Skip to content

Attack Reference

All edges in the KubeHound graph represent attacks with a net "improvement" in an attacker's position or a lateral movement opportunity.

Note

For instance, an assume role or (IDENTITY_ASSUME) is considered as an attack.

ID Name MITRE ATT&CK Technique MITRE ATT&CK Tactic Coverage
CE_MODULE_LOAD Container escape: Load kernel module Escape to host Privilege escalation Full
CE_NSENTER Container escape: nsenter Escape to host Privilege escalation Full
CE_PRIV_MOUNT Container escape: Mount host filesystem Escape to host Privilege escalation Full
CE_SYS_PTRACE Container escape: Attach to host process via SYS_PTRACE Escape to host Privilege escalation Full
CE_UMH_CORE_PATTERN Container escape: through core_pattern usermode_helper Escape to host Privilege escalation None
CE_VAR_LOG_SYMLINK Read file from sensitive host mount Escape to host Privilege escalation Full
CONTAINER_ATTACH Attach to running container N/A Lateral Movement Full
ENDPOINT_EXPLOIT Exploit exposed endpoint Exploitation of Remote Services Lateral Movement Full
EXPLOIT_CONTAINERD_SOCK Container escape: Through mounted container runtime socket N/A Lateral Movement None
EXPLOIT_HOST_READ Read file from sensitive host mount Escape to host Privilege escalation Full
EXPLOIT_HOST_TRAVERSE Steal service account token through kubelet host mount Unsecured Credentials Credential Access Full
EXPLOIT_HOST_WRITE Container escape: Write to sensitive host mount Escape to host Privilege escalation Full
IDENTITY_ASSUME Act as identity Valid Accounts Privilege escalation Full
IDENTITY_IMPERSONATE Impersonate user/group Valid Accounts Privilege escalation Full
PERMISSION_DISCOVER Enumerate permissions Permission Groups Discovery Discovery Full
POD_ATTACH Attach to running pod N/A Lateral Movement Full
POD_CREATE Create privileged pod Scheduled Task/Job: Container Orchestration Job Privilege escalation Full
POD_EXEC Exec into running pod N/A Lateral Movement Full
POD_PATCH Patch running pod N/A Lateral Movement Full
ROLE_BIND Create role binding Valid Accounts Privilege Escalation Partial
SHARE_PS_NAMESPACE Access container in shared process namespace N/A Lateral Movement Full
TOKEN_BRUTEFORCE Brute-force secret name of service account token Steal Application Access Token Credential Access Full
TOKEN_LIST Access service account token secrets Steal Application Access Token Credential Access Full
TOKEN_STEAL Steal service account token from volume Unsecured Credentials Credential Access Full
VOLUME_ACCESS Access host volume Container and Resource Discovery Discovery Full
VOLUME_DISCOVER Enumerate mounted volumes Container and Resource Discovery Discovery Full