| ID | Description | MITRE ATT&CK Technique | MITRE ATT&CK Tactic |
|----|-------------|------------------------|---------------------|
| CE_MODULE_LOAD | Container escape: Load kernel module | Escape to Host | Privilege Escalation |
| CE_NSENTER | Container escape: nsenter | Escape to Host | Privilege Escalation |
| CE_PRIV_MOUNT | Container escape: Mount host filesystem | Escape to Host | Privilege Escalation |
| CE_SYS_PTRACE | Container escape: Attach to host process via SYS_PTRACE | Escape to Host | Privilege Escalation |
| CE_UMH_CORE_PATTERN | Container escape: Through core_pattern usermode_helper | Escape to Host | Privilege Escalation |
| CONTAINER_ATTACH | Attach to running container | N/A | Lateral Movement |
| ENDPOINT_EXPLOIT | Exploit exposed endpoint | Exploitation of Remote Services | Lateral Movement |
| EXPLOIT_CONTAINERD_SOCK | Container escape: Through mounted container runtime socket | N/A | Lateral Movement |
| EXPLOIT_HOST_READ | Read file from sensitive host mount | Escape to Host | Privilege Escalation |
| EXPLOIT_HOST_TRAVERSE | Steal service account token through kubelet host mount | Unsecured Credentials | Credential Access |
| EXPLOIT_HOST_WRITE | Container escape: Write to sensitive host mount | Escape to Host | Privilege Escalation |
| IDENTITY_ASSUME | Act as identity | Valid Accounts | Privilege Escalation |
| IDENTITY_IMPERSONATE | Impersonate user/group | Valid Accounts | Privilege Escalation |
| PERMISSION_DISCOVER | Enumerate permissions | Permission Groups Discovery | Discovery |
| POD_ATTACH | Attach to running pod | N/A | Lateral Movement |
| POD_CREATE | Create privileged pod | Scheduled Task/Job: Container Orchestration Job | Privilege Escalation |
| POD_EXEC | Exec into running pod | N/A | Lateral Movement |
| POD_PATCH | Patch running pod | N/A | Lateral Movement |
| ROLE_BIND | Create role binding | Valid Accounts | Privilege Escalation |
| SHARE_PS_NAMESPACE | Access container in shared process namespace | N/A | Lateral Movement |
| TOKEN_BRUTEFORCE | Brute-force secret name of service account token | Steal Application Access Token | Credential Access |
| TOKEN_LIST | Access service account token secrets | Steal Application Access Token | Credential Access |
| TOKEN_STEAL | Steal service account token from volume | Unsecured Credentials | Credential Access |
| CE_VAR_LOG_SYMLINK | Container escape: Arbitrary host file read via a symlink planted in a writable /var/log mount | Escape to Host | Privilege Escalation |
| VOLUME_ACCESS | Access host volume | Container and Resource Discovery | Discovery |
| VOLUME_DISCOVER | Enumerate mounted volumes | Container and Resource Discovery | Discovery |
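The table is easiest to use as a review checklist when the pod-level settings behind each edge are spelled out. The script below is an added example, not KubeHound's own code: KubeHound derives these edges from a graph of the whole cluster, whereas this is a static check over a single pod spec. The preconditions it tests (privileged implies every capability, `SYS_PTRACE` only matters together with `hostPID`, a writable `/var/log` hostPath enables the symlink read, a hostPath under `/var/lib/kubelet` exposes other pods' tokens, the runtime socket paths) are the author's assumptions drawn from the edge descriptions, and the sample pod specs are constructed for the example.

```python
"""Map a pod spec to the KubeHound edge IDs its settings could enable.

Added example, not KubeHound's own code. The preconditions are assumptions
derived from the edge descriptions in the table, not KubeHound's exact rules.
"""
from typing import Any

# Assumed socket paths for common container runtimes.
RUNTIME_SOCKETS = {
    "/var/run/docker.sock",
    "/run/containerd/containerd.sock",
    "/var/run/containerd/containerd.sock",
    "/run/crio/crio.sock",
}


def _under(path: str, root: str) -> bool:
    """True if path is root itself or lies below it."""
    r = root.rstrip("/") or "/"
    return r == "/" or path == r or path.startswith(r + "/")


def overlaps(mount_path: str, target: str) -> bool:
    """True if a hostPath mount of mount_path exposes target or a part of it."""
    m = mount_path.rstrip("/") or "/"
    return _under(target, m) or _under(m, target)


def effective_caps(container: dict[str, Any]) -> set[str]:
    """Capabilities the container process holds; privileged implies the full set."""
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        return {"ALL"}
    added = (sc.get("capabilities") or {}).get("add") or []
    return {c.upper().removeprefix("CAP_") for c in added}


def has_cap(caps: set[str], name: str) -> bool:
    return "ALL" in caps or name in caps


def find_edges(pod: dict[str, Any]) -> set[str]:
    """Return the edge IDs from the table that this pod spec could enable."""
    spec = pod.get("spec") or {}
    edges: set[str] = set()
    host_pid = bool(spec.get("hostPID"))
    if spec.get("shareProcessNamespace"):
        edges.add("SHARE_PS_NAMESPACE")
    # hostPath volumes by name; readOnly is set on the volumeMount, not the volume.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes") or [] if "hostPath" in v}
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        caps = effective_caps(c)
        privileged = bool((c.get("securityContext") or {}).get("privileged"))
        if has_cap(caps, "SYS_MODULE"):
            edges.add("CE_MODULE_LOAD")          # insmod into the host kernel
        if has_cap(caps, "SYS_PTRACE") and host_pid:
            edges.add("CE_SYS_PTRACE")           # host PIDs visible and traceable
        if privileged:
            edges.add("CE_PRIV_MOUNT")           # mount the host block device
            edges.add("CE_UMH_CORE_PATTERN")     # /proc/sys writable when privileged
            if host_pid:
                edges.add("CE_NSENTER")          # nsenter into PID 1's namespaces
        for m in c.get("volumeMounts") or []:
            path = host_paths.get(m.get("name"))
            if path is None:
                continue
            read_only = bool(m.get("readOnly"))
            edges.add("EXPLOIT_HOST_READ")
            if not read_only:
                edges.add("EXPLOIT_HOST_WRITE")
            if any(overlaps(path, s) for s in RUNTIME_SOCKETS):
                edges.add("EXPLOIT_CONTAINERD_SOCK")
            if overlaps(path, "/var/lib/kubelet/pods"):
                edges.add("EXPLOIT_HOST_TRAVERSE")  # other pods' projected tokens
            if not read_only and overlaps(path, "/var/log"):
                edges.add("CE_VAR_LOG_SYMLINK")     # symlink served via kubelet /logs
            if not read_only and overlaps(path, "/proc/sys/kernel/core_pattern"):
                edges.add("CE_UMH_CORE_PATTERN")
    return edges


# Constructed sample specs (not from a real cluster).
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "node-debug"},
    "spec": {
        "hostPID": True,
        "shareProcessNamespace": True,
        "volumes": [
            {"name": "sock", "hostPath": {"path": "/run/containerd/containerd.sock"}},
            {"name": "logs", "hostPath": {"path": "/var/log"}},
        ],
        "containers": [{
            "name": "shell", "image": "busybox",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "sock", "mountPath": "/sock"},
                             {"name": "logs", "mountPath": "/host/log"}],
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "app", "image": "nginx",
            "securityContext": {"privileged": False, "capabilities": {"drop": ["ALL"]}},
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
    },
}

if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        print(pod["metadata"]["name"], sorted(find_edges(pod)))
```

Run it against `kubectl get pod -o json` output to get the candidate edge IDs per pod; a non-empty result is a reason to trace the corresponding edge in the KubeHound graph, not proof of an exploitable path, since the identity-, token- and RBAC-based edges in the table depend on cluster state this single-spec check cannot see.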