Skip to content

CONTAINER_ATTACH

Source Destination MITRE
Pod Container Lateral Movement, TA0008

Attach to a container running within a pod given access to the pod.

Details

In order to attach a container running in a pod, you can create a debugging container with the kubectl debug command. It will spawn an ephemeral container that will attach to the console. To do so you need: + The target pod + The image to spawn as an ephemeral container

In order to access the target process, you need the id of the targeted container. Then by using the --target flag, the ephemeral container will share the linux process namespace with the target By default, the process namespace is not shared between containers in a pod.

Prerequisites

Permissions to debug the pod

Checks

Check if sufficient permissions to attach to pods in the namespace of the target. First find the pod's namespace and id:

 kubectl get pods  --all-namespaces | grep <pod name>

Then check permissions:

kubectl auth can-i get pods/debug -n <namespace>

Exploitation

Create and attach an ephemeral debugging container to the target pod via:

kubectl debug -it <pod name> --image=busybox:1.28 --target=<target container>

To determine the containers running in the pod (required to set a target above), you can use:

kubectl describe pod <pod name>

Defences

Monitoring

  • Monitor K8s audit logs for pod debug events as these should be fairly unusual, but may be triggered by legitimate SRE or developer activities.

Calculation

References: