ENDPOINT_EXPLOIT

Represents a network endpoint exposed by a container that could be exploited by an attacker (via means known or unknown). This can correspond to a Kubernetes service, node service, node port, or container port.

Source	Destination	MITRE
Endpoint	Container	Exploitation of Remote Services, T1210

Details

Exposed endpoints represent the most common entry point for attackers into a cluster.

Prerequisites

A network endpoint exposed by a container.

Checks

Endpoints exposed outside the cluster can be queried via kubectl:

kubectl get endpointslices

Alternatively open ports can be discovered by traditional port scanning techniques or a tool like KubeHunter

Exploitation

This edge simply indicates that an endpoint is exposed by a container. It does not signal that the endpoint is exploitable but serves as a useful starting point for path traversal queries.

Defences

None

Calculation

• EndpointExploitInternal
• EndpointExploitExternal

References:

• Official Kubernetes documentation: EndpointSlices