ENDPOINT_EXPLOIT

Represents a network endpoint exposed by a container that could be exploited by an attacker (via means known or unknown). This can correspond to a Kubernetes service, node service, node port, or container port.

| Source | Destination | MITRE ATT&CK |
| --- | --- | --- |
| Endpoint | Container | Exploitation of Remote Services, T1210 |

Details

Exposed endpoints represent the most common entry point for attackers into a cluster.

Prerequisites

A network endpoint exposed by a container.

Checks

Endpoints exposed outside the cluster can be queried via kubectl:

kubectl get endpointslices

Alternatively, open ports can be discovered by traditional port scanning techniques or a tool like KubeHunter.
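For a defender's inventory, the output of the kubectl check can be turned into one row per endpoint together with the pod that backs it, which is the relationship this edge describes. The following is an added example, not part of the original page: it assumes the JSON comes from `kubectl get endpointslices -A -o json`, the function name `endpoint_inventory` is hypothetical, and the sample data is constructed.

```python
import json

# Constructed sample in the shape of `kubectl get endpointslices -A -o json`
# (discovery.k8s.io/v1); all names and addresses are made up.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "web-abc12", "namespace": "shop",
               "labels": {"kubernetes.io/service-name": "web"}},
  "addressType": "IPv4",
  "ports": [{"name": "http", "protocol": "TCP", "port": 8080}],
  "endpoints": [
    {"addresses": ["10.0.1.5"], "conditions": {"ready": true},
     "targetRef": {"kind": "Pod", "namespace": "shop", "name": "web-7d9f-x2k"}},
    {"addresses": ["10.0.1.6"], "conditions": {"ready": false},
     "targetRef": {"kind": "Pod", "namespace": "shop", "name": "web-7d9f-q8m"}}]},
 {"metadata": {"name": "ext-db-1", "namespace": "shop",
               "labels": {"kubernetes.io/service-name": "ext-db"}},
  "addressType": "IPv4",
  "ports": [{"protocol": "TCP", "port": 5432}],
  "endpoints": [{"addresses": ["192.0.2.10"]}]}
]}
""")

def endpoint_inventory(slice_list, ready_only=True):
    """Return one row per (service, address, port) with the backing pod, if any."""
    rows = []
    for sl in slice_list.get("items", []):
        meta = sl.get("metadata", {})
        ns = meta.get("namespace", "")
        labels = meta.get("labels") or {}
        svc = labels.get("kubernetes.io/service-name", meta.get("name"))
        # No ports defined on the slice: still record the address, with port None.
        ports = sl.get("ports") or [{}]
        for ep in sl.get("endpoints") or []:
            # An unset ready condition is treated as ready; only an explicit false is skipped.
            ready = (ep.get("conditions") or {}).get("ready")
            if ready_only and ready is False:
                continue
            ref = ep.get("targetRef") or {}
            # Endpoints without a Pod targetRef (e.g. manually managed ones) have no pod.
            pod = f'{ref.get("namespace", ns)}/{ref["name"]}' if ref.get("kind") == "Pod" else None
            for addr in ep.get("addresses", []):
                for p in ports:
                    rows.append({"service": f"{ns}/{svc}", "address": addr, "port": p.get("port"),
                                 "protocol": p.get("protocol", "TCP"), "pod": pod})
    return rows

if __name__ == "__main__":
    for row in endpoint_inventory(SAMPLE):
        print(row)
```

Rows whose `pod` is `None` point at addresses not backed by a pod in the cluster and are worth reviewing separately.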

Exploitation

This edge simply indicates that an endpoint is exposed by a container. It does not signal that the endpoint is exploitable but serves as a useful starting point for path traversal queries.

Defences

None

Calculation

References: