| CE_MODULE_LOAD |
Container escape: Load kernel module |
Escape to host |
Privilege escalation |
| CE_NSENTER |
Container escape: nsenter |
Escape to host |
Privilege escalation |
| CE_PRIV_MOUNT |
Container escape: Mount host filesystem |
Escape to host |
Privilege escalation |
| CE_SYS_PTRACE |
Container escape: Attach to host process via SYS_PTRACE |
Escape to host |
Privilege escalation |
| CE_UMH_CORE_PATTERN |
Container escape: through core_pattern usermode_helper |
Escape to host |
Privilege escalation |
| CONTAINER_ATTACH |
Attach to running container |
N/A |
Lateral Movement |
| ENDPOINT_EXPLOIT |
Exploit exposed endpoint |
Exploitation of Remote Services |
Lateral Movement |
| EXPLOIT_CONTAINERD_SOCK |
Container escape: Through mounted container runtime socket |
N/A |
Lateral Movement |
| EXPLOIT_HOST_READ |
Read file from sensitive host mount |
Escape to host |
Privilege escalation |
| EXPLOIT_HOST_TRAVERSE |
Steal service account token through kubelet host mount |
Unsecured Credentials |
Credential Access |
| EXPLOIT_HOST_WRITE |
Container escape: Write to sensitive host mount |
Escape to host |
Privilege escalation |
| IDENTITY_ASSUME |
Act as identity |
Valid Accounts |
Privilege escalation |
| IDENTITY_IMPERSONATE |
Impersonate user/group |
Valid Accounts |
Privilege escalation |
| PERMISSION_DISCOVER |
Enumerate permissions |
Permission Groups Discovery |
Discovery |
| POD_ATTACH |
Attach to running pod |
N/A |
Lateral Movement |
| POD_CREATE |
Create privileged pod |
Scheduled Task/Job: Container Orchestration Job |
Privilege escalation |
| POD_EXEC |
Exec into running pod |
N/A |
Lateral Movement |
| POD_PATCH |
Patch running pod |
N/A |
Lateral Movement |
| ROLE_BIND |
Create role binding |
Valid Accounts |
Privilege Escalation |
| SHARE_PS_NAMESPACE |
Access container in shared process namespace |
N/A |
Lateral Movement |
| TOKEN_BRUTEFORCE |
Brute-force secret name of service account token |
Steal Application Access Token |
Credential Access |
| TOKEN_LIST |
Access service account token secrets |
Steal Application Access Token |
Credential Access |
| TOKEN_STEAL |
Steal service account token from volume |
Unsecured Credentials |
Credential Access |
| CE_VAR_LOG_SYMLINK |
Read file from sensitive host mount |
Escape to host |
Privilege escalation |
| VOLUME_ACCESS |
Access host volume |
Container and Resource Discovery |
Discovery |
| VOLUME_DISCOVER |
Enumerate mounted volumes |
Container and Resource Discovery |
Discovery |