Attack Reference
All edges in the KubeHound graph represent attacks with a net "improvement" in an attacker's position or a lateral movement opportunity.
Note
This includes actions that are not exploits on their own. For instance, assuming an identity (IDENTITY_ASSUME) is modelled as an attack, because acting as another identity changes the set of permissions available to the attacker.
| ID | Name | MITRE ATT&CK Technique | MITRE ATT&CK Tactic | Coverage |
|---|---|---|---|---|
| CE_MODULE_LOAD | Container escape: Load kernel module | Escape to host | Privilege Escalation | Full |
| CE_NSENTER | Container escape: nsenter | Escape to host | Privilege Escalation | Full |
| CE_PRIV_MOUNT | Container escape: Mount host filesystem | Escape to host | Privilege Escalation | Full |
| CE_SYS_PTRACE | Container escape: Attach to host process via SYS_PTRACE | Escape to host | Privilege Escalation | Full |
| CE_UMH_CORE_PATTERN | Container escape: Through core_pattern usermode_helper | Escape to host | Privilege Escalation | Full |
| CE_VAR_LOG_SYMLINK | Arbitrary file reads on the host | Escape to host | Privilege Escalation | Full |
| CONTAINER_ATTACH | Attach to running container | Container Administration Command | Execution | Full |
| ENDPOINT_EXPLOIT | Exploit exposed endpoint | Exploitation of Remote Services | Lateral Movement | Full |
| EXPLOIT_CONTAINERD_SOCK | Container escape: Through mounted container runtime socket | Deploy Container | Execution | None |
| EXPLOIT_HOST_READ | Read file from sensitive host mount | Escape to host | Privilege Escalation | Full |
| EXPLOIT_HOST_TRAVERSE | Steal service account token through kubelet host mount | Unsecured Credentials | Credential Access | Full |
| EXPLOIT_HOST_WRITE | Container escape: Write to sensitive host mount | Escape to host | Privilege Escalation | Full |
| IDENTITY_ASSUME | Act as identity | Valid Accounts | Privilege Escalation | Full |
| IDENTITY_IMPERSONATE | Impersonate user/group | Valid Accounts | Privilege Escalation | None |
| PERMISSION_DISCOVER | Enumerate permissions | Permission Groups Discovery | Discovery | Full |
| POD_ATTACH | Attach to running pod | Container Administration Command | Execution | Full |
| POD_CREATE | Create privileged pod | Deploy Container | Execution | Full |
| POD_EXEC | Exec into running pod | Container Administration Command | Execution | Full |
| POD_PATCH | Patch running pod | Container Administration Command | Execution | Full |
| ROLE_BIND | Create role binding | Valid Accounts | Privilege Escalation | Partial |
| SHARE_PS_NAMESPACE | Access container in shared process namespace | Taint Shared Content | Lateral Movement | Full |
| TOKEN_BRUTEFORCE | Brute-force secret name of service account token | Steal Application Access Token | Credential Access | Full |
| TOKEN_LIST | Access service account token secrets | Steal Application Access Token | Credential Access | Full |
| TOKEN_STEAL | Steal service account token from volume | Unsecured Credentials | Credential Access | Full |
| VOLUME_ACCESS | Access host volume | Container and Resource Discovery | Discovery | Full |
| VOLUME_DISCOVER | Enumerate mounted volumes | Container and Resource Discovery | Discovery | Full |
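In practice this table is read alongside query output: a Gremlin traversal of the KubeHound graph returns a path, and each edge label on that path is one of the IDs above, so the MITRE technique and tactic for every hop can be looked up directly. The queries below are an added example for this page, not code from the KubeHound documentation. They are raw Gremlin in Groovy syntax for the Gremlin console and assume that the traversal source is bound to `g`, that container and permission-set vertices carry the labels `Container` and `PermissionSet`, that a permission set KubeHound considers critical (for example one granting cluster-admin) carries the boolean property `critical`, that edges are labelled with the attack IDs from the table, and that `app-web` is a placeholder container name.

```groovy
// Added example, not from the KubeHound docs. Raw Gremlin (Groovy syntax) for the
// Gremlin console, with the traversal source bound to `g`.
// Assumptions: vertex labels "Container" and "PermissionSet", a boolean property
// "critical" on PermissionSet vertices, edge labels equal to the attack IDs in the
// table above, and "app-web" as a placeholder container name.

// 1. Every attack available in one hop from a given container.
//    Each result pairs an attack ID (edge label, maps to one row of the table)
//    with the type of vertex it leads to (Node, Pod, Identity, ...).
g.V().hasLabel("Container").has("name", "app-web")
  .outE().as("attack").inV().as("target")
  .select("attack", "target").by(label).by(label)

// 2. Attack paths from any container to a critical permission set, reported as the
//    alternating sequence of vertex types and attack IDs on the path. The loop bound
//    stops the search on graphs where no critical permission set is reachable; the
//    trailing has() drops paths that ended because of the bound rather than success.
g.V().hasLabel("Container")
  .repeat(outE().inV().simplePath())
  .until(has("critical", true).or().loops().is(10))
  .has("critical", true)
  .path().by(label)
  .dedup()
  .limit(20)

// 3. The same search restricted to paths whose first hop is a container escape
//    (any CE_* edge): the point at which a foothold in a pod becomes node-level access.
g.V().hasLabel("Container")
  .outE().hasLabel("CE_MODULE_LOAD", "CE_NSENTER", "CE_PRIV_MOUNT",
                   "CE_SYS_PTRACE", "CE_UMH_CORE_PATTERN", "CE_VAR_LOG_SYMLINK")
  .inV()
  .repeat(outE().inV().simplePath())
  .until(has("critical", true).or().loops().is(8))
  .has("critical", true)
  .path().by(label)
  .dedup()
  .limit(20)

// 4. Which attack IDs occur in the graph at all, with counts. Rows whose Coverage is
//    "None" will never appear here, because KubeHound does not compute those edges.
g.E().groupCount().by(label)
```

Query 2 uses `outE().inV()` rather than `out()` so that the edges, and therefore the attack IDs, are part of the returned path; with `out()` only the vertices would be reported and the mapping to this table would be lost. Query 4 is a quick way to check which rows of the table are relevant to a particular cluster before reading individual paths.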