled by a user. In addition, users often use untrusted images from public registries (such as Docker Hub) that may be malicious.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "discovery" + "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubelet%20API", - "external_id": "MS-TA9030" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Compromised%20image%20In%20registry", + "external_id": "MS-TA9002" } ], "x_mitre_domains": [ 
@@ -1859,7 +1833,8 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1613" + "T1195.002", + "T1525" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ @@ -1870,24 +1845,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "id": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-27T17:00:14.000Z", - "name": "Kubeconfig file", - "description": "The kubeconfig file, also used by kubectl, contains details about Kubernetes clusters including their location and credentials. If the cluster is hosted as a cloud service (such as AKS or GKE), this file is downloaded to the client via cloud commands (e.g., az aks get-credentialfor AKS or gcloud container clusters get-credentialsfor GKE).\n\nIf attackers get access to this file, for instance via a compromised client, they can use it for accessing the clusters.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "SSH server running inside container", + "description": "SSH server that is running inside a container may be used by attackers. If attackers gain valid credentials to a container, whether by brute force attempts or by other methods (such as phishing), they can use it to get remote access to the container by SSH.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "initial-access" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Kubeconfig%20file", - "external_id": "MS-TA9003" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container", + "external_id": "MS-TA9010" } ], "x_mitre_domains": [ 
@@ -1903,32 +1878,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", + "id": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-02T18:11:12.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Container service account", - "description": "Service account (SA) represents an application identity in Kubernetes. By default, a Service Account access token is mounted to every created pod in the cluster and containers in the pod can send requests to the Kubernetes API server using the Service Account credentials. Attackers who get access to a pod can access the Service Account token (located in /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster, according to the Service Account permissions. If RBAC is not enabled, the Service Account has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings \\ ClusterRoleBindings that are associated with it.\n\nAn attacker which get access to the Service Account token can also authenticate and access the Kubernetes API server from outside the cluster and maintain access to the cluster.", + "created": "2022-10-02T14:34:35.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "name": "Privileged container", + "description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. 
Attackers who gain access to a privileged container, or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "credential-access" - }, - { - "kill_chain_name": "tmfk", - "phase_name": "lateral-movement" - }, - { - "kill_chain_name": "tmfk", - "phase_name": "persistence" + "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Container%20service%20account", - "external_id": "MS-TA9016" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container", + "external_id": "MS-TA9018" } ], "x_mitre_domains": [ @@ -1936,7 +1903,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1528" + "T1610" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1947,24 +1914,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "id": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Exec into container", - "description": "Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (\u201ckubectl exec\u201d). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using \u201ckubectl exec\u201d.", + "modified": "2022-10-27T17:00:14.000Z", + "name": "Cluster-admin binding", + "description": "Role-based access control (RBAC) is a key security feature in Kubernetes. RBAC can restrict the allowed actions of the various identities in the cluster. Cluster-admin is a built-in high privileged role in Kubernetes. Attackers who have permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "execution" + "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container", - "external_id": "MS-TA9006" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster-admin%20binding", + "external_id": "MS-TA9019" } ], "x_mitre_domains": [ @@ -1972,7 +1939,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1609" + "T1078.003" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -1983,24 +1950,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", + "id": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Network mapping", - "description": "Attackers may try to map the cluster network to get information on the running applications, including scanning for known vulnerabilities. By default, there is no restriction on pods communication in Kubernetes. Therefore, attackers who gain access to a single container, may use it to probe the network.", + "modified": "2022-12-05T07:54:00.000Z", + "name": "New container", + "description": "Attackers may attempt to run their code in the cluster by deploying a container. Attackers who have permissions to deploy a pod or a controller in the cluster (such as DaemonSet \\ ReplicaSet\\ Deployment) can create a new resource for running their code.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "discovery" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Network%20mapping", - "external_id": "MS-TA9031" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/New%20container", + "external_id": "MS-TA9008" } ], "x_mitre_domains": [ @@ -2008,7 +1975,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1046" + "T1610" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2019,24 +1986,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", + "id": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-25T08:08:39.000Z", - "name": "Instance Metadata API", - "description": "Cloud providers provide instance metadata service for retrieving information about the virtual machine, such as network configuration, disks, and SSH public keys. This service is accessible to the VMs via a non-routable IP address that can be accessed from within the VM only. Attackers who gain access to a container, may query the metadata API service for getting information about the underlying node. For example, in Azure, the following request would retrieve all the metadata information of an instance: http:///metadata/instance?api-version=2019-06-01", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Cluster internal networking", + "description": "Kubernetes networking behavior allows traffic between pods in the cluster as a default behavior. Attackers who gain access to a single container may use it for network reachability to another container in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "discovery" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Instance%20Metadata%20API", - "external_id": "MS-TA9033" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster%20internal%20networking", + "external_id": "MS-TA9034" } ], "x_mitre_domains": [ 
@@ -2044,7 +2011,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1552.005" + "T1210" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2055,33 +2022,30 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", + "id": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-02T14:34:35.000Z", + "created": "2022-10-03T08:10:16.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Resource hijacking", - "description": "Attackers may abuse a compromised resource for running tasks. A common abuse is to use compromised resources for running digital currency mining. Attackers who have access to a container in the cluster or have permissions to create new containers may use them for such activity.", + "name": "Static pods", + "description": "Static Pods are created and managed by the the kubelet daemon on each node, without the API server observing them. Kubelet watches each static pod and restart it if it fails.\n\nKubelet automatically tries to create a mirror pod on the Kubernetes API server to represent the static pods, so it will be visible on the API server, however the pods cannot be controlled from there.\n\nStatic Pods are created based on a web or local filesystem YAML files which kubelet observes for changes.\nAn attacker can use the static pods manifest file to ensure that a pod is always running on a cluster node and prevent it from being changed or deleted from the Kubernetes API server.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "impact" + "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Resource%20hijacking", - "external_id": "MS-TA9039" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Static%20pods", + "external_id": "MS-TA9017" } ], "x_mitre_domains": [ "tmfk" ], "x_mitre_modified_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "x_mitre_ids": [ - "T1496" - ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" 
@@ -2091,24 +2055,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", + "id": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Compromised image In registry", - "description": "Running a compromised image in a cluster can compromise the cluster. Attackers who get access to a private registry can plant their own compromised images in the registry. The latter can then be pulled by a user. In addition, users often use untrusted images from public registries (such as Docker Hub) that may be malicious.", + "modified": "2022-10-25T08:08:39.000Z", + "name": "Instance Metadata API", + "description": "Cloud providers provide instance metadata service for retrieving information about the virtual machine, such as network configuration, disks, and SSH public keys. This service is accessible to the VMs via a non-routable IP address that can be accessed from within the VM only. Attackers who gain access to a container, may query the metadata API service for getting information about the underlying node. For example, in Azure, the following request would retrieve all the metadata information of an instance: http:///metadata/instance?api-version=2019-06-01", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "initial-access" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Compromised%20image%20In%20registry", - "external_id": "MS-TA9002" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Instance%20Metadata%20API", + "external_id": "MS-TA9033" } ], "x_mitre_domains": [ 
@@ -2116,8 +2080,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1195.002", - "T1525" + "T1552.005" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ @@ -2128,12 +2091,12 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "id": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Using cloud credentials", - "description": "In cases where the Kubernetes cluster is deployed in a public cloud (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to cluster takeover. Attackers who have access to the cloud account credentials can get access to the cluster\u2019s management layer.", + "modified": "2022-10-27T17:00:14.000Z", + "name": "Kubeconfig file", + "description": "The kubeconfig file, also used by kubectl, contains details about Kubernetes clusters including their location and credentials. If the cluster is hosted as a cloud service (such as AKS or GKE), this file is downloaded to the client via cloud commands (e.g., az aks get-credentialfor AKS or gcloud container clusters get-credentialsfor GKE).\n\nIf attackers get access to this file, for instance via a compromised client, they can use it for accessing the clusters.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", 
@@ -2144,17 +2107,14 @@ "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Using%20cloud%20credentials", - "external_id": "MS-TA9001" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Kubeconfig%20file", + "external_id": "MS-TA9003" } ], "x_mitre_domains": [ "tmfk" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "x_mitre_ids": [ - "T1078.004" - ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" 
@@ -2164,30 +2124,33 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", + "id": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2022-10-03T08:10:16.000Z", + "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Static pods", - "description": "Static Pods are created and managed by the the kubelet daemon on each node, without the API server observing them. Kubelet watches each static pod and restart it if it fails.\n\nKubelet automatically tries to create a mirror pod on the Kubernetes API server to represent the static pods, so it will be visible on the API server, however the pods cannot be controlled from there.\n\nStatic Pods are created based on a web or local filesystem YAML files which kubelet observes for changes.\nAn attacker can use the static pods manifest file to ensure that a pod is always running on a cluster node and prevent it from being changed or deleted from the Kubernetes API server.", + "name": "Delete Kubernetes events", + "description": "A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster. Example events are a container creation, an image pull, or a pod scheduling on a node.\n\nKubernetes events can be very useful for identifying changes that occur in the cluster. 
Therefore, attackers may want to delete these events (e.g., by using: \u201ckubectl delete events\u2013all\u201d) in an attempt to avoid detection of their activity in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "persistence" + "phase_name": "defense-evasion" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Static%20pods", - "external_id": "MS-TA9017" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20Kubernetes%20events", + "external_id": "MS-TA9022" } ], "x_mitre_domains": [ "tmfk" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "x_mitre_ids": [ + "T1070" + ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Kubernetes" 
@@ -2197,24 +2160,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", + "id": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-25T08:08:39.000Z", - "name": "CoreDNS poisoning", - "description": "CoreDNS is a modular Domain Name System (DNS) server written in Go, hosted by Cloud Native Computing Foundation (CNCF). CoreDNS is the main DNS service that is being used in Kubernetes. The configuration of CoreDNS can be modified by a file named corefile. In Kubernetes, this file is stored in a ConfigMap object, located at the kube-system namespace. If attackers have permissions to modify the ConfigMap, for example by using the container\u2019s service account, they can change the behavior of the cluster\u2019s DNS, poison it, and take the network identity of other services.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Network mapping", + "description": "Attackers may try to map the cluster network to get information on the running applications, including scanning for known vulnerabilities. By default, there is no restriction on pods communication in Kubernetes. Therefore, attackers who gain access to a single container, may use it to probe the network.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "lateral-movement" + "phase_name": "discovery" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/CoreDNS%20poisoning", - "external_id": "MS-TA9035" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Network%20mapping", + "external_id": "MS-TA9031" } ], "x_mitre_domains": [ 
@@ -2222,7 +2185,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1557" + "T1046" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2233,24 +2196,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", + "id": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Pod or container name similarity", - "description": "Pods that are created by controllers such as Deployment or DaemonSet have random suffix in their names. Attackers can use this fact and name their backdoor pods as they were created by the existing controllers. For example, an attacker could create a malicious pod named coredns-{random suffix} which would look related to the CoreDNS Deployment.\n\nAlso, attackers can deploy their containers in the kube-system namespace where the administrative containers reside.", + "modified": "2022-12-05T07:54:00.000Z", + "name": "Sidecar injection", + "description": "A Kubernetes Pod is a group of one or more containers with shared storage and network resources. Sidecar container is a term that is used to describe an additional container that resides alongside the main container. For example, service-mesh proxies are operating as sidecars in the applications\u2019 pods. Attackers can run their code and hide their activity by injecting a sidecar container to a legitimate pod in the cluster instead of running their own separated pod in the cluster.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "defense-evasion" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarity", - "external_id": "MS-TA9023" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20injection", + "external_id": "MS-TA9011" } ], "x_mitre_domains": [ 
@@ -2258,7 +2221,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1036.005" + "T1610" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2269,24 +2232,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "id": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-10-28T11:26:39.000Z", - "name": "Connect from proxy server", - "description": "Attackers may use proxy servers to hide their origin IP. Specifically, attackers often use anonymous networks such as TOR for their activity. This can be used for communicating with the applications themselves or with the API server.", + "modified": "2022-12-05T07:54:00.000Z", + "name": "ARP poisoning and IP spoofing", + "description": "Kubernetes has numerous network plugins (Container Network Interfaces or CNIs) that can be used in the cluster. Kubenet is the basic, and in many cases the default, network plugin. In this configuration, a bridge is created on each node (cbr0) to which the various pods are connected using veth pairs. The fact that cross-pod traffic is through a bridge, a level-2 component, means that performing ARP poisoning in the cluster is possible. Therefore, if attackers get access to a pod in the cluster, they can perform ARP poisoning, and spoof the traffic of other pods. 
By using this technique, attackers can perform several attacks at the network-level which can lead to lateral movements, such as DNS spoofing or stealing cloud identities of other pods (CVE-2021-1677).", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "defense-evasion" + "phase_name": "lateral-movement" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Connect%20from%20proxy%20server", - "external_id": "MS-TA9024" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/ARP%20poisoning%20and%20IP%20spoofing", + "external_id": "MS-TA9036" } ], "x_mitre_domains": [ @@ -2294,7 +2257,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1090" + "T1557" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2305,28 +2268,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", + "id": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Malicious admission controller", - "description": "Admission controller is a Kubernetes component that intercepts, and possibly modifies, requests to the Kubernetes API server. There are two types of admissions controllers: validating and mutating controllers. As the name implies, a mutating admission controller can modify the intercepted request and change its properties. Kubernetes has a built-in generic admission controller named MutatingAdmissionWebhook. The behavior of this admission controller is determined by an admission webhook that the user deploys in the cluster. Attackers can use such webhooks for gaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.", + "name": "Application vulnerability", + "description": "Running a public-facing vulnerable application in a cluster can enable initial access to the cluster. A container that runs an application that is vulnerable to remote code execution vulnerability (RCE) may be exploited. 
If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "persistence" - }, - { - "kill_chain_name": "tmfk", - "phase_name": "credential-access" + "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Malicious%20admission%20controller", - "external_id": "MS-TA9015" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20vulnerability", + "external_id": "MS-TA9004" } ], "x_mitre_domains": [ @@ -2334,7 +2293,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1546" + "T1190" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2345,24 +2304,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "id": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Application vulnerability", - "description": "Running a public-facing vulnerable application in a cluster can enable initial access to the cluster. A container that runs an application that is vulnerable to remote code execution vulnerability (RCE) may be exploited. If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.", + "name": "Application exploit (RCE)", + "description": "An application that is deployed in the cluster and is vulnerable to a remote code execution vulnerability, or a vulnerability that eventually allows code execution, enables attackers to run code in the cluster. If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "initial-access" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20vulnerability", - "external_id": "MS-TA9004" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20exploit%20(RCE)", + "external_id": "MS-TA9009" } ], "x_mitre_domains": [ 
@@ -2381,24 +2340,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", + "id": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Cluster internal networking", - "description": "Kubernetes networking behavior allows traffic between pods in the cluster as a default behavior. Attackers who gain access to a single container may use it for network reachability to another container in the cluster.", + "name": "Exec into container", + "description": "Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (\u201ckubectl exec\u201d). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using \u201ckubectl exec\u201d.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "lateral-movement" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster%20internal%20networking", - "external_id": "MS-TA9034" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container", + "external_id": "MS-TA9006" } ], "x_mitre_domains": [ @@ -2406,7 +2365,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1210" + "T1609" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2417,24 +2376,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", + "id": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", - "modified": "2022-12-05T07:54:00.000Z", - "name": "Backdoor container", - "description": "Attackers run their malicious code in a container in the cluster. By using the Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers run in one, or all, the nodes in the cluster.", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Bash or cmd inside container", + "description": "Attackers who have permissions to run a cmd/bash script inside a container can use it to execute malicious code and compromise cluster resources.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "persistence" + "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Backdoor%20container", - "external_id": "MS-TA9012" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Bash%20or%20cmd%20inside%20container", + "external_id": "MS-TA9007" } ], "x_mitre_domains": [ @@ -2442,7 +2401,7 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1543" + "T1059" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2453,24 +2412,24 @@ { "type": "attack-pattern", "spec_version": "2.1", - "id": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", + "id": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-10-02T14:34:35.000Z", "modified": "2022-10-28T11:26:39.000Z", - "name": "Images from a private registry", - "description": "The images that are running in the cluster can be stored in a private registry. For pulling those images, the container runtime engine (such as Docker or containerd) needs to have valid credentials to those registries. If the registry is hosted by the cloud provider, in services like Azure Container Registry (ACR) or Amazon Elastic Container Registry (ECR), cloud credentials are used to authenticate to the registry. If attackers get access to the cluster, in some cases they can obtain access to the private registry and pull its images. For example, attackers can use the managed identity token as described in the \u201cAccess managed identity credential\u201d technique. Similarly, in EKS, attackers can use the AmazonEC2ContainerRegistryReadOnly policy that is bound by default to the node\u2019s IAM role.", + "name": "Denial of service", + "description": "Attackers may attempt to perform a denial of service attack, which makes the service unavailable to the legitimate users. 
In container clusters, this include attempts to block the availability of the containers themselves, the underlying nodes, or the API server.", "kill_chain_phases": [ { "kill_chain_name": "tmfk", - "phase_name": "collection" + "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "tmfk", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Images%20from%20a%20private%20registry", - "external_id": "MS-TA9037" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Denial%20of%20service", + "external_id": "MS-TA9040" } ], "x_mitre_domains": [ @@ -2478,7 +2437,8 @@ ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_ids": [ - "T1530" + "T1498", + "T1499" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ 
@@ -2487,100 +2447,72 @@ "x_mitre_version": "1.0" }, { - "type": "course-of-action", + "type": "attack-pattern", "spec_version": "2.1", - "id": "course-of-action--ac59938a-311a-4b1d-ab0d-ca2d475e284c", - "created": "2024-05-08T15:22:56.105508Z", - "modified": "2024-05-08T15:22:56.105508Z", - "name": "Restrict the usage of unauthenticated APIs in the cluster", - "description": "Some unmanaged clusters are misconfigured such as anonymous access is accepted by the Kubernetes API server. Make sure that the Kubernetes API is configured properly, and authentication and authorization mechanisms are set.", - "external_references": [ + "id": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "created": "2022-10-02T14:34:35.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "name": "Application credentials in configuration files", + "description": "Developers store secrets in the Kubernetes configuration files, such as environment variables in the pod configuration. Such behavior is commonly seen in clusters that are monitored by Microsoft Defender for Cloud. 
Attackers who have access to those configurations, by querying the API server or by accessing those files on the developer\u2019s endpoint, can steal the stored secrets and use them.\n\nUsing those credentials attackers may gain access to additional resources inside and outside the cluster.", + "kill_chain_phases": [ { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9021%20Restrict%20the%20usage%20of%20unauthenticated%20APIs%20in%20the%20cluster/", - "external_id": "MS-M9021" + "kill_chain_name": "tmfk", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "tmfk", + "phase_name": "lateral-movement" } - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--684df523-a6e2-4963-b89c-12e3c6a59b77", - "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.105747Z", - "modified": "2024-05-08T15:22:56.105747Z", - "description": "Some unmanaged clusters are misconfigured such as anonymous access is accepted by the Kubernetes API server", - "relationship_type": "mitigates", - "source_ref": "course-of-action--ac59938a-311a-4b1d-ab0d-ca2d475e284c", - "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_domains": [ - "tmfk" ], - "x_mitre_version": "0.1", - "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" - }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--e1617893-3f7b-4be8-ad56-893bfa3759cd", - "created": "2024-05-08T15:22:56.107717Z", - "modified": "2024-05-08T15:22:56.107717Z", - "name": "Use CNIs that are not prone to ARP poisoning", - "description": "Kubernetes default CNI (Kubenet) is prone to ARP poisoning. 
This allows pods to impersonate other pods in the cluster.\nUse alternative CNIs that are not prone to ARP poisoning in the cluster.", + "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9028%20Use%20CNIs%20that%20are%20not%20prone%20to%20ARP%20poisoning/", - "external_id": "MS-M9028" + "source_name": "tmfk", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20credentials%20in%20configuration%20files", + "external_id": "MS-TA9027" } - ] - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--a505b3a7-d08a-4407-85a4-3cb849dd80c4", - "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.107829Z", - "modified": "2024-05-08T15:22:56.107829Z", - "description": "Kubernetes default CNI (Kubenet) is prone to ARP poisoning", - "relationship_type": "mitigates", - "source_ref": "course-of-action--e1617893-3f7b-4be8-ad56-893bfa3759cd", - "target_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", - "x_mitre_attack_spec_version": "2.1.0", + ], "x_mitre_domains": [ "tmfk" ], - "x_mitre_version": "0.1", - "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" + "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "x_mitre_ids": [ + "T1552" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Kubernetes" + ], + "x_mitre_version": "1.0" }, { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--4b77406c-6862-489f-b6a4-5d9da04bf053", - "created": "2024-05-08T15:22:56.110187Z", - "modified": "2024-05-08T15:22:56.110187Z", - "name": "Allocate specific identities to pods", - "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity. 
This prevents other pods from accessing cloud identities that are not necessary for their operation. The features that implement this separation are: Azure AD Pod Identity (AKS), Azure AD Workload identity (AKS), IRSA (EKS) and GCP Workload Identity (GCP).", + "id": "course-of-action--55d8b50b-d044-4a03-b1ef-6553f3aed34d", + "created": "2024-05-15T03:39:49.593404Z", + "modified": "2024-05-15T03:39:49.593404Z", + "name": "Ensure that pods meet defined Pod Security Standards", + "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum. These policies are cumulative and range from highly-permissive to highly-restrictive. Decoupling policy definition from policy instantiation allows for a common understanding and consistent language of policies across clusters, independent of the underlying enforcement mechanism. At the same time, Kubernetes offers a built-in Pod Security admission controller to enforce the Pod Security Standards. Pod security restrictions are applied at the namespace level when pods are created.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9019%20Allocate%20specific%20identities%20to%20pods/", - "external_id": "MS-M9019" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9017%20Ensure%20that%20pods%20meet%20defined%20Pod%20Security%20Standards/", + "external_id": "MS-M9017" } ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--dddf5766-1f08-477d-bbde-0edb594df29f", + "id": "relationship--1cee926a-5ce2-4ac5-941a-de6484007cc7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.110305Z", - "modified": "2024-05-08T15:22:56.110305Z", - "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity", + "created": 
"2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum", "relationship_type": "mitigates", - "source_ref": "course-of-action--4b77406c-6862-489f-b6a4-5d9da04bf053", - "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", + "source_ref": "course-of-action--55d8b50b-d044-4a03-b1ef-6553f3aed34d", + "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -2591,14 +2523,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--bd30de10-b0a9-4286-a31d-7c1cbd369f96", + "id": "relationship--2d6ddaf0-a928-43a2-a610-9bf62c1ed0a4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.110386Z", - "modified": "2024-05-08T15:22:56.110386Z", - "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum", "relationship_type": "mitigates", - "source_ref": "course-of-action--4b77406c-6862-489f-b6a4-5d9da04bf053", - "target_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", + "source_ref": "course-of-action--55d8b50b-d044-4a03-b1ef-6553f3aed34d", + "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -2609,30 +2541,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--0e1a91ca-6129-4b7e-9b05-1d3004500999", - "created": "2024-05-08T15:22:56.112317Z", - "modified": "2024-05-08T15:22:56.112317Z", - "name": "Avoid using plain text credentials", - "description": "Avoid using plain text credentials in configuration files. Use Kubernetes secrets or cloud secret store instead. This prevents unwanted access to plaintext credentials in source code, configuration files and Kubernetes objects.", + "id": "course-of-action--520d4254-ebd3-49e1-984f-dcf2ace87a9e", + "created": "2024-05-15T03:39:49.632956Z", + "modified": "2024-05-15T03:39:49.632956Z", + "name": "Implement data backup strategy", + "description": "Take and store data backups from pod mounted volumes for critical workloads. Ensure backup and storage systems are hardened and kept separate from the Kubernetes environment to prevent compromise.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9026%20Avoid%20using%20plain%20text%20credentials/", - "external_id": "MS-M9026" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9031%20Implement%20data%20backup%20strategy/", + "external_id": "MS-M9031" } + ], + "x_mitre_ids": [ + "M1053" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c38f19cf-a229-47ab-87b1-3b3473b023db", + "id": "relationship--f8705584-7dfe-4e53-87ce-8e4e0c99cbc0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.112428Z", - "modified": "2024-05-08T15:22:56.112428Z", - "description": "Avoid using plain text credentials in configuration files", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Take and store data backups from pod mounted volumes for critical workloads", "relationship_type": "mitigates", - 
"source_ref": "course-of-action--0e1a91ca-6129-4b7e-9b05-1d3004500999", - "target_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "source_ref": "course-of-action--520d4254-ebd3-49e1-984f-dcf2ace87a9e", + "target_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -2643,30 +2578,48 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--c1159ee6-af84-4a56-a3fd-57359b498f9e", - "created": "2024-05-08T15:22:56.114624Z", - "modified": "2024-05-08T15:22:56.114624Z", - "name": "Enable Just In Time access to API server", - "description": "Employing Just In Time (JIT) elevated access to Kubernetes API server helps reduce the attack surface to the API server by compromised accounts by allowing access only at specific times, and through a governed escalation process. Enabling JIT access in Kubernetes is often done together with OpenID authentication which includes processes and tools to manage JIT access. One example of such OpenID authentication is Azure Active Directory authentication to Kubernetes clusters. The JIT approval is performed in the cloud control-plane level. Therefore, even if attackers have access to an account credentials, their access to the cluster is limited.", + "id": "course-of-action--778d7e0c-c593-49b9-bcd7-d16b78004eb5", + "created": "2024-05-15T03:39:49.656588Z", + "modified": "2024-05-15T03:39:49.656588Z", + "name": "Restrict exec commands on pods", + "description": "", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9006%20Enable%20Just%20In%20Time%20access%20to%20API%20server/", - "external_id": "MS-M9006" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9010%20Restrict%20exec%20commands%20on%20pods/", + "external_id": "MS-M9010" } ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--f339094b-0181-402c-b8b1-dc0abecc1376", + "id": "relationship--f3767923-01f7-4810-9ba1-9cc0032da723", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.114727Z", - "modified": "2024-05-08T15:22:56.114727Z", - "description": "Employing Just In Time (JIT) elevated access to Kubernetes API server 
helps reduce the attack surface to the API server by compromised accounts by allowing access only at specific times, and through a governed escalation process", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--c1159ee6-af84-4a56-a3fd-57359b498f9e", - "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "source_ref": "course-of-action--778d7e0c-c593-49b9-bcd7-d16b78004eb5", + "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "tmfk" + ], + "x_mitre_version": "0.1", + "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--997ff777-3194-44ff-98c2-52918448ea32", + "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", + "relationship_type": "mitigates", + "source_ref": "course-of-action--778d7e0c-c593-49b9-bcd7-d16b78004eb5", + "target_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -2677,9 +2630,9 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--79053c9f-34ea-444f-8e97-827c60881e51", - "created": "2024-05-08T15:22:56.116769Z", - "modified": "2024-05-08T15:22:56.116769Z", + "id": "course-of-action--d19bd228-4302-4497-b3d5-65fe23c217e1", + "created": "2024-05-15T03:39:49.692338Z", + "modified": "2024-05-15T03:39:49.692338Z", "name": "Restrict access to etcd", "description": "Access to etcd should be limited to the Kubernetes control plane only. Depending on your configuration, you should attempt to use etcd over TLS. This mitigation is relevant only to non-managed Kubernetes environment, as access to etcd in cloud managed clusters is already restricted.", "external_references": [ @@ -2696,13 +2649,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--d4dd453f-66ce-42f0-816e-bdad2c1dd18e", + "id": "relationship--52acb074-9e6c-462b-9f68-b2daead4febd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.116875Z", - "modified": "2024-05-08T15:22:56.116875Z", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", "description": "Access to etcd should be limited to the Kubernetes control plane only", "relationship_type": "mitigates", - "source_ref": "course-of-action--79053c9f-34ea-444f-8e97-827c60881e51", + "source_ref": "course-of-action--d19bd228-4302-4497-b3d5-65fe23c217e1", "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2714,48 +2667,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--770f2953-0263-4408-a0b2-6cda1c0d3205", - "created": "2024-05-08T15:22:56.119383Z", - "modified": "2024-05-08T15:22:56.119383Z", - "name": "Ensure that pods meet defined Pod Security Standards", - "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum. These policies are cumulative and range from highly-permissive to highly-restrictive. Decoupling policy definition from policy instantiation allows for a common understanding and consistent language of policies across clusters, independent of the underlying enforcement mechanism. At the same time, Kubernetes offers a built-in Pod Security admission controller to enforce the Pod Security Standards. Pod security restrictions are applied at the namespace level when pods are created.", + "id": "course-of-action--c3ebbc7f-5b27-4a32-9612-81af964e1fa6", + "created": "2024-05-15T03:39:49.713824Z", + "modified": "2024-05-15T03:39:49.713824Z", + "name": "Use CNIs that are not prone to ARP poisoning", + "description": "Kubernetes default CNI (Kubenet) is prone to ARP poisoning. 
This allows pods to impersonate other pods in the cluster.\nUse alternative CNIs that are not prone to ARP poisoning in the cluster.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9017%20Ensure%20that%20pods%20meet%20defined%20Pod%20Security%20Standards/", - "external_id": "MS-M9017" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9028%20Use%20CNIs%20that%20are%20not%20prone%20to%20ARP%20poisoning/", + "external_id": "MS-M9028" } ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--0c551a23-0a7b-41de-bffd-a19e4ecee79e", - "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.119488Z", - "modified": "2024-05-08T15:22:56.119488Z", - "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum", - "relationship_type": "mitigates", - "source_ref": "course-of-action--770f2953-0263-4408-a0b2-6cda1c0d3205", - "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_domains": [ - "tmfk" - ], - "x_mitre_version": "0.1", - "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" - }, - { - "type": "relationship", - "spec_version": "2.1", - "id": "relationship--0b914519-e08f-4e56-9a68-a9cebb1c1d4a", + "id": "relationship--05af345e-2386-45e6-9b5f-b42a7e3f963b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.119567Z", - "modified": "2024-05-08T15:22:56.119567Z", - "description": "The Pod Security Standards define three different policies to broadly cover the security spectrum", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-25T08:08:39.000Z", + "description": "Kubernetes default CNI (Kubenet) is prone to ARP poisoning", "relationship_type": "mitigates", - "source_ref": 
"course-of-action--770f2953-0263-4408-a0b2-6cda1c0d3205", - "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", + "source_ref": "course-of-action--c3ebbc7f-5b27-4a32-9612-81af964e1fa6", + "target_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -2766,32 +2701,29 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--9e37ad64-5cc7-410b-a550-b9c1590c6283", - "created": "2024-05-08T15:22:56.122732Z", - "modified": "2024-05-08T15:22:56.122732Z", - "name": "Restricting cloud metadata API access", - "description": "", + "id": "course-of-action--87f133cb-179a-4f4c-ace0-304ce900b0c6", + "created": "2024-05-15T03:39:49.738357Z", + "modified": "2024-05-15T03:39:49.738357Z", + "name": "Allocate specific identities to pods", + "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity. This prevents other pods from accessing cloud identities that are not necessary for their operation. The features that implement this separation are: Azure AD Pod Identity (AKS), Azure AD Workload identity (AKS), IRSA (EKS) and GCP Workload Identity (GCP).", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9018%20Restricting%20cloud%20metadata%20API%20access/", - "external_id": "MS-M9018" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9019%20Allocate%20specific%20identities%20to%20pods/", + "external_id": "MS-M9019" } - ], - "x_mitre_ids": [ - "M1035" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--7bbe05c2-60af-4088-ace6-94f4f071df19", + "id": "relationship--21b8bc42-4f8b-48d4-bd6a-6d167c6bc3cb", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.122846Z", - "modified": "2024-05-08T15:22:56.122846Z", - "description": "", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity", "relationship_type": "mitigates", - "source_ref": 
"course-of-action--9e37ad64-5cc7-410b-a550-b9c1590c6283", + "source_ref": "course-of-action--87f133cb-179a-4f4c-ace0-304ce900b0c6", "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -2803,13 +2735,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--2d8245fd-ef52-41a9-a4ae-5aaa3921aefe", + "id": "relationship--e87cab35-468b-46bc-a7ed-7378ec79c528", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.122926Z", - "modified": "2024-05-08T15:22:56.122926Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "When needed, allocate dedicated cloud identity per pod with minimal permissions, instead of inheriting the node\u2019s cloud identity", "relationship_type": "mitigates", - "source_ref": "course-of-action--9e37ad64-5cc7-410b-a550-b9c1590c6283", + "source_ref": "course-of-action--87f133cb-179a-4f4c-ace0-304ce900b0c6", "target_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2818,17 +2750,33 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--68fb6dea-250a-4980-b700-68e3d476fc53", + "created": "2024-05-15T03:39:49.775718Z", + "modified": "2024-05-15T03:39:49.775718Z", + "name": "Use NodeRestriction admission controller", + "description": "NodeRestriction admission controller limits the permissions of kubelet and allows it to modify only its own Node object and only the pods that are running on its own node. This may limit attackers who have access to the Kubelet API from gaining full control over the cluster.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9027%20Use%20NodeRestriction%20admission%20controller/", + "external_id": "MS-M9027" + } + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--45d6494c-98b2-4720-9f60-0fd0f7c98726", + "id": "relationship--127a742e-4abb-4be2-8647-d6db0955fed0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.123003Z", - "modified": "2024-05-08T15:22:56.123003Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "NodeRestriction admission controller limits the permissions of kubelet and allows it to modify only its own Node object and only the pods that are running on its own node", "relationship_type": "mitigates", - "source_ref": "course-of-action--9e37ad64-5cc7-410b-a550-b9c1590c6283", - "target_ref": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", + "source_ref": "course-of-action--68fb6dea-250a-4980-b700-68e3d476fc53", + "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -2836,17 +2784,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--f1c844f3-f0df-45c8-8977-1e83897a490f", + "created": "2024-05-15T03:39:49.794023Z", + "modified": "2024-05-15T03:39:49.794023Z", + "name": "Network intrusion prevention", + "description": "Use intrusion detection signatures and web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster.\n\nAdapting the network intrusion prevention solution to Kubernetes environment might be needed to route network traffic destined to services through it.\nIn some cases, this will be done by deploying a containerized version of a network intrusion prevention solution to the Kubernetes cluster and be part of the cluster network, and in some cases, routing ingress traffic to Kubernetes services through an external appliance, requiring that all ingress traffic will only come from such an appliance.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9007%20Network%20intrusion%20prevention/", + "external_id": "MS-M9007" + } + ], + "x_mitre_ids": [ + "M1031" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--90f62dcd-d7e7-44e3-b445-5a642f5de126", + "id": "relationship--1d3d2200-a69d-492a-8e8e-da998e38b52b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.123072Z", - "modified": "2024-05-08T15:22:56.123072Z", - "description": "", + "created": "2022-10-20T10:28:30.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use intrusion detection signatures and web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster", "relationship_type": "mitigates", - "source_ref": 
"course-of-action--9e37ad64-5cc7-410b-a550-b9c1590c6283", - "target_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", + "source_ref": "course-of-action--f1c844f3-f0df-45c8-8977-1e83897a490f", + "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -2857,33 +2824,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "created": "2024-05-08T15:22:56.15468Z", - "modified": "2024-05-08T15:22:56.15468Z", - "name": "Adhere to least-privilege principle", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions. This applies also to other, external, authorization providers such as Azure RBAC in AKS.\n\nIn managed cluster, Kubernetes credentials are often retrieved or generated by the cloud provider via API call. To reduce the attack surface, grant permissions to the cloud provider API only to necessary accounts. In the case of Azure, make sure that only required identities have permissions to call:/subscriptions/resourceGroups/providers/Microsoft.ContainerService/managedClusters/listClusterUserCredential\n\nKubeconfig file can contain credentials of accounts that allow interaction with a cluster. 
By applying least privileges principle to all accounts, can limit the impact of an account compromised through Kubeconfig file.\n\nKubernetes project also lists the following recommendations for permissions and role assignment best practices:", + "id": "course-of-action--c78016d9-1088-4355-9c07-15afa17c30ba", + "created": "2024-05-15T03:39:49.806472Z", + "modified": "2024-05-15T03:39:49.806472Z", + "name": "Disable service account auto mount", + "description": "", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9003%20Adhere%20to%20least-privilege%20principle/", - "external_id": "MS-M9003" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9025%20Disable%20service%20account%20auto%20mount/", + "external_id": "MS-M9025" } - ], - "x_mitre_ids": [ - "M1018" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--b44efe83-3469-4a9c-b8c6-53b874056843", + "id": "relationship--7f80fc51-faa5-449a-8795-77b1d7d38249", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.15482Z", - "modified": "2024-05-08T15:22:56.15482Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "source_ref": "course-of-action--c78016d9-1088-4355-9c07-15afa17c30ba", + "target_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -2891,16 +2855,32 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--bd8a1f81-5681-4b09-86a3-60e4a1339332", + "created": "2024-05-15T03:39:49.822823Z", + "modified": "2024-05-15T03:39:49.822823Z", + "name": "Enable Just In Time access to API server", + "description": "Employing Just In Time (JIT) elevated access to Kubernetes API server helps reduce the attack surface to the API server by compromised accounts by allowing access only at specific times, and through a governed escalation process. Enabling JIT access in Kubernetes is often done together with OpenID authentication which includes processes and tools to manage JIT access. One example of such OpenID authentication is Azure Active Directory authentication to Kubernetes clusters. The JIT approval is performed in the cloud control-plane level. Therefore, even if attackers have access to an account credentials, their access to the cluster is limited.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9006%20Enable%20Just%20In%20Time%20access%20to%20API%20server/", + "external_id": "MS-M9006" + } + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--23143241-f6d3-42a0-9469-53edf84f0e0f", + "id": "relationship--53dd1c67-71fc-4966-80b4-e77583e2ef8e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.154905Z", - "modified": "2024-05-08T15:22:56.154905Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-27T17:00:14.000Z", + "description": "Employing Just In Time (JIT) elevated access to Kubernetes API server helps reduce the attack 
surface to the API server by compromised accounts by allowing access only at specific times, and through a governed escalation process", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", + "source_ref": "course-of-action--bd8a1f81-5681-4b09-86a3-60e4a1339332", "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2909,16 +2889,35 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", + "created": "2024-05-15T03:39:49.856437Z", + "modified": "2024-05-15T03:39:49.856437Z", + "name": "Restrict over permissive containers", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster. This can include restricting privileged containers, containers with sensitive volumes, containers with excessive capabilities, and other signs of over permissive containers.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9013%20Restrict%20over%20permissive%20containers/", + "external_id": "MS-M9013" + } + ], + "x_mitre_ids": [ + "M1038" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--848b4d5c-90d1-4482-b251-adcc7cc17891", + "id": "relationship--9372f1ae-40cc-4952-bbcf-f22b89a372bd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.154975Z", - "modified": "2024-05-08T15:22:56.154975Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", + "source_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": 
[ @@ -2930,13 +2929,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--72c5ef65-0a46-48f0-90bd-7fa8eb3b1939", + "id": "relationship--15ac3b60-3bd6-4381-ad36-9160702e746b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.15504Z", - "modified": "2024-05-08T15:22:56.15504Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", + "source_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2948,13 +2947,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--5ba9c263-a863-4192-beed-f1e9ed42674f", + "id": "relationship--bf5f4a2f-14dc-409c-b93c-364111d0dbc6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155104Z", - "modified": "2024-05-08T15:22:56.155104Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", + "source_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", "target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -2966,14 +2965,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--d1b623d5-b933-441d-8894-22bd5dd44117", + "id": "relationship--e2954083-f170-4032-9f0a-3a13f8d55b7c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155171Z", - "modified": "2024-05-08T15:22:56.155171Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", + "source_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", + "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -2984,14 +2983,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--efb0998c-99dd-44a1-944b-da25cbb9bea2", + "id": "relationship--d99027db-b6c3-4e63-bf38-8c2c32ee4bd6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155238Z", - "modified": "2024-05-08T15:22:56.155238Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", + "source_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", + "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3002,14 +3001,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--cf9f87de-2a3b-46fc-84ef-4e925923b5e4", + "id": "relationship--23b37f44-775f-4c0e-b631-b1f423a6a60f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155302Z", - "modified": "2024-05-08T15:22:56.155302Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", + "source_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", + "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3020,13 +3019,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--2d46b6e7-1230-4faf-a8ad-e12235ee7ea4", + "id": "relationship--7b499331-659d-4d8a-849f-a79df719852e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155365Z", - "modified": "2024-05-08T15:22:56.155365Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", + "source_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -3038,14 +3037,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--72a148ee-50f9-4e3b-a937-3c08256b1ed7", + "id": "relationship--4861b510-27a7-413a-91a6-80952fb4f1f2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155432Z", - "modified": "2024-05-08T15:22:56.155432Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", + "source_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", + "target_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3056,14 +3055,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--bd7dbd2b-a07e-4bf9-a4c8-beb6f5c2dd50", + "id": "relationship--a4bad130-89bb-4d8b-b2cb-a102501a7806", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155493Z", - "modified": "2024-05-08T15:22:56.155493Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-12-05T07:54:00.000Z", + "modified": "2022-12-05T07:54:00.000Z", + "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "source_ref": "course-of-action--2ff9263e-b450-4761-bdef-1014ab8df44e", + "target_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3071,17 +3070,37 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--2a25aaa2-136a-4a58-b1de-d1fd0cac5173", + "created": "2024-05-15T03:39:49.989843Z", + "modified": "2024-05-15T03:39:49.989843Z", + "name": "Restrict container runtime using LSM", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others. Linux security modules can restrict access to files, running processes, certain system calls and others. Also, dropping unnecessary Linux capabilities from the container runtime environment helps reduce the attack surface of such container.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9011%20Restrict%20container%20runtime%20using%20LSM/", + "external_id": "MS-M9011" + } + ], + "x_mitre_ids": [ + "M1038", + "M1040" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--7478fe08-c216-44bf-bede-f13f941b7f29", + "id": "relationship--c2bf159f-3b91-4a6e-8604-1e818d992b4e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155554Z", - "modified": "2024-05-08T15:22:56.155554Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", + "source_ref": 
"course-of-action--2a25aaa2-136a-4a58-b1de-d1fd0cac5173", + "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -3092,14 +3111,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--78717954-c8b0-4282-81cc-2c85a049a449", + "id": "relationship--4d3608f4-edbb-406d-a903-7f4f1ecad5db", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155617Z", - "modified": "2024-05-08T15:22:56.155617Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", + "source_ref": "course-of-action--2a25aaa2-136a-4a58-b1de-d1fd0cac5173", + "target_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3110,14 +3129,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--844c1b1d-3cee-4c6b-a27f-1c1733704dfa", + "id": "relationship--17ebe0b8-ba9b-4a92-9093-dbda15d80621", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155679Z", - "modified": "2024-05-08T15:22:56.155679Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", + "source_ref": "course-of-action--2a25aaa2-136a-4a58-b1de-d1fd0cac5173", + "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3128,14 +3147,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--f00a996f-9c64-4ef1-8c93-0e9f5d93c836", + "id": "relationship--aa539a34-7282-4f93-a201-880603aa7e5c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.15574Z", - "modified": "2024-05-08T15:22:56.15574Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "source_ref": "course-of-action--2a25aaa2-136a-4a58-b1de-d1fd0cac5173", + "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3146,14 +3165,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--68813965-9188-431b-918d-fb91ca2f1f06", + "id": "relationship--bc844fa6-71ac-4b9d-a831-dc67509f5af1", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.1558Z", - "modified": "2024-05-08T15:22:56.1558Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", + "source_ref": "course-of-action--2a25aaa2-136a-4a58-b1de-d1fd0cac5173", + "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3164,14 +3183,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--32f00bea-6a7d-4c35-9fce-42afca7ede41", + "id": "relationship--ae4cd2da-2261-4ec5-be1f-74e48e3d12c3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155861Z", - "modified": "2024-05-08T15:22:56.155861Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", + "source_ref": "course-of-action--2a25aaa2-136a-4a58-b1de-d1fd0cac5173", + "target_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3182,14 +3201,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--5f338d5a-3d04-46a2-8baa-a29a3d60567b", + "id": "relationship--e57186e7-9fee-4ab1-b016-d1451f52fea0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155922Z", - "modified": "2024-05-08T15:22:56.155922Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", + "source_ref": "course-of-action--2a25aaa2-136a-4a58-b1de-d1fd0cac5173", + "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3197,17 +3216,33 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--e2750236-3a09-4c64-97f4-8105d08d773c", + "created": "2024-05-15T03:39:50.110727Z", + "modified": "2024-05-15T03:39:50.110727Z", + "name": "Restrict the usage of unauthenticated APIs in the cluster", + "description": "Some unmanaged clusters are misconfigured such as anonymous access is accepted by the Kubernetes API server. Make sure that the Kubernetes API is configured properly, and authentication and authorization mechanisms are set.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9021%20Restrict%20the%20usage%20of%20unauthenticated%20APIs%20in%20the%20cluster/", + "external_id": "MS-M9021" + } + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--3695fbaa-c940-4482-8d6f-1857521374f4", + "id": "relationship--f379373c-8822-4c48-8911-210df5418bb5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.155983Z", - "modified": "2024-05-08T15:22:56.155983Z", - "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Some unmanaged clusters are misconfigured such as anonymous access is accepted by the Kubernetes API server", "relationship_type": "mitigates", - "source_ref": "course-of-action--35473f60-00ab-40b6-9d61-b20367f901e3", - "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "source_ref": "course-of-action--e2750236-3a09-4c64-97f4-8105d08d773c", + "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "x_mitre_attack_spec_version": "2.1.0", 
"x_mitre_domains": [ "tmfk" 
@@ -3218,33 +3253,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--55a99025-850c-4827-8b07-914552199b36", - "created": "2024-05-08T15:22:56.159781Z", - "modified": "2024-05-08T15:22:56.159781Z", - "name": "Network segmentation", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster. This includes inner-cluster communication as well as ingress\\egress traffic to\\from the cluster. Network Policies are a native K8s solution for networking restrictions in the cluster.", + "id": "course-of-action--51d41dfb-5f49-477a-8377-b0e534432991", + "created": "2024-05-15T03:39:50.135881Z", + "modified": "2024-05-15T03:39:50.135881Z", + "name": "Avoid running management interface on containers", + "description": "Avoid running SSH daemon, as well as other management interfaces, if they aren\u2019t necessary for the application\u2019s functionality.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9014%20Network%20segmentation/", - "external_id": "MS-M9014" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9015%20Avoid%20running%20management%20interface%20on%20containers/", + "external_id": "MS-M9015" } ], "x_mitre_ids": [ - "M1030" + "M1042" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--591612f8-a5a7-4161-861b-64693ee49557", + "id": "relationship--260fd263-0f63-486c-85f2-73d603efc5b8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.159973Z", - "modified": "2024-05-08T15:22:56.159973Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Avoid running SSH daemon, as well as other management interfaces, if they aren\u2019t necessary for the application\u2019s 
functionality", "relationship_type": "mitigates", - "source_ref": "course-of-action--55a99025-850c-4827-8b07-914552199b36", - "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "source_ref": "course-of-action--51d41dfb-5f49-477a-8377-b0e534432991", + "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3252,17 +3287,33 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--a09ce953-17ee-47bb-b2d0-9338767d0d4d", + "created": "2024-05-15T03:39:50.165211Z", + "modified": "2024-05-15T03:39:50.165211Z", + "name": "Avoid using plain text credentials", + "description": "Avoid using plain text credentials in configuration files. Use Kubernetes secrets or cloud secret store instead. This prevents unwanted access to plaintext credentials in source code, configuration files and Kubernetes objects.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9026%20Avoid%20using%20plain%20text%20credentials/", + "external_id": "MS-M9026" + } + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--2adc1cb3-3614-410c-b549-1c81de3ea1b2", + "id": "relationship--f43769b5-3a95-4bee-a453-bb8665c264d7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.160056Z", - "modified": "2024-05-08T15:22:56.160056Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Avoid using plain text credentials in configuration files", "relationship_type": "mitigates", - "source_ref": "course-of-action--55a99025-850c-4827-8b07-914552199b36", - "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "source_ref": "course-of-action--a09ce953-17ee-47bb-b2d0-9338767d0d4d", + "target_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3270,17 +3321,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--925b3e24-eb25-4c68-b3fe-2165d14d96a6", + "created": "2024-05-15T03:39:50.191364Z", + "modified": "2024-05-15T03:39:50.191364Z", + "name": "Limit access to services over network", + "description": "Avoid exposing sensitive interfaces insecurely to the Internet or limit access to it. Sensitive interfaces includes management tools and applications that allow creation of new containers in the cluster. Some of those services does not use authentication by default and are not intended to be exposed. Examples of services that were exploited: Weave Scope, Apache NiFi and more.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9008%20Limit%20access%20to%20services%20over%20network/", + "external_id": "MS-M9008" + } + ], + "x_mitre_ids": [ + "M1035" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--30d2e91b-ae8e-4886-a605-d61f12904201", + "id": "relationship--b444a265-fde8-4492-8318-3899451a74d6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.160125Z", - "modified": "2024-05-08T15:22:56.160125Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-20T10:28:30.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Avoid exposing sensitive interfaces insecurely to the Internet or limit access to it", "relationship_type": "mitigates", - "source_ref": "course-of-action--55a99025-850c-4827-8b07-914552199b36", - "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "source_ref": "course-of-action--925b3e24-eb25-4c68-b3fe-2165d14d96a6", + "target_ref": 
"attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3288,17 +3358,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--e8251e81-f825-4987-b384-ff1aca09a7a5", + "created": "2024-05-15T03:39:50.211723Z", + "modified": "2024-05-15T03:39:50.211723Z", + "name": "Collect logs to remote data storage", + "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion. This can be achieved by various open-source tools such as Fluentd. Also, built-in cloud solutions are available for managed clusters, such as Container Insights and Log Analytics in AKS and Cloud Logging in GKE.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9020%20Collect%20logs%20to%20remote%20data%20storage/", + "external_id": "MS-M9020" + } + ], + "x_mitre_ids": [ + "M1029" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--c3bb518a-5b52-4b31-b78f-f5fcc949736c", + "id": "relationship--218b9d58-20b0-4ce4-844e-0118e8d99774", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.160193Z", - "modified": "2024-05-08T15:22:56.160193Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion", "relationship_type": "mitigates", - "source_ref": "course-of-action--55a99025-850c-4827-8b07-914552199b36", - "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "source_ref": "course-of-action--e8251e81-f825-4987-b384-ff1aca09a7a5", + "target_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -3309,14 +3398,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--ee884f9c-ff11-41ae-88e0-3b01b047640c", + "id": "relationship--e4ef9577-a365-410d-8364-d0bb066f42bf", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.160265Z", - "modified": "2024-05-08T15:22:56.160265Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion", "relationship_type": "mitigates", - "source_ref": "course-of-action--55a99025-850c-4827-8b07-914552199b36", - "target_ref": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", + "source_ref": "course-of-action--e8251e81-f825-4987-b384-ff1aca09a7a5", + "target_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3324,17 +3413,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--aac84edd-fdfd-496f-86f6-a2928fed9718", + "created": "2024-05-15T03:39:50.25828Z", + "modified": "2024-05-15T03:39:50.25828Z", + "name": "Restricting cloud metadata API access", + "description": "", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9018%20Restricting%20cloud%20metadata%20API%20access/", + "external_id": "MS-M9018" + } + ], + "x_mitre_ids": [ + "M1035" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1dd70791-0859-4bd6-97de-c0db2e34beb2", + "id": "relationship--c5ee99c3-a3f5-48c3-b3cc-e016aaad30f3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.160332Z", - "modified": "2024-05-08T15:22:56.160332Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--55a99025-850c-4827-8b07-914552199b36", - "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", + "source_ref": "course-of-action--aac84edd-fdfd-496f-86f6-a2928fed9718", + "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3345,14 +3453,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--23432974-c2b0-4a4f-a61a-464032513031", + "id": "relationship--fb36acc7-8b7c-4be6-a6dd-58ef99e8a4d1", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.160398Z", - "modified": "2024-05-08T15:22:56.160398Z", - "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--55a99025-850c-4827-8b07-914552199b36", - "target_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", + "source_ref": "course-of-action--aac84edd-fdfd-496f-86f6-a2928fed9718", + "target_ref": "attack-pattern--7d9a80c5-d550-4335-bccc-caacbdda36d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3360,37 +3468,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--d8394e32-01b5-4447-a9cb-c98059a7a24b", - "created": "2024-05-08T15:22:56.164478Z", - "modified": "2024-05-08T15:22:56.164478Z", - "name": "Restrict container runtime using LSM", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others. Linux security modules can restrict access to files, running processes, certain system calls and others. Also, dropping unnecessary Linux capabilities from the container runtime environment helps reduce the attack surface of such container.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9011%20Restrict%20container%20runtime%20using%20LSM/", - "external_id": "MS-M9011" - } - ], - "x_mitre_ids": [ - "M1038", - "M1040" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9084a585-125b-48a8-b5c5-253fe50cd45f", + "id": "relationship--51aea02b-f08b-4911-a7b3-3c615012e191", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.164583Z", - "modified": "2024-05-08T15:22:56.164583Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--d8394e32-01b5-4447-a9cb-c98059a7a24b", - "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "source_ref": "course-of-action--aac84edd-fdfd-496f-86f6-a2928fed9718", + "target_ref": "attack-pattern--e9129bb6-deab-4764-b35b-e986640970c3", 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -3401,14 +3489,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--eba9530a-3b27-4aac-9fb3-af44b91370ea", + "id": "relationship--88e2fc55-9489-4b4e-adb2-fd4c703be960", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.16466Z", - "modified": "2024-05-08T15:22:56.16466Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--d8394e32-01b5-4447-a9cb-c98059a7a24b", - "target_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", + "source_ref": "course-of-action--aac84edd-fdfd-496f-86f6-a2928fed9718", + "target_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3416,17 +3504,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--bcdd9ff5-fc8c-4fa8-91f1-69e8dbf064d9", + "created": "2024-05-15T03:39:50.34653Z", + "modified": "2024-05-15T03:39:50.34653Z", + "name": "Restrict access to the API server using IP firewall", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster.\nIn managed clusters, cloud providers often support native built-in firewall which can restrict the IP addresses that are allowed to access the API server.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9002%20Restrict%20access%20to%20the%20API%20server%20using%20IP%20firewall/", + "external_id": "MS-M9002" + } + ], + "x_mitre_ids": [ + "M1035" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--7fce2c6d-7b4f-4a73-a763-5eb8c1ce476b", + "id": "relationship--395815eb-8041-4873-9b8b-8d2bbbe09e9b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.164731Z", - "modified": "2024-05-08T15:22:56.164731Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--d8394e32-01b5-4447-a9cb-c98059a7a24b", - "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "source_ref": 
"course-of-action--bcdd9ff5-fc8c-4fa8-91f1-69e8dbf064d9", + "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -3437,14 +3544,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--0ccf0337-e389-4e82-86c7-c3f3d6d715d8", + "id": "relationship--d4fb6853-ce8f-4ad3-891c-75c5f5185be9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.164799Z", - "modified": "2024-05-08T15:22:56.164799Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--d8394e32-01b5-4447-a9cb-c98059a7a24b", - "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "source_ref": "course-of-action--bcdd9ff5-fc8c-4fa8-91f1-69e8dbf064d9", + "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3455,14 +3562,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--efec075f-2e2a-4a46-8c3b-87f79852ac4b", + "id": "relationship--575c4dfa-84f1-4f4b-97c0-562c4be5ab79", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.164866Z", - "modified": "2024-05-08T15:22:56.164866Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--d8394e32-01b5-4447-a9cb-c98059a7a24b", - "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", + "source_ref": "course-of-action--bcdd9ff5-fc8c-4fa8-91f1-69e8dbf064d9", + "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3473,14 +3580,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--a13556e9-ad9f-45a9-a3f1-af748f1fb09e", + "id": "relationship--548c7c7c-30f8-454f-bc8a-162262415b42", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.164933Z", - "modified": "2024-05-08T15:22:56.164933Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--d8394e32-01b5-4447-a9cb-c98059a7a24b", - "target_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", + "source_ref": "course-of-action--bcdd9ff5-fc8c-4fa8-91f1-69e8dbf064d9", + "target_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3491,13 +3598,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--b9124650-895d-4271-9829-08710a1c3377", + "id": "relationship--f21d594d-a2c4-465f-9363-cb6f8cd513d0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.165Z", - "modified": "2024-05-08T15:22:56.165Z", - "description": "Restrict the running environment of the containers using Linux security modules, such as AppArmor, SELinux, Seccomp and others", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--d8394e32-01b5-4447-a9cb-c98059a7a24b", + "source_ref": "course-of-action--bcdd9ff5-fc8c-4fa8-91f1-69e8dbf064d9", "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -3509,30 +3616,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--a1b1f3b9-26b7-47cf-b212-79fbf0f75fde", - "created": "2024-05-08T15:22:56.166862Z", - "modified": "2024-05-08T15:22:56.166862Z", - "name": "Set requests and limits for containers", - "description": "Set requests and limits for each container to avoid resource contention and DoS attacks.", + "id": "course-of-action--911f0f2c-0be0-40bb-95e3-f6b9c200a9eb", + "created": "2024-05-15T03:39:50.432865Z", + "modified": "2024-05-15T03:39:50.432865Z", + "name": "Use cloud storage provider", + "description": "Use cloud storage services, such as Azure Files, for storing the application\u2019s data. Kubernetes integrates with all main cloud provider storage services as storage providers for pod volumes. This allows leveraging cloud storage capabilities such as backup and snapshots.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9029%20Set%20requests%20and%20limits%20for%20containers/", - "external_id": "MS-M9029" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9030%20Use%20cloud%20storage%20provider/", + "external_id": "MS-M9030" } ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--2f2ad783-e5f7-49fc-948b-61f03ce598b5", + "id": "relationship--052962f9-6bac-4e77-be11-b0a77cf325f8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.166947Z", - "modified": "2024-05-08T15:22:56.166947Z", - "description": "Set requests and limits for each container to avoid resource contention and DoS attacks", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use cloud storage services, such as Azure Files, for storing the application\u2019s data", "relationship_type": "mitigates", - "source_ref": 
"course-of-action--a1b1f3b9-26b7-47cf-b212-79fbf0f75fde", - "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", + "source_ref": "course-of-action--911f0f2c-0be0-40bb-95e3-f6b9c200a9eb", + "target_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3543,30 +3650,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--a22d0e88-9fb6-4728-adea-52d9f279641e", - "created": "2024-05-08T15:22:56.169861Z", - "modified": "2024-05-08T15:22:56.169861Z", - "name": "Require strong authentication to services", - "description": "Use strong authentication when exposing sensitive interfaces to the Internet. For example, attacks were observed against exposed Kubeflow and Argo workloads that were not configured to use OpenID Connect or other authentication methods.\n\nUse strong authentication methods to the Kubernetes API that will prevent attackers from gaining access to the cluster even if valid credentials such as kubeconfig were achieved. For example, in AKS use AAD authentication instead of basic authentication. By using AAD authentication, a short-lived credential of the cluster is retrieved after authenticating to AAD.", + "id": "course-of-action--d59e0361-e023-4e3b-bd6a-374da2266736", + "created": "2024-05-15T03:39:50.450136Z", + "modified": "2024-05-15T03:39:50.450136Z", + "name": "Restrict file and directory permissions", + "description": "", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9009%20Require%20strong%20authentication%20to%20services/", - "external_id": "MS-M9009" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9016%20Restrict%20file%20and%20directory%20permissions/", + "external_id": "MS-M9016" } + ], + "x_mitre_ids": [ + "M1022" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--480263be-2153-4749-9148-70164682e46d", + "id": "relationship--5296d9e7-1a11-4bca-8eeb-f8449e39a4d6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.16995Z", - "modified": "2024-05-08T15:22:56.16995Z", - "description": "Use strong authentication when exposing sensitive interfaces to the 
Internet", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--a22d0e88-9fb6-4728-adea-52d9f279641e", - "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", + "source_ref": "course-of-action--d59e0361-e023-4e3b-bd6a-374da2266736", + "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -3577,14 +3687,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--f63fa307-e4f1-4d4b-9135-486454913410", + "id": "relationship--ab838d60-4c41-4293-b77c-09e4a4a9cd62", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.17002Z", - "modified": "2024-05-08T15:22:56.17002Z", - "description": "Use strong authentication when exposing sensitive interfaces to the Internet", + "created": "2022-10-25T12:26:46.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--a22d0e88-9fb6-4728-adea-52d9f279641e", - "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "source_ref": "course-of-action--d59e0361-e023-4e3b-bd6a-374da2266736", + "target_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3595,14 +3705,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--37386587-467b-4334-877a-57a33828a55e", + "id": "relationship--cedd7e41-7f86-4ae8-b52e-c18069ed209e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.170088Z", - "modified": "2024-05-08T15:22:56.170088Z", - "description": "Use strong authentication when exposing sensitive interfaces to the Internet", + "created": "2022-10-25T14:08:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--a22d0e88-9fb6-4728-adea-52d9f279641e", - "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", + "source_ref": "course-of-action--d59e0361-e023-4e3b-bd6a-374da2266736", + "target_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3613,33 +3723,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--8bdb3ec1-eb93-47fd-ac6f-f5b24134a5cf", - "created": "2024-05-08T15:22:56.172279Z", - "modified": "2024-05-08T15:22:56.172279Z", - "name": "Use managed secret store", - "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster. This allows cloud-level management of the secret which includes permission management, expiration management, secret rotation, auditing, etc. The integration of cloud secret stores with Kubernetes is done by using Secrets Store CSI Driver, which is implemented by all major cloud providers.", + "id": "course-of-action--1b4c4c3f-d97d-4478-b5c8-146d6464ee4e", + "created": "2024-05-15T03:39:50.500751Z", + "modified": "2024-05-15T03:39:50.500751Z", + "name": "Remove tools from container images", + "description": "Attackers often use built-in executables to run their malicious code. Removing unused executables from the image filesystem can prevent such activity. 
Examples of executables that are commonly used in malicious activity include: sh, bash, curl, wget, chmod and more.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9022%20Use%20managed%20secret%20store/", - "external_id": "MS-M9022" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9012%20Remove%20tools%20from%20container%20images/", + "external_id": "MS-M9012" } ], "x_mitre_ids": [ - "M1029" + "M1042" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--f74b5496-c7e5-4aa7-be3a-0d16d161bda1", + "id": "relationship--120b8e99-ff14-49c3-8d60-3afb877a2705", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.172377Z", - "modified": "2024-05-08T15:22:56.172377Z", - "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Attackers often use built-in executables to run their malicious code", "relationship_type": "mitigates", - "source_ref": "course-of-action--8bdb3ec1-eb93-47fd-ac6f-f5b24134a5cf", - "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "source_ref": "course-of-action--1b4c4c3f-d97d-4478-b5c8-146d6464ee4e", + "target_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3650,14 +3760,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--bc614ef9-78dd-40f2-ab07-c7c9e12b963f", + "id": "relationship--be9f0971-16e6-4067-b560-085cae7145f0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.172455Z", - "modified": "2024-05-08T15:22:56.172455Z", - "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Attackers often use built-in executables to run their malicious code", "relationship_type": "mitigates", - "source_ref": "course-of-action--8bdb3ec1-eb93-47fd-ac6f-f5b24134a5cf", - "target_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", + "source_ref": "course-of-action--1b4c4c3f-d97d-4478-b5c8-146d6464ee4e", + "target_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3668,30 +3778,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--b2f07c19-8b55-48bf-9542-2b6fc552e8ef", - "created": "2024-05-08T15:22:56.174374Z", - "modified": "2024-05-08T15:22:56.174374Z", - "name": "Use cloud storage provider", - "description": "Use cloud storage services, such as Azure Files, for storing the application\u2019s data. Kubernetes integrates with all main cloud provider storage services as storage providers for pod volumes. This allows leveraging cloud storage capabilities such as backup and snapshots.", + "id": "course-of-action--dec10eb4-b95f-4a77-a339-fa021cf4a899", + "created": "2024-05-15T03:39:50.549988Z", + "modified": "2024-05-15T03:39:50.549988Z", + "name": "Network segmentation", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster. This includes inner-cluster communication as well as ingress\\egress traffic to\\from the cluster. Network Policies are a native K8s solution for networking restrictions in the cluster.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9030%20Use%20cloud%20storage%20provider/", - "external_id": "MS-M9030" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9014%20Network%20segmentation/", + "external_id": "MS-M9014" } + ], + "x_mitre_ids": [ + "M1030" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--d077a740-aa3c-438f-9b15-6293a1da5bcf", + "id": "relationship--fc44ddb8-eb0c-4d96-abb0-547f3aad03bb", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.174484Z", - "modified": "2024-05-08T15:22:56.174484Z", - "description": "Use cloud storage services, such as Azure Files, for storing the application\u2019s data", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and 
outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--b2f07c19-8b55-48bf-9542-2b6fc552e8ef", - "target_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "source_ref": "course-of-action--dec10eb4-b95f-4a77-a339-fa021cf4a899", + "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3699,36 +3812,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--e97e7d91-2157-455c-8735-e8b923c89674", - "created": "2024-05-08T15:22:56.176356Z", - "modified": "2024-05-08T15:22:56.176356Z", - "name": "Implement data backup strategy", - "description": "Take and store data backups from pod mounted volumes for critical workloads. Ensure backup and storage systems are hardened and kept separate from the Kubernetes environment to prevent compromise.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9031%20Implement%20data%20backup%20strategy/", - "external_id": "MS-M9031" - } - ], - "x_mitre_ids": [ - "M1053" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--d8a67cab-2aec-4885-b4b5-65caed8d3bc1", + "id": "relationship--dc579813-666e-4365-851b-357b41ee17fc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.176459Z", - "modified": "2024-05-08T15:22:56.176459Z", - "description": "Take and store data backups from pod mounted volumes for critical workloads", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--e97e7d91-2157-455c-8735-e8b923c89674", - "target_ref": "attack-pattern--8e4e321e-09f1-4832-bc8c-265081bfd5fa", + "source_ref": "course-of-action--dec10eb4-b95f-4a77-a339-fa021cf4a899", + "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3736,36 +3830,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--2ac38e43-d1e4-42a7-9200-3c66b2a14f2a", - "created": "2024-05-08T15:22:56.178317Z", - "modified": "2024-05-08T15:22:56.178317Z", - "name": "Multi-factor authentication", - "description": "Using multi-factor authentication for accounts can prevent unauthorized access in case an adversary achieves access to the account credentials. This can reduce the risk in case an adversary achieved valid credentials to an account that has permissions to the Kubernetes cluster.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9001%20Multi-factor%20authentication/", - "external_id": "MS-M9001" - } - ], - "x_mitre_ids": [ - "M1032" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1490c81e-60bf-4e7a-91de-082c18d8c07b", + "id": "relationship--0ecd2aca-11a3-4f9f-9bbd-ce78673bdd11", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.178441Z", - "modified": "2024-05-08T15:22:56.178441Z", - "description": "Using multi-factor authentication for accounts can prevent unauthorized access in case an adversary achieves access to the account credentials", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--2ac38e43-d1e4-42a7-9200-3c66b2a14f2a", - "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "source_ref": "course-of-action--dec10eb4-b95f-4a77-a339-fa021cf4a899", + "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": 
[ "tmfk" @@ -3773,32 +3848,16 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--43c3ee3b-415b-42f4-9196-a75c08ef951a", - "created": "2024-05-08T15:22:56.180191Z", - "modified": "2024-05-08T15:22:56.180191Z", - "name": "Use NodeRestriction admission controller", - "description": "NodeRestriction admission controller limits the permissions of kubelet and allows it to modify only its own Node object and only the pods that are running on its own node. This may limit attackers who have access to the Kubelet API from gaining full control over the cluster.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9027%20Use%20NodeRestriction%20admission%20controller/", - "external_id": "MS-M9027" - } - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--90678f01-47c5-4838-98e7-d01eebfa0d28", + "id": "relationship--c59e7256-0fa5-478e-8597-e4116c67d234", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.180298Z", - "modified": "2024-05-08T15:22:56.180298Z", - "description": "NodeRestriction admission controller limits the permissions of kubelet and allows it to modify only its own Node object and only the pods that are running on its own node", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--43c3ee3b-415b-42f4-9196-a75c08ef951a", + "source_ref": "course-of-action--dec10eb4-b95f-4a77-a339-fa021cf4a899", "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -3808,32 +3867,34 @@ "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { - "type": "course-of-action", + "type": "relationship", "spec_version": "2.1", - "id": "course-of-action--2c463ce1-a490-4348-a13a-6cb692ccc688", - "created": "2024-05-08T15:22:56.182403Z", - "modified": "2024-05-08T15:22:56.182403Z", - "name": "Restrict exec commands on pods", - "description": "", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9010%20Restrict%20exec%20commands%20on%20pods/", - "external_id": "MS-M9010" - } - ] + "id": "relationship--59fe1010-17ca-46e4-86b4-82a6507c0274", + "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", + "relationship_type": "mitigates", + "source_ref": "course-of-action--dec10eb4-b95f-4a77-a339-fa021cf4a899", + "target_ref": "attack-pattern--630885cf-1204-4056-99cf-b2c44e5f0b66", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "tmfk" + ], + "x_mitre_version": "0.1", + "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--cd35cbd7-4b93-4b58-a07e-365899f9f6e3", + "id": "relationship--74740cef-789c-419b-8ef4-be1b91411f77", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.182509Z", - "modified": "2024-05-08T15:22:56.182509Z", - "description": "", + "created": "2022-10-31T06:43:11.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--2c463ce1-a490-4348-a13a-6cb692ccc688", - "target_ref": 
"attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", + "source_ref": "course-of-action--dec10eb4-b95f-4a77-a339-fa021cf4a899", + "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -3844,14 +3905,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--d0a52dac-8d12-4cea-8907-3214a272ce87", + "id": "relationship--33e1bea6-768f-44bf-9fcb-8d1e3907ef2a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.182588Z", - "modified": "2024-05-08T15:22:56.182588Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-31T06:43:11.000Z", + "description": "Restrict inbound and outbound network traffic of the pods in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--2c463ce1-a490-4348-a13a-6cb692ccc688", - "target_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", + "source_ref": "course-of-action--dec10eb4-b95f-4a77-a339-fa021cf4a899", + "target_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3862,30 +3923,33 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--12809894-059a-4bb9-a7c3-37c64de36bd5", - "created": "2024-05-08T15:22:56.184338Z", - "modified": "2024-05-08T15:22:56.184338Z", - "name": "Avoid using web-hosted manifest for Kubelet", - "description": "", + "id": "course-of-action--1e89ed15-2cc3-4559-b971-727257bb3468", + "created": "2024-05-15T03:39:50.684929Z", + "modified": "2024-05-15T03:39:50.684929Z", + "name": "Multi-factor authentication", + "description": "Using multi-factor authentication for accounts can prevent unauthorized access in case an adversary achieves access to the account credentials. This can reduce the risk in case an adversary achieved valid credentials to an account that has permissions to the Kubernetes cluster.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9032%20Avoid%20using%20web-hosted%20manifest%20for%20Kubelet/", - "external_id": "MS-M9032" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9001%20Multi-factor%20authentication/", + "external_id": "MS-M9001" } + ], + "x_mitre_ids": [ + "M1032" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--b732d3c6-24e8-47ec-b8ba-3824fad3561d", + "id": "relationship--ca42a472-3bf3-4e21-ad6f-b30c421c39a3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.184502Z", - "modified": "2024-05-08T15:22:56.184502Z", - "description": "", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Using multi-factor authentication for accounts can prevent unauthorized access in case an adversary achieves access to the account credentials", "relationship_type": "mitigates", - "source_ref": "course-of-action--12809894-059a-4bb9-a7c3-37c64de36bd5", - "target_ref": 
"attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", + "source_ref": "course-of-action--1e89ed15-2cc3-4559-b971-727257bb3468", + "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3896,33 +3960,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--ea621114-674b-4aac-886c-994c8da59b20", - "created": "2024-05-08T15:22:56.187533Z", - "modified": "2024-05-08T15:22:56.187533Z", - "name": "Restrict access to the API server using IP firewall", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster.\nIn managed clusters, cloud providers often support native built-in firewall which can restrict the IP addresses that are allowed to access the API server.", + "id": "course-of-action--88846ecd-3066-403b-ae1e-14990aec7b89", + "created": "2024-05-15T03:39:50.708572Z", + "modified": "2024-05-15T03:39:50.708572Z", + "name": "Set requests and limits for containers", + "description": "Set requests and limits for each container to avoid resource contention and DoS attacks.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9002%20Restrict%20access%20to%20the%20API%20server%20using%20IP%20firewall/", - "external_id": "MS-M9002" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9029%20Set%20requests%20and%20limits%20for%20containers/", + "external_id": "MS-M9029" } - ], - "x_mitre_ids": [ - "M1035" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1d4b575d-5a95-4894-9d35-3b1abcb99dbd", + "id": "relationship--a8a8174f-cace-4014-8ba5-19ac6405fd6d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.187631Z", - "modified": "2024-05-08T15:22:56.187631Z", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", + "created": "2022-10-25T10:05:08.000Z", + "modified": "2022-10-28T11:26:39.000Z", + 
"description": "Set requests and limits for each container to avoid resource contention and DoS attacks", "relationship_type": "mitigates", - "source_ref": "course-of-action--ea621114-674b-4aac-886c-994c8da59b20", - "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", + "source_ref": "course-of-action--88846ecd-3066-403b-ae1e-14990aec7b89", + "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3930,17 +3991,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "created": "2024-05-15T03:39:50.779693Z", + "modified": "2024-05-15T03:39:50.779693Z", + "name": "Adhere to least-privilege principle", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions. This applies also to other, external, authorization providers such as Azure RBAC in AKS.\n\nIn managed cluster, Kubernetes credentials are often retrieved or generated by the cloud provider via API call. To reduce the attack surface, grant permissions to the cloud provider API only to necessary accounts. In the case of Azure, make sure that only required identities have permissions to call:/subscriptions/resourceGroups/providers/Microsoft.ContainerService/managedClusters/listClusterUserCredential\n\nKubeconfig file can contain credentials of accounts that allow interaction with a cluster. 
By applying least privileges principle to all accounts, can limit the impact of an account compromised through Kubeconfig file.\n\nKubernetes project also lists the following recommendations for permissions and role assignment best practices:", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9003%20Adhere%20to%20least-privilege%20principle/", + "external_id": "MS-M9003" + } + ], + "x_mitre_ids": [ + "M1018" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--5b895b8e-f2fa-4f83-be17-09f47e8678b9", + "id": "relationship--6439eb96-2128-4a10-bc35-245772507eaa", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.187712Z", - "modified": "2024-05-08T15:22:56.187712Z", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--ea621114-674b-4aac-886c-994c8da59b20", - "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": "attack-pattern--45b8be5d-ed3a-4343-acc1-eb870524bb3e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3951,14 +4031,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--21c02ea0-80b1-43a6-bc0d-cec13a726e09", + "id": "relationship--0099590d-c613-4183-90ef-0677a5cee5e0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.187782Z", - "modified": "2024-05-08T15:22:56.187782Z", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--ea621114-674b-4aac-886c-994c8da59b20", - "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": "attack-pattern--12be3408-d2ae-4824-8595-5851af05e1a2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3969,14 +4049,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--b8010747-c436-4478-ad8a-05aa0d650815", + "id": "relationship--c0a48420-db41-473c-a6c0-1e13a3d10186", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.18785Z", - "modified": "2024-05-08T15:22:56.18785Z", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--ea621114-674b-4aac-886c-994c8da59b20", - "target_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -3987,14 +4067,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--ec5feb2f-3ba6-430c-8243-a362334423f6", + "id": "relationship--ffc80eef-fce9-4a9c-a6cc-64a06bd04c09", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.187921Z", - "modified": "2024-05-08T15:22:56.187921Z", - "description": "Restricting access to the API server can prevent unwanted access to the clusters management, even if the adversary achieved valid credentials to the cluster", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--ea621114-674b-4aac-886c-994c8da59b20", - "target_ref": "attack-pattern--eaf1bc6e-b4fc-4aa9-9f80-3fea92a93ecd", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4002,36 +4082,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--145627ab-4c2f-4817-9cc7-3541c4b2132d", - "created": "2024-05-08T15:22:56.190096Z", - "modified": "2024-05-08T15:22:56.190096Z", - "name": "Limit access to services over network", - "description": "Avoid exposing sensitive interfaces insecurely to the Internet or limit access to it. Sensitive interfaces includes management tools and applications that allow creation of new containers in the cluster. Some of those services does not use authentication by default and are not intended to be exposed. Examples of services that were exploited: Weave Scope, Apache NiFi and more.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9008%20Limit%20access%20to%20services%20over%20network/", - "external_id": "MS-M9008" - } - ], - "x_mitre_ids": [ - "M1035" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--2cdf3dab-2a3c-4a54-86f0-d2dac4ed5caa", + "id": "relationship--5e215619-4747-40ee-b7d8-cb99f43dcc02", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.190183Z", - "modified": "2024-05-08T15:22:56.190183Z", - "description": "Avoid exposing sensitive interfaces insecurely to the Internet or limit access to it", + "created": "2022-10-23T12:48:12.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--145627ab-4c2f-4817-9cc7-3541c4b2132d", - "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + 
"target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4039,36 +4100,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb", - "created": "2024-05-08T15:22:56.194751Z", - "modified": "2024-05-08T15:22:56.194751Z", - "name": "Restrict over permissive containers", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster. This can include restricting privileged containers, containers with sensitive volumes, containers with excessive capabilities, and other signs of over permissive containers.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9013%20Restrict%20over%20permissive%20containers/", - "external_id": "MS-M9013" - } - ], - "x_mitre_ids": [ - "M1038" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--a146eb92-2664-4266-bcca-296096759948", + "id": "relationship--eff8b137-592b-4e24-b9d0-84d0b4ecd36c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.194859Z", - "modified": "2024-05-08T15:22:56.194859Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb", - "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": 
"attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -4079,14 +4121,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--76f97393-3394-4fc6-96bc-720d3f801545", + "id": "relationship--2ee66121-66fb-4322-bf90-a304269cc9ca", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.194937Z", - "modified": "2024-05-08T15:22:56.194937Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb", - "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": "attack-pattern--28c33534-e6aa-4c24-8705-1807ef826a85", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4097,14 +4139,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--65c74fcc-0a2b-48f5-8140-d1724dbc0152", + "id": "relationship--439dbd19-7acb-4f32-ad8c-9cbdfd051ace", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.195007Z", - "modified": "2024-05-08T15:22:56.195007Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb", - "target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": "attack-pattern--06520d74-76ea-48b5-8393-67078311355c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4115,14 +4157,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--a4297d46-5ef6-48ee-a7ec-9c81c2104efb", + "id": "relationship--8b515b19-c9dd-4ff8-a0c9-5e8a53b8704e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.195074Z", - "modified": "2024-05-08T15:22:56.195074Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb", - "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4133,14 +4175,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--b455b577-b0a4-4b5e-b309-4399ffdb96d8", + "id": "relationship--177ce49d-d707-4a60-8758-3008ca687648", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.195142Z", - "modified": "2024-05-08T15:22:56.195142Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb", - "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4151,14 +4193,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--a3c5cc70-8051-4ee7-9103-8577d26bb3de", + "id": "relationship--1ef5a845-4abd-4dfa-a3fa-07614488bb92", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.195207Z", - "modified": "2024-05-08T15:22:56.195207Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb", - "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4169,14 +4211,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--81017d21-8a48-428c-8c20-7bedbb7c9274", + "id": "relationship--597c4e29-5e2b-413e-85b3-156207c18632", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.195273Z", - "modified": "2024-05-08T15:22:56.195273Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb", - "target_ref": "attack-pattern--87fd5514-53fb-4aeb-a4e7-4f4f250535af", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4187,14 +4229,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--ea7b2c95-feae-4263-8972-1153520e12bb", + "id": "relationship--a17ec211-c097-4b29-b6f3-cf70f2a40917", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.195338Z", - "modified": "2024-05-08T15:22:56.195338Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb", - "target_ref": "attack-pattern--c555d9ce-16ce-4780-b6d4-3d9dda658ef5", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4205,14 +4247,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--d6a40a98-8a52-4531-9c32-a407d8c715dc", + "id": "relationship--6f44a207-12a9-4211-a943-ba64ae52a24f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.195403Z", - "modified": "2024-05-08T15:22:56.195403Z", - "description": "Use admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--bd39b3ac-7645-4d13-ad6f-1e2973e333cb", - "target_ref": "attack-pattern--09547119-b518-4574-ac5f-176c9378ebe4", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": "attack-pattern--151100c8-7129-45da-b345-493e8b5b1dc7", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4220,33 +4262,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--078074f8-e7ee-4480-adc4-319dd516eeca", - "created": "2024-05-08T15:22:56.197061Z", - "modified": "2024-05-08T15:22:56.197061Z", - "name": "Remove unused secrets from the cluster", - "description": "Remove unused secrets objects from the cluster.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9023%20Remove%20unused%20secrets%20from%20the%20cluster/", - "external_id": "MS-M9023" - } - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--4a74f882-fc51-4b69-9133-d4d2cdc8cba4", + "id": "relationship--0e71454a-a992-44ae-ae75-a355d6f04b0a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.197159Z", - "modified": "2024-05-08T15:22:56.197159Z", - "description": "Remove unused secrets objects from the cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--078074f8-e7ee-4480-adc4-319dd516eeca", - "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4254,36 +4280,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--14ab0198-d01e-4136-8e42-a3c98fe94cc7", - "created": "2024-05-08T15:22:56.199422Z", - "modified": "2024-05-08T15:22:56.199422Z", - "name": "Collect logs to remote data storage", - "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion. This can be achieved by various open-source tools such as Fluentd. Also, built-in cloud solutions are available for managed clusters, such as Container Insights and Log Analytics in AKS and Cloud Logging in GKE.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9020%20Collect%20logs%20to%20remote%20data%20storage/", - "external_id": "MS-M9020" - } - ], - "x_mitre_ids": [ - "M1029" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9daf3409-b091-43a4-93fe-00cfede88603", + "id": "relationship--29059bde-e9aa-49d6-afd6-d6aac181369f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.199528Z", - "modified": "2024-05-08T15:22:56.199528Z", - "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--14ab0198-d01e-4136-8e42-a3c98fe94cc7", - "target_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": 
"attack-pattern--f87c703a-3937-483a-8285-eb5cf538b72c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -4294,14 +4301,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--971dbbb2-612c-4cab-b442-e50892920edd", + "id": "relationship--1cd92ebc-5be0-4b93-8067-f64d40a8eb37", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.199605Z", - "modified": "2024-05-08T15:22:56.199605Z", - "description": "Collect the Kubernetes and application logs of pods to external data storage to avoid tampering or deletion", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--14ab0198-d01e-4136-8e42-a3c98fe94cc7", - "target_ref": "attack-pattern--c44d516c-5c82-4914-a37a-2aca006d4a14", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": "attack-pattern--fe4d2ffe-5b17-4a08-8fd4-5f1f1bd36619", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4309,36 +4316,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--c17f9a3f-ef25-4c11-ae3a-37d33049134d", - "created": "2024-05-08T15:22:56.201611Z", - "modified": "2024-05-08T15:22:56.201611Z", - "name": "Network intrusion prevention", - "description": "Use intrusion detection signatures and web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster.\n\nAdapting the network intrusion prevention solution to Kubernetes environment might be needed to route network traffic destined to services through it.\nIn some cases, this will be done by deploying a containerized version of a network intrusion prevention solution to the Kubernetes cluster and be part of the cluster network, and in some cases, routing ingress traffic to Kubernetes services through an external appliance, requiring that all ingress traffic will only come from such an appliance.", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9007%20Network%20intrusion%20prevention/", - "external_id": "MS-M9007" - } - ], - "x_mitre_ids": [ - "M1031" - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--efdd2248-5844-4b83-8b88-ddc9f10e3311", + "id": "relationship--58d81031-aac2-416c-a191-703afb143397", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.201719Z", - "modified": "2024-05-08T15:22:56.201719Z", - "description": "Use intrusion detection signatures and web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and 
service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--c17f9a3f-ef25-4c11-ae3a-37d33049134d", - "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": "attack-pattern--d5984b7c-841e-467b-8f84-781b4add1789", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4346,33 +4334,17 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, - { - "type": "course-of-action", - "spec_version": "2.1", - "id": "course-of-action--16b1618d-8f02-412b-8344-dcc66fafd08f", - "created": "2024-05-08T15:22:56.203489Z", - "modified": "2024-05-08T15:22:56.203489Z", - "name": "Disable service account auto mount", - "description": "", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9025%20Disable%20service%20account%20auto%20mount/", - "external_id": "MS-M9025" - } - ] - }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9d5118f8-227f-4875-b9c1-d45ec317f7e8", + "id": "relationship--0bbe557c-9ac5-4349-bcd5-6ed0df52dfdd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.203589Z", - "modified": "2024-05-08T15:22:56.203589Z", - "description": "", + "created": "2022-10-26T13:06:11.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions", "relationship_type": "mitigates", - "source_ref": "course-of-action--16b1618d-8f02-412b-8344-dcc66fafd08f", - "target_ref": "attack-pattern--803699f9-ecc6-4df1-ba23-39413f2538ee", + "source_ref": "course-of-action--6d1b03cd-a2d5-4c50-b9fb-43f19393e2f1", + "target_ref": "attack-pattern--29acaaf4-cd92-43f7-a6bb-933a172ae52a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4383,9 +4355,9 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--2e0b0daa-c0e9-42c7-807e-6f3fd0872882", - "created": "2024-05-08T15:22:56.205377Z", - "modified": "2024-05-08T15:22:56.205377Z", + "id": "course-of-action--f67dcfd5-3ee8-4100-9d60-665aa3f98dc1", + "created": "2024-05-15T03:39:51.142006Z", + "modified": "2024-05-15T03:39:51.142006Z", "name": "Secure CI/CD environment", "description": "Security code repositories and CI/CD environment by placing gates to restrict unauthorized access and modification of content. This can include enforcing RBAC permissions to access and make changes to code, artifacts and build pipelines, ensure governed process for pull-request approval, apply branch policies and others.", "external_references": [ @@ -4399,13 +4371,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--516c362d-01e1-44df-9b7c-29f243f27a89", + "id": "relationship--fbe192dc-787b-45ae-90e8-cf184b867d6a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.205477Z", - "modified": "2024-05-08T15:22:56.205477Z", + "created": "2022-10-19T20:25:37.000Z", + "modified": "2022-10-28T11:26:39.000Z", "description": "Security code repositories and CI/CD environment by placing gates to restrict unauthorized access and modification of content", "relationship_type": "mitigates", - "source_ref": "course-of-action--2e0b0daa-c0e9-42c7-807e-6f3fd0872882", + "source_ref": "course-of-action--f67dcfd5-3ee8-4100-9d60-665aa3f98dc1", "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4417,33 +4389,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--3b86fb19-87fc-4765-8ae0-1230ce738c2a", - "created": "2024-05-08T15:22:56.207152Z", - "modified": "2024-05-08T15:22:56.207152Z", - "name": "Avoid running management interface on containers", - "description": "Avoid running SSH daemon, as well as other management interfaces, if they aren\u2019t necessary for the application\u2019s functionality.", + "id": "course-of-action--91b29f5f-3691-4f7f-a23a-b104a93fa10a", + "created": "2024-05-15T03:39:51.164002Z", + "modified": "2024-05-15T03:39:51.164002Z", + "name": "Avoid using web-hosted manifest for Kubelet", + "description": "", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9015%20Avoid%20running%20management%20interface%20on%20containers/", - "external_id": "MS-M9015" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9032%20Avoid%20using%20web-hosted%20manifest%20for%20Kubelet/", + "external_id": "MS-M9032" } - ], - "x_mitre_ids": [ - "M1042" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--021a4287-68df-4d15-a53d-aca210ac5fba", + "id": "relationship--4790d8c7-e38d-4515-b52a-e3c67181d9f2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.207254Z", - "modified": "2024-05-08T15:22:56.207254Z", - "description": "Avoid running SSH daemon, as well as other management interfaces, if they aren\u2019t necessary for the application\u2019s functionality", + "created": "2022-10-25T14:08:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "", "relationship_type": "mitigates", - "source_ref": "course-of-action--3b86fb19-87fc-4765-8ae0-1230ce738c2a", - "target_ref": "attack-pattern--e38e1771-dbc4-45dc-aeef-56b7b236267e", + "source_ref": "course-of-action--91b29f5f-3691-4f7f-a23a-b104a93fa10a", + "target_ref": 
"attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4454,33 +4423,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--edc65489-8e21-4ed2-9b02-3bfb455ecde1", - "created": "2024-05-08T15:22:56.209345Z", - "modified": "2024-05-08T15:22:56.209345Z", - "name": "Remove tools from container images", - "description": "Attackers often use built-in executables to run their malicious code. Removing unused executables from the image filesystem can prevent such activity. Examples of executables that are commonly used in malicious activity include: sh, bash, curl, wget, chmod and more.", + "id": "course-of-action--319be813-fae2-44c6-a98f-d19423cd0ab5", + "created": "2024-05-15T03:39:51.196889Z", + "modified": "2024-05-15T03:39:51.196889Z", + "name": "Require strong authentication to services", + "description": "Use strong authentication when exposing sensitive interfaces to the Internet. For example, attacks were observed against exposed Kubeflow and Argo workloads that were not configured to use OpenID Connect or other authentication methods.\n\nUse strong authentication methods to the Kubernetes API that will prevent attackers from gaining access to the cluster even if valid credentials such as kubeconfig were achieved. For example, in AKS use AAD authentication instead of basic authentication. 
By using AAD authentication, a short-lived credential of the cluster is retrieved after authenticating to AAD.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9012%20Remove%20tools%20from%20container%20images/", - "external_id": "MS-M9012" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9009%20Require%20strong%20authentication%20to%20services/", + "external_id": "MS-M9009" } - ], - "x_mitre_ids": [ - "M1042" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9cfdb87c-af40-45a3-ab41-108b2171cc7a", + "id": "relationship--57ca0b03-fe25-4502-bd10-9457f9018d6f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.209448Z", - "modified": "2024-05-08T15:22:56.209448Z", - "description": "Attackers often use built-in executables to run their malicious code", + "created": "2022-10-20T10:28:30.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use strong authentication when exposing sensitive interfaces to the Internet", "relationship_type": "mitigates", - "source_ref": "course-of-action--edc65489-8e21-4ed2-9b02-3bfb455ecde1", - "target_ref": "attack-pattern--7cf4655f-5199-4277-9fcf-2f1ac6886b38", + "source_ref": "course-of-action--319be813-fae2-44c6-a98f-d19423cd0ab5", + "target_ref": "attack-pattern--45fc989a-2e0d-4962-a7db-9cfdfba24574", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4491,14 +4457,32 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--4c8ed604-f737-4520-a091-dbeb148d9fc2", + "id": "relationship--94ccb16c-7a52-4145-a3b4-f7561e17494b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.209526Z", - "modified": "2024-05-08T15:22:56.209526Z", - "description": "Attackers often use built-in executables to run their malicious code", + "created": "2022-10-24T10:05:51.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use strong authentication when exposing sensitive interfaces to the Internet", "relationship_type": "mitigates", - "source_ref": "course-of-action--edc65489-8e21-4ed2-9b02-3bfb455ecde1", - "target_ref": "attack-pattern--9ee3bd08-a57a-4ddd-bc33-6a2082a8ffb8", + "source_ref": "course-of-action--319be813-fae2-44c6-a98f-d19423cd0ab5", + "target_ref": "attack-pattern--4b2381d1-0046-4662-92aa-7d8e9f6f13be", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "tmfk" + ], + "x_mitre_version": "0.1", + "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--d3f0e11e-0329-4cab-aa8c-b4f7b09f472e", + "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use strong authentication when exposing sensitive interfaces to the Internet", + "relationship_type": "mitigates", + "source_ref": "course-of-action--319be813-fae2-44c6-a98f-d19423cd0ab5", + "target_ref": "attack-pattern--bf6b361a-d4f2-4ba5-af66-21a77a7a0a11", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4509,33 +4493,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--3f52a1a4-fdc8-44d8-9b3b-093f8cb7fd5c", - "created": "2024-05-08T15:22:56.212461Z", - "modified": "2024-05-08T15:22:56.212461Z", - "name": "Restrict file and directory permissions", - "description": "", + "id": "course-of-action--0fbf6f7c-0e57-4deb-95c1-b7b35d6e0ef7", + "created": "2024-05-15T03:39:51.2552Z", + "modified": "2024-05-15T03:39:51.2552Z", + "name": "Remove unused secrets from the cluster", + "description": "Remove unused secrets objects from the cluster.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9016%20Restrict%20file%20and%20directory%20permissions/", - "external_id": "MS-M9016" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9023%20Remove%20unused%20secrets%20from%20the%20cluster/", + "external_id": "MS-M9023" } - ], - "x_mitre_ids": [ - "M1022" ] }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--bb9a35da-8778-4d5f-a5fe-9d71c531ed7e", + "id": "relationship--11a97dca-c8a3-437d-a1e0-e855232bd9c3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.212566Z", - "modified": "2024-05-08T15:22:56.212566Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Remove unused secrets objects from the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--3f52a1a4-fdc8-44d8-9b3b-093f8cb7fd5c", - "target_ref": "attack-pattern--8d94abd4-4ef6-4026-866b-57bc1da7f0b9", + "source_ref": "course-of-action--0fbf6f7c-0e57-4deb-95c1-b7b35d6e0ef7", + "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4543,17 +4524,36 @@ "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, + { + "type": "course-of-action", + "spec_version": "2.1", + "id": "course-of-action--11489e40-e90e-4154-abc6-dba7cd93b491", + "created": "2024-05-15T03:39:51.280318Z", + "modified": "2024-05-15T03:39:51.280318Z", + "name": "Use managed secret store", + "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster. This allows cloud-level management of the secret which includes permission management, expiration management, secret rotation, auditing, etc. The integration of cloud secret stores with Kubernetes is done by using Secrets Store CSI Driver, which is implemented by all major cloud providers.", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9022%20Use%20managed%20secret%20store/", + "external_id": "MS-M9022" + } + ], + "x_mitre_ids": [ + "M1029" + ] + }, { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1858f521-084f-4965-a366-d7188de510e8", + "id": "relationship--566a170f-76c6-4a7e-8c22-d02c39def619", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.212643Z", - "modified": "2024-05-08T15:22:56.212643Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--3f52a1a4-fdc8-44d8-9b3b-093f8cb7fd5c", - "target_ref": "attack-pattern--611158b3-4ba0-4309-a55b-9420d88c7a67", + "source_ref": "course-of-action--11489e40-e90e-4154-abc6-dba7cd93b491", + "target_ref": "attack-pattern--d02e70ba-de3b-4a0b-940d-4c06202a7bc5", 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -4564,14 +4564,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--cce2028a-859d-4e6f-bfc1-4cc776ee1580", + "id": "relationship--3edc3696-1ecc-4493-b160-0eb35dbb153d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.212722Z", - "modified": "2024-05-08T15:22:56.212722Z", - "description": "", + "created": "2022-10-25T08:08:39.000Z", + "modified": "2022-10-28T11:26:39.000Z", + "description": "Use cloud secret store, such as Azure Key Vault, to securely store secrets that are used by the workloads in the cluster", "relationship_type": "mitigates", - "source_ref": "course-of-action--3f52a1a4-fdc8-44d8-9b3b-093f8cb7fd5c", - "target_ref": "attack-pattern--3b2712a9-2121-4148-a337-74d3596fb0cc", + "source_ref": "course-of-action--11489e40-e90e-4154-abc6-dba7cd93b491", + "target_ref": "attack-pattern--439f1b74-63c5-460c-ab70-1f9463314643", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4582,30 +4582,29 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--d5dc6d39-2ebd-4e7a-a5cf-d168af52b958", - "created": "2024-05-08T15:22:56.215558Z", - "modified": "2024-05-08T15:22:56.215558Z", - "name": "Gate images pushed to registries", - "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement. Some container registries can support gates that will prevent pushing images, while others might quarantine images after they were already push to the registry. Ensuring that gates exists at the registry level can help preventing bypass of gates at the CI/CD pipelines level.", + "id": "course-of-action--8b376e3a-27a5-440d-9f6a-6cd9bffbbc7f", + "created": "2024-05-15T03:39:51.325172Z", + "modified": "2024-05-15T03:39:51.325172Z", + "name": "Image assurance policy", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies. 
By ensuring consistent and comprehensive image assurance policy across the build, ship and run development stages.\n\nOne approach of ensuring images passes assurance or compliance checks it to sign the container images, so the image signature can be checks downstream when deploying to Kubernetes clusters at runtime.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005/MS-M9005.002%20Gate%20images%20pushed%20to%20registries/", - "external_id": "MS-M9005.002" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005%20Image%20assurance%20policy/", + "external_id": "MS-M9005" } ], "x_mitre_ids": [ "M1016", "M1045" - ], - "x_mitre_parent_mitigation": "MS-M9005" + ] }, { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--3463d40a-efed-490f-9059-928c4c3237c6", - "created": "2024-05-08T15:22:56.218185Z", - "modified": "2024-05-08T15:22:56.218185Z", + "id": "course-of-action--b8aa7ff9-2c6d-4522-b507-5dabaa2e9fc6", + "created": "2024-05-15T03:39:51.333113Z", + "modified": "2024-05-15T03:39:51.333113Z", "name": "Gate generated images in CI/CD pipeline", "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements.", "external_references": [ 
@@ -4624,29 +4623,30 @@ { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--679283b1-18dc-4249-b1b0-8a0fbcc86819", - "created": "2024-05-08T15:22:56.221362Z", - "modified": "2024-05-08T15:22:56.221362Z", - "name": "Image assurance policy", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies. By ensuring consistent and comprehensive image assurance policy across the build, ship and run development stages.\n\nOne approach of ensuring images passes assurance or compliance checks it to sign the container images, so the image signature can be checks downstream when deploying to Kubernetes clusters at runtime.", + "id": "course-of-action--77b8fc81-2d20-4fa6-9b41-9ac5509a87b3", + "created": "2024-05-15T03:39:51.337162Z", + "modified": "2024-05-15T03:39:51.337162Z", + "name": "Gate images pushed to registries", + "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement. Some container registries can support gates that will prevent pushing images, while others might quarantine images after they were already push to the registry. 
Ensuring that gates exists at the registry level can help preventing bypass of gates at the CI/CD pipelines level.", "external_references": [ { "source_name": "mitre-attack", - "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005%20Image%20assurance%20policy/", - "external_id": "MS-M9005" + "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/mitigations/MS-M9005/MS-M9005.002%20Gate%20images%20pushed%20to%20registries/", + "external_id": "MS-M9005.002" } ], "x_mitre_ids": [ "M1016", "M1045" - ] + ], + "x_mitre_parent_mitigation": "MS-M9005" }, { "type": "course-of-action", "spec_version": "2.1", - "id": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", - "created": "2024-05-08T15:22:56.225976Z", - "modified": "2024-05-08T15:22:56.225976Z", + "id": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", + "created": "2024-05-15T03:39:51.343565Z", + "modified": "2024-05-15T03:39:51.343565Z", "name": "Gate images deployed to Kubernetes cluster", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements. This can include limiting images to be deployed only from trusted registries, to have digital signature or pass vulnerability scanning and other checks. This can prevent potential adversaries from using their own malicious images in the cluster. Also, this ensures that only images that passed the security compliance policies of the organization are deployed in the cluster. Kubernetes admission controller mechanism is one of the commonly used tools for implementing such policy.", "external_references": [ 
@@ -4665,13 +4665,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--782c7775-83f3-4459-8fb9-28da08fdee61", + "id": "relationship--d5807d7e-f2c8-4327-990a-e4af75a0bc0d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226156Z", - "modified": "2024-05-08T15:22:56.226156Z", - "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", + "created": "2024-05-15T06:39:51.351219Z", + "modified": "2024-05-15T06:39:51.351246Z", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", - "source_ref": "course-of-action--d5dc6d39-2ebd-4e7a-a5cf-d168af52b958", + "source_ref": "course-of-action--8b376e3a-27a5-440d-9f6a-6cd9bffbbc7f", "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4683,13 +4683,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--1ce40510-0136-4ae0-a9f8-8f3ec51f8864", + "id": "relationship--437f7861-883a-4867-91db-baf03277714c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226244Z", - "modified": "2024-05-08T15:22:56.226244Z", - "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", + "created": "2024-05-15T06:39:51.359322Z", + "modified": "2024-05-15T06:39:51.359354Z", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", - "source_ref": "course-of-action--d5dc6d39-2ebd-4e7a-a5cf-d168af52b958", + "source_ref": "course-of-action--8b376e3a-27a5-440d-9f6a-6cd9bffbbc7f", "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4701,13 +4701,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--81ec6e6f-fa3f-4040-a724-833699364643", + "id": "relationship--1791ff5f-a7fe-4a8c-867f-7e4d4457ce04", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226315Z", - "modified": "2024-05-08T15:22:56.226315Z", - "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", + "created": "2024-05-15T06:39:51.37399Z", + "modified": "2024-05-15T06:39:51.37402Z", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", - "source_ref": "course-of-action--d5dc6d39-2ebd-4e7a-a5cf-d168af52b958", + "source_ref": "course-of-action--8b376e3a-27a5-440d-9f6a-6cd9bffbbc7f", "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4719,14 +4719,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--2c6feeef-2531-451c-9e47-a13a805a4de0", + "id": "relationship--fe50d167-7eac-4b71-9df8-8d7d11926ddf", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226383Z", - "modified": "2024-05-08T15:22:56.226383Z", - "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", + "created": "2024-05-15T06:39:51.386704Z", + "modified": "2024-05-15T06:39:51.386741Z", + "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", "relationship_type": "mitigates", - "source_ref": "course-of-action--3463d40a-efed-490f-9059-928c4c3237c6", - "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", + "source_ref": "course-of-action--8b376e3a-27a5-440d-9f6a-6cd9bffbbc7f", + "target_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4737,14 +4737,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--bbdc57a5-e9ed-46a2-b3d4-3ee56d8af96f", + "id": "relationship--dfbf2ef0-8462-45f4-a8c6-f11f23d63772", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226449Z", - "modified": "2024-05-08T15:22:56.226449Z", + "created": "2024-05-15T06:39:51.400917Z", + "modified": "2024-05-15T06:39:51.400957Z", "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--3463d40a-efed-490f-9059-928c4c3237c6", - "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "source_ref": "course-of-action--b8aa7ff9-2c6d-4522-b507-5dabaa2e9fc6", + "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" @@ -4755,14 +4755,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--5965c723-db2a-4155-b030-b81df136f30d", + "id": "relationship--82395a4c-bfed-47bd-807b-3cb03a841444", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226518Z", - "modified": "2024-05-08T15:22:56.226518Z", + "created": "2024-05-15T06:39:51.414615Z", + "modified": "2024-05-15T06:39:51.414656Z", "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--3463d40a-efed-490f-9059-928c4c3237c6", - "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "source_ref": "course-of-action--b8aa7ff9-2c6d-4522-b507-5dabaa2e9fc6", + "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4773,14 +4773,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--ef484610-1321-492b-af5b-53474922901a", + "id": "relationship--c55c3f5c-434f-499b-8d81-cee4a6ac7e1f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.22659Z", - "modified": "2024-05-08T15:22:56.22659Z", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", + "created": "2024-05-15T06:39:51.429706Z", + "modified": "2024-05-15T06:39:51.429746Z", + "description": "Placing gates in the CI\\CD pipeline that can cancel or fail pipeline execution to block container images not meeting content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--679283b1-18dc-4249-b1b0-8a0fbcc86819", - "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", + "source_ref": "course-of-action--b8aa7ff9-2c6d-4522-b507-5dabaa2e9fc6", + "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4791,14 +4791,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--d901a4f8-0606-4f4a-9492-73a13c34322c", + "id": "relationship--064d14e1-cd81-4478-9b06-440eda1fc860", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226665Z", - "modified": "2024-05-08T15:22:56.226665Z", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", + "created": "2024-05-15T06:39:51.444788Z", + "modified": "2024-05-15T06:39:51.444833Z", + "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", "relationship_type": "mitigates", - "source_ref": "course-of-action--679283b1-18dc-4249-b1b0-8a0fbcc86819", - "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", + "source_ref": "course-of-action--77b8fc81-2d20-4fa6-9b41-9ac5509a87b3", + "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4809,14 +4809,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--3efd61e1-bd89-4247-8e79-6ce2cbfd02a4", + "id": "relationship--b875a9d5-550b-47e5-89fa-e76b3d86b7dd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226731Z", - "modified": "2024-05-08T15:22:56.226731Z", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", + "created": "2024-05-15T06:39:51.460242Z", + "modified": "2024-05-15T06:39:51.4605Z", + "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", "relationship_type": "mitigates", - "source_ref": "course-of-action--679283b1-18dc-4249-b1b0-8a0fbcc86819", - "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", + "source_ref": "course-of-action--77b8fc81-2d20-4fa6-9b41-9ac5509a87b3", + "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4827,14 +4827,14 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--5bce60d2-b755-4e27-8de0-e0038326bfec", + "id": "relationship--58581176-17db-460f-96e3-4cb863d9af1d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226798Z", - "modified": "2024-05-08T15:22:56.226798Z", - "description": "Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies", + "created": "2024-05-15T06:39:51.476617Z", + "modified": "2024-05-15T06:39:51.476676Z", + "description": "Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement", "relationship_type": "mitigates", - "source_ref": "course-of-action--679283b1-18dc-4249-b1b0-8a0fbcc86819", - "target_ref": "attack-pattern--edc890da-4123-49d0-86a0-0a43d5c5feb6", + "source_ref": "course-of-action--77b8fc81-2d20-4fa6-9b41-9ac5509a87b3", + "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "tmfk" 
@@ -4845,13 +4845,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--3ddb2c6b-331e-487a-9855-96dd151f9867", + "id": "relationship--f2921043-7046-4c06-bc44-b90a5c37c4af", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226867Z", - "modified": "2024-05-08T15:22:56.226867Z", + "created": "2024-05-15T06:39:51.493907Z", + "modified": "2024-05-15T06:39:51.493963Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", + "source_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", "target_ref": "attack-pattern--dd0446c0-b85a-4ecb-8ab8-99c361371742", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -4863,13 +4863,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--ad664846-1b62-4e02-8ce0-623262539cf3", + "id": "relationship--639ad88a-b3b9-423f-9987-877c08f0e1b2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.226933Z", - "modified": "2024-05-08T15:22:56.226933Z", + "created": "2024-05-15T06:39:51.518899Z", + "modified": "2024-05-15T06:39:51.518948Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", + "source_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", "target_ref": "attack-pattern--bd38bd98-df53-440a-aa5d-47e6c6f47fec", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4881,13 +4881,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--818f2493-52f8-4de3-8a76-26bd4052f960", + "id": "relationship--7952a030-cadf-41a2-96f2-11081f6b8f56", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.227002Z", - "modified": "2024-05-08T15:22:56.227002Z", + "created": "2024-05-15T06:39:51.534173Z", + "modified": "2024-05-15T06:39:51.534211Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", + "source_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", "target_ref": "attack-pattern--270260f1-c662-435a-9248-fb63519dc00d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -4899,13 +4899,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9dfe3caa-7bcd-469c-8d8d-ff81bf8eb61e", + "id": "relationship--d634d899-4763-406f-832c-093eab2072d0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.227071Z", - "modified": "2024-05-08T15:22:56.227071Z", + "created": "2024-05-15T06:39:51.548264Z", + "modified": "2024-05-15T06:39:51.548301Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", + "source_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", "target_ref": "attack-pattern--aa9a94a6-1e06-48b7-9b39-994b20299364", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4917,13 +4917,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--069fcf2f-4170-4e63-9360-1bf93c20315b", + "id": "relationship--9ba23a5c-ccdb-4a05-ab6e-66123659c312", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.227135Z", - "modified": "2024-05-08T15:22:56.227135Z", + "created": "2024-05-15T06:39:51.562848Z", + "modified": "2024-05-15T06:39:51.562901Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", + "source_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", "target_ref": "attack-pattern--8d025efc-881c-4330-9356-c4b6d6332e3f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -4935,13 +4935,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--2353bac2-6ec5-4a61-acad-b9e42591c080", + "id": "relationship--4e263973-3d3e-45bb-a496-f5f033294bc4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.2272Z", - "modified": "2024-05-08T15:22:56.2272Z", + "created": "2024-05-15T06:39:51.577846Z", + "modified": "2024-05-15T06:39:51.5779Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", + "source_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", "target_ref": "attack-pattern--cedbb8ab-4a7f-4dec-bd82-8171d0d167dc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4953,13 +4953,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--b4208483-e02b-4e4b-b303-264f034c2084", + "id": "relationship--8b211336-1561-4b85-be2a-308d20b1f3b5", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.227264Z", - "modified": "2024-05-08T15:22:56.227264Z", + "created": "2024-05-15T06:39:51.595129Z", + "modified": "2024-05-15T06:39:51.595167Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", + "source_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", "target_ref": "attack-pattern--73a2f53e-ed6e-4b9b-a66d-84cab775522d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -4971,13 +4971,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--4cf8585c-b005-4c2e-8dcd-7d4a3c0af182", + "id": "relationship--9d0123fe-7884-4240-b246-d073b91dd1c6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.227329Z", - "modified": "2024-05-08T15:22:56.227329Z", + "created": "2024-05-15T06:39:51.60965Z", + "modified": "2024-05-15T06:39:51.60971Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", + "source_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", "target_ref": "attack-pattern--a8e5e325-4a6c-46ea-a878-fb92b60d2c48", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
@@ -4989,13 +4989,13 @@ { "type": "relationship", "spec_version": "2.1", - "id": "relationship--9f441bcf-b520-42be-bac8-fb0065b002ac", + "id": "relationship--44605b12-a205-4764-bbda-c1ec86bfbf48", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", - "created": "2024-05-08T15:22:56.227393Z", - "modified": "2024-05-08T15:22:56.227393Z", + "created": "2024-05-15T06:39:51.6255Z", + "modified": "2024-05-15T06:39:51.62555Z", "description": "Gate deployment of images to Kubernetes cluster to prevent deploying images that does not meet the content trust requirements", "relationship_type": "mitigates", - "source_ref": "course-of-action--01a28b4b-5034-46ce-ac17-b6df2338bda0", + "source_ref": "course-of-action--b1f9e7eb-8335-4261-ae1d-103d778904fb", "target_ref": "attack-pattern--18665544-2f75-48c1-a95f-28536139f77f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ @@ -5007,10 +5007,10 @@ { "type": "x-mitre-matrix", "spec_version": "2.1", - "id": "x-mitre-matrix--72e4aa48-183b-4dd1-ab2e-f0bf87259ed8", + "id": "x-mitre-matrix--8891ab92-0b5d-4c1a-8c71-3cabe88ed697", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-09-29T08:52:58.000Z", - "modified": "2024-05-08T18:22:56.242Z", + "modified": "2024-05-15T06:39:51.640Z", "name": "Threat Matrix for Kubernetes", "external_references": [ { @@ -5054,4 +5054,4 @@ "x_mitre_version": "0.1" } ] -} \ No newline at end of file +} diff --git a/index.json b/index.json index e5ed1d7..c7f96a2 100644 --- a/index.json +++ b/index.json @@ -32,4 +32,4 @@ "description": "STIX 2.1 Threat Matrix for Kubernetes collection bundle with it's own source name, killchain name and domain" } ] -} \ No newline at end of file +} diff --git a/make.bat b/make.bat index e0c8793..3eacb0b 100644 --- a/make.bat +++ b/make.bat @@ -4,4 +4,4 @@ popd CALL pipenv install mkdir build -CALL pipenv run python ./src/parse.py \ No newline at end of file +CALL pipenv run python ./src/parse.py 
diff --git a/make.sh b/make.sh
index 20a4530..721d8ce 100755
--- a/make.sh
+++ b/make.sh
@@ -4,4 +4,4 @@ popd
 pipenv install
 mkdir -p build
-pipenv run python ./src/parse.py
\ No newline at end of file
+pipenv run python ./src/parse.py
diff --git a/pyproject.toml b/pyproject.toml
new file mode 100644
index 0000000..d4690ad
--- /dev/null
+++ b/pyproject.toml
@@ -0,0 +1,43 @@
+[tool.ruff]
+line-length = 99
+src = ["src"]
+
+[tool.ruff.lint]
+select = ["ALL"]
+ignore = [
+ "ARG",
+ "ANN",
+ "D",
+ "EM101",
+ "EM102",
+ "PT001",
+ "PT023",
+ "SIM108",
+ "SIM114",
+ "TRY003",
+ "PLW2901",
+ "RET505",
+ "PLR0913",
+ "FA",
+ "S101",
+ "PLR2004",
+ "TCH001",
+ "PGH003",
+ "TD001",
+ "TD002",
+ "TD003",
+ "FIX001",
+ "FIX002",
+ "TCH002",
+ "ERA001",
+ "N818",
+ "E501",
+ "PTH118",
+ "PERF401",
+
+ # maybe fix :/
+ "DTZ005",
+ "PTH123",
+
+
+]
diff --git a/src/custom_tmfk_objects.py b/src/custom_tmfk_objects.py
index 6a67a1a..ff44299 100644
--- a/src/custom_tmfk_objects.py
+++ b/src/custom_tmfk_objects.py
@@ -2,8 +2,8 @@ from collections import OrderedDict
 from datetime import datetime
+from typing import ClassVar
-from constants import Mode, get_tmfk_source
 from stix2 import CustomObject, KillChainPhase
 from stix2.properties import (
 BooleanProperty,
@@ -16,6 +16,8 @@ )
 from stix2.v21.base import _STIXBase21
+from constants import Mode, get_tmfk_source
+
 class CustomStixObject:
 """Custom STIX object used for ATRM objects."""
@@ -61,7 +63,7 @@ def get_id(self, mode: Mode):
 if external_references:
 for reference in external_references:
 if reference.get("external_id") and reference.get(
- "source_name"
+ "source_name",
 ) == get_tmfk_source(mode=mode):
 return reference["external_id"]
 return None
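Review bot: `DTZ005` is parked under `# maybe fix :/` in the `ignore` list, and the regenerated bundle in this same change shows the cost of deferring it: objects stamped in one build run carry `created` values three hours apart (`2024-05-15T03:39:51.2552Z` on the course-of-action objects versus `2024-05-15T06:39:51.351219Z` on the relationships and `06:39:51.640Z` on the matrix), which is what a naive local-time `datetime.now()` serialised with a `Z` suffix would produce on one of the two paths. On those relationships `created` and `modified` also differ by tens of microseconds, presumably two separate default-factory calls rather than one captured timestamp. The values enter the bundle at the `created=relationship_dt.created` / `modified=relationship_dt.modified` lines of the `parse.py` hunks (`@@ -83,9 +83,9 @@` and `@@ -118,9 +113,9 @@`); the producer of `relationship_dt` is outside this diff. I would drop `DTZ005` from the ignore list and capture one aware timestamp per run, e.g. `now = datetime.now(tz=timezone.utc)`, so consumers that order or deduplicate STIX objects by `modified` see a single clock.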
@@ -132,16 +134,18 @@ class Relationship(CustomStixObject): class ObjectRef(_STIXBase21): - _properties = OrderedDict( + _properties: ClassVar[OrderedDict] = OrderedDict( [ ("object_ref", StringProperty(required=True)), ( "object_modified", TimestampProperty( - precision="millisecond", precision_constraint="min", required=True + precision="millisecond", + precision_constraint="min", + required=True, ), ), - ] + ], ) diff --git a/src/git_tools.py b/src/git_tools.py index 80d419b..ee59af3 100644 --- a/src/git_tools.py +++ b/src/git_tools.py @@ -1,7 +1,7 @@ from contextlib import contextmanager from datetime import datetime -from typing import Iterator, Generator from io import BytesIO +from typing import Generator, Iterator import git diff --git a/src/parse.py b/src/parse.py index 00da466..c67e9c0 100644 --- a/src/parse.py +++ b/src/parse.py @@ -2,6 +2,9 @@ from datetime import datetime from pathlib import Path +from mitreattack.stix20.custom_attack_objects import Matrix +from stix2 import Bundle, parse + from constants import ( ATTACK_SPEC_VERSION, CREATOR_IDENTITY, @@ -19,8 +22,7 @@ get_tmfk_source, ) from custom_tmfk_objects import Collection, ObjectRef, Relationship -from git_tools import get_last_commit_hash, get_first_commit_date -from mitreattack.stix20.custom_attack_objects import Matrix +from git_tools import get_first_commit_date, get_last_commit_hash from parse_mitigation import ( handle_folder, parse_mitigation, @@ -28,7 +30,6 @@ ) from parse_tactic import parse_tactic from parse_technique import parse_technique -from stix2 import Bundle, parse def parse_tmfk(mode: ModeEnumAttribute) -> None: @@ -53,7 +54,7 @@ def parse_tmfk(mode: ModeEnumAttribute) -> None: filter( lambda x: x.endswith(".md") and x != "index.md", os.listdir(MITIGATIONS_PATH), - ) + ), ) folders = list(filter(lambda x: "." not in x, os.listdir(MITIGATIONS_PATH))) 
@@ -70,7 +71,6 @@ def parse_tmfk(mode: ModeEnumAttribute) -> None: file_path=file_path, technique=technique, ) - created, modified = relationship_dt["created"], relationship_dt["modified"] objects.append( Relationship( @@ -83,9 +83,9 @@ def parse_tmfk(mode: ModeEnumAttribute) -> None: x_mitre_modified_by_ref=CREATOR_IDENTITY, x_mitre_attack_spec_version="2.1.0", x_mitre_domains=[get_tmfk_domain(mode=mode)], - created=created, - modified=modified, - ) + created=relationship_dt.created, + modified=relationship_dt.modified, + ), ) for folder in folders: @@ -102,11 +102,6 @@ def parse_tmfk(mode: ModeEnumAttribute) -> None: file_path=file_path, technique=technique, ) - created, modified = ( - relationship_dt["created"], - relationship_dt["modified"], - ) - objects.append( Relationship( source_ref=idx, @@ -118,9 +113,9 @@ def parse_tmfk(mode: ModeEnumAttribute) -> None: x_mitre_modified_by_ref=CREATOR_IDENTITY, x_mitre_attack_spec_version="2.1.0", x_mitre_domains=[get_tmfk_domain(mode=mode)], - created=created, - modified=modified, - ) + created=relationship_dt.created, + modified=relationship_dt.modified, + ), ) matrix = Matrix( @@ -133,7 +128,7 @@ def parse_tmfk(mode: ModeEnumAttribute) -> None: "external_id": "tmfk", "source_name": get_tmfk_source(mode=mode), "url": "https://microsoft.github.io/Threat-Matrix-for-Kubernetes", - } + }, ], name="Threat Matrix for Kubernetes", description="The purpose of the threat matrix for Kubernetes is to conceptualize the known tactics, techniques, and procedures (TTP) that adversaries may use against Kubernetes environments. Inspired from MITRE ATT&CK, the threat matrix for Kubernetes is designed to give quick insight into a potential TTP that an adversary may be using in their attack campaign. The threat matrix for Kubernetes contains also mitigations specific to Kubernetes environments and attack techniques.", 
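Review bot: `created=relationship_dt.created, modified=relationship_dt.modified` passes `None` for both when no revision of the mitigation file mentions the technique, and stix2 appears to discard `None` keyword arguments and fill each property from its own default separately, which would explain why the regenerated bundle in this commit has a relationship whose `created` and `modified` differ by a few microseconds. A freshly created object should have `created == modified`, so resolve one fallback before building the object: `now = datetime.now(tz=timezone.utc)`, `created = relationship_dt.created or now`, `modified = relationship_dt.modified or created`. The same applies to the second `Relationship(...)` call in the folder loop, and a tz-aware fallback keeps the default consistent with git's tz-aware `committed_datetime`. `timezone` is not imported in `parse.py` as far as I can see; `parse_tmfk` and both `Relationship(` calls start outside this hunk.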
@@ -160,23 +155,18 @@ def parse_tmfk(mode: ModeEnumAttribute) -> None: x_mitre_version=TMFK_VERSION, created_by_ref=CREATOR_IDENTITY, x_mitre_contents=[ - ObjectRef(object_ref=obj.id, object_modified=obj.modified) - for obj in objects + ObjectRef(object_ref=obj.id, object_modified=obj.modified) for obj in objects ], ) bundle = Bundle(collection, objects, allow_custom=True) commit_hash = get_last_commit_hash(TMFK_PATH) - output_file_last = ( - Path(__file__).parent.parent / "build" / f"tmfk_{mode.name.lower()}.json" - ) + output_file_last = Path(__file__).parent.parent / "build" / f"tmfk_{mode.name.lower()}.json" with open(output_file_last, "w", encoding="utf-8") as f: f.write(bundle.serialize(pretty=True)) output_file_versioned = ( - Path(__file__).parent.parent - / "build" - / f"tmfk_{mode.name.lower()}_{commit_hash}.json" + Path(__file__).parent.parent / "build" / f"tmfk_{mode.name.lower()}_{commit_hash}.json" ) with open(output_file_versioned, "w", encoding="utf-8") as f: f.write(bundle.serialize(pretty=True)) diff --git a/src/parse_mitigation.py b/src/parse_mitigation.py index 46acb38..198dbe1 100644 --- a/src/parse_mitigation.py +++ b/src/parse_mitigation.py @@ -1,17 +1,18 @@ import os import re +from dataclasses import dataclass from datetime import datetime -from typing import Literal import html_to_json +from marko.ext.gfm import gfm +from stix2 import CourseOfAction + from constants import ( MITIGATIONS_PATH, get_tmfk_source, ) from custom_tmfk_objects import Technique from git_tools import iter_file_commits, open_file_at_commit -from marko.ext.gfm import gfm -from stix2 import CourseOfAction def handle_description_markup(description_row: dict) -> str: @@ -32,7 +33,9 @@ def handle_description_markup(description_row: dict) -> str: def craft_mitigation_url( - tmfk_id: str, mitigation_name: str, parent_mitigations: list + tmfk_id: str, + mitigation_name: str, + parent_mitigations: list, ) -> str: mid = "/" if len(parent_mitigations) != 0: 
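Review bot: `bundle.serialize(pretty=True)` is run twice to write the same content to `output_file_last` and `output_file_versioned`; serialising once and writing the string to both paths guarantees the two artefacts are byte-identical and halves the work on a bundle of this size. Something like `payload = bundle.serialize(pretty=True)` followed by `for out in (output_file_last, output_file_versioned): out.write_text(payload, encoding="utf-8")` replaces the two `with open(...)` blocks, and the file already uses `pathlib.Path` for these paths. `parse_tmfk` starts outside the hunk.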
@@ -45,7 +48,7 @@ def craft_mitigation_url( def parse_mitigation(file_path: str) -> tuple[CourseOfAction, list]: - with open(file_path, "r", encoding="utf-8") as f: + with open(file_path, encoding="utf-8") as f: content = f.read() html_content = gfm(content) json_content = html_to_json.convert(html_content) @@ -56,13 +59,15 @@ def parse_mitigation(file_path: str) -> tuple[CourseOfAction, list]: mitre_attack_mitigations = [] parent_mitigations = [] - if "_values" in json_content["p"][1]: - if "MITRE mitigation: -" not in json_content["p"][1]["_values"]: - t = [a["_value"] for a in json_content["p"][1]["a"]] - mitre_attack_mitigations = list( - filter(lambda x: x.startswith("M") and not x.startswith("MS"), t) - ) - parent_mitigations = list(filter(lambda x: x.startswith("MS"), t)) + if ( + "_values" in json_content["p"][1] + and "MITRE mitigation: -" not in json_content["p"][1]["_values"] + ): + t = [a["_value"] for a in json_content["p"][1]["a"]] + mitre_attack_mitigations = list( + filter(lambda x: x.startswith("M") and not x.startswith("MS"), t), + ) + parent_mitigations = list(filter(lambda x: x.startswith("MS"), t)) parent_mitigation = None if len(parent_mitigations) != 0: @@ -79,7 +84,7 @@ def parse_mitigation(file_path: str) -> tuple[CourseOfAction, list]: parent_mitigations=parent_mitigations, ), "external_id": tmfk_id, - } + }, ], name=mitigation_name, description="\n\n".join( @@ -87,7 +92,7 @@ def parse_mitigation(file_path: str) -> tuple[CourseOfAction, list]: handle_description_markup(d) for d in json_content["p"][2:] if "_value" in d and "!!!" not in d["_value"] - ] + ], ), x_mitre_ids=mitre_attack_mitigations, x_mitre_parent_mitigation=parent_mitigation, 
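Review bot: The `CourseOfAction(...)` built here still appears to get a random stix2-generated `id` (the call starts outside the hunk, so an explicit `id=` may be hidden), whereas tactics and techniques derive their ids from `create_uuid_from_string`; the regenerated bundle in this commit shows the `source_ref` of an otherwise unchanged `mitigates` relationship moving from one `course-of-action--` UUID to another, which is what unstable ids look like to a downstream consumer that tracks objects by id across releases. I would pass `id="course-of-action--" + str(create_uuid_from_string(val=f"microsoft.tmfk.mitigation.{tmfk_id}"))`, importing `create_uuid_from_string` from `utils`, and derive relationship ids from source and target the same way so a re-run without content changes produces an identical bundle apart from timestamps.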
@@ -120,8 +125,8 @@ def parse_relationship_created_modified_fields( repo_path: str, file_path: str, technique: Technique, -) -> dict[Literal["created", "modified"], datetime]: - relationship_dt = {"created": None, "modified": None} +) -> "RelationshipDT": + relationship_dt = RelationshipDT() for commit in iter_file_commits(repo_path, file_path): repo_file_path = file_path.replace(str(repo_path), "") @@ -138,9 +143,15 @@ def parse_relationship_created_modified_fields( has_relation = bool(re.search(technique_param.lower(), mitigation_data.lower())) if has_relation: - relationship_dt["created"] = commit.committed_datetime - relationship_dt["modified"] = ( - relationship_dt["modified"] or relationship_dt["created"] + relationship_dt.created = commit.committed_datetime + relationship_dt.modified = ( + relationship_dt.modified or relationship_dt.created ) return relationship_dt + + +@dataclass +class RelationshipDT: + created: datetime | None = None + modified: datetime | None = None diff --git a/src/parse_tactic.py b/src/parse_tactic.py index 97f0328..b0b8bbe 100644 --- a/src/parse_tactic.py +++ b/src/parse_tactic.py @@ -1,6 +1,9 @@ import re import html_to_json +from marko.ext.gfm import gfm +from mitreattack.stix20.custom_attack_objects import Tactic + from constants import ( ATTACK_SPEC_VERSION, CREATOR_IDENTITY, @@ -12,13 +15,11 @@ get_tmfk_source, ) from git_tools import get_file_creation_date, get_file_modification_date -from marko.ext.gfm import gfm -from mitreattack.stix20.custom_attack_objects import Tactic from utils import create_uuid_from_string def parse_tactic(file_path: str, tactic_name: str, mode: Mode) -> Tactic: - with open(file_path, "r", encoding="utf-8") as f: + with open(file_path, encoding="utf-8") as f: content = f.read() html_content = gfm(content) json_content = html_to_json.convert(html_content) 
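Review bot: `RelationshipDT` is defined after its only user and referenced through the string annotation `-> "RelationshipDT"`; moving the dataclass above `parse_relationship_created_modified_fields` lets the annotation be a plain name and keeps the module in definition order. The function also needs a docstring stating the contract the caller must handle: `created` is the oldest commit of `file_path` whose content mentions the technique, `modified` the newest, and both stay `None` when no revision mentions it. While here, the unchanged `re.search(technique_param.lower(), mitigation_data.lower())` uses the technique name as a regular expression, so `re.escape(technique_param.lower())` would avoid false matches or errors from `.`, `(` or `+` in a name. The middle of the loop body lies between the two hunks.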
@@ -27,7 +28,7 @@ def parse_tactic(file_path: str, tactic_name: str, mode: Mode) -> Tactic: tactic_description = json_content["p"][1]["_value"] tactic_link = f"https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/{tactic_name}" splitted = re.sub( - "([A-Z][a-z]+)", r" \1", re.sub("([A-Z]+)", r" \1", tactic_name) + "([A-Z][a-z]+)", r" \1", re.sub("([A-Z]+)", r" \1", tactic_name), ).split() tactic_display_name = " ".join(splitted) modified_datetime = get_file_modification_date( @@ -40,7 +41,7 @@ def parse_tactic(file_path: str, tactic_name: str, mode: Mode) -> Tactic: ) mitre_tactic_id = "x-mitre-tactic--" + str( - create_uuid_from_string(val=f"microsoft.tmfk.tactic.{tactic_id}") + create_uuid_from_string(val=f"microsoft.tmfk.tactic.{tactic_id}"), ) return Tactic( id=mitre_tactic_id, diff --git a/src/parse_technique.py b/src/parse_technique.py index 43b42b8..6410e9f 100644 --- a/src/parse_technique.py +++ b/src/parse_technique.py @@ -1,4 +1,6 @@ import html_to_json +from marko.ext.gfm import gfm + from constants import ( CREATOR_IDENTITY, TMFK_PATH, @@ -9,7 +11,6 @@ ) from custom_tmfk_objects import Technique from git_tools import get_file_creation_date, get_file_modification_date -from marko.ext.gfm import gfm from utils import create_uuid_from_string @@ -28,7 +29,7 @@ def handle_description_markup(description_row: dict) -> str: def parse_technique(file_path: str, mode: Mode) -> tuple[Technique, dict]: - with open(file_path, "r", encoding="utf-8") as f: + with open(file_path, encoding="utf-8") as f: content = f.read() html_content = gfm(content) json_content = html_to_json.convert(html_content) 
@@ -47,8 +48,7 @@ def parse_technique(file_path: str, mode: Mode) -> tuple[Technique, dict]: t = [a["_value"] for a in json_content["p"][1]["a"]] mitre_attack_techniques = list(filter(lambda x: x.startswith("T"), t)) tmfk_tactics = [ - t.replace(" ", "-").lower() - for t in list(filter(lambda x: not x.startswith("T"), t)) + t.replace(" ", "-").lower() for t in list(filter(lambda x: not x.startswith("T"), t)) ] page_name = technique_name.replace(" ", "%20") @@ -61,9 +61,10 @@ def parse_technique(file_path: str, mode: Mode) -> tuple[Technique, dict]: ] mitre_technique_id = "attack-pattern--" + str( - create_uuid_from_string(val=f"microsoft.tmfk.technique.{tmfk_id}") + create_uuid_from_string(val=f"microsoft.tmfk.technique.{tmfk_id}"), ) - technique = Technique( + + return Technique( id=mitre_technique_id, x_mitre_platforms=[TMFK_PLATFORM], x_mitre_domains=[get_tmfk_domain(mode=mode)], @@ -73,7 +74,7 @@ def parse_technique(file_path: str, mode: Mode) -> tuple[Technique, dict]: external_references=external_references, name=technique_name, description="\n\n".join( - [handle_description_markup(d) for d in json_content["p"][2:]] + [handle_description_markup(d) for d in json_content["p"][2:]], ), kill_chain_phases=[ { @@ -88,4 +89,3 @@ def parse_technique(file_path: str, mode: Mode) -> tuple[Technique, dict]: x_mitre_attack_spec_version="2.1.0", x_mitre_ids=mitre_attack_techniques, ) - return technique diff --git a/src/utils.py b/src/utils.py index 3f24a66..399302b 100644 --- a/src/utils.py +++ b/src/utils.py @@ -3,5 +3,5 @@ def create_uuid_from_string(val: str) -> uuid.UUID: - hex_string = hashlib.md5(val.encode("UTF-8")).hexdigest() + hex_string = hashlib.md5(val.encode("UTF-8")).hexdigest() # noqa: S324 return uuid.UUID(hex=hex_string, version=4)
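Review bot: `# noqa: S324` hides the finding without recording why MD5 is acceptable here, and it leaves the call failing with `ValueError` on FIPS-mode hosts where the default MD5 constructor is disabled; `hashlib.md5(val.encode("UTF-8"), usedforsecurity=False).hexdigest()` states the intent to both the linter and the runtime (Python 3.9+, and the project already uses `X | None` syntax). A one-line comment such as `# MD5 only derives a stable UUID from a name; it is not used for integrity` belongs above it. Note that the result is labelled `version=4` (random) although it is name-derived; the standard form is `uuid.uuid5(namespace, val)`, but switching would change every existing id, so that is a decision rather than a drop-in fix.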