diff --git a/docs/reference/graph/graph.schema.json b/docs/reference/graph/graph.schema.json
index 78edfe10..5e1262ef 100644
--- a/docs/reference/graph/graph.schema.json
+++ b/docs/reference/graph/graph.schema.json
@@ -102,11 +102,18 @@
         },
         "description": {
           "type": "string"
+        },
+        "references": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/StandardRef"
+          }
         }
       },
       "required": [
         "description",
-        "label"
+        "label",
+        "references"
       ],
       "title": "Edge"
     },
@@ -218,6 +225,30 @@
       ],
       "title": "From"
     },
+    "StandardRef": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "type": {
+          "type": "string",
+          "enum": [
+            "ATTCK",
+            "URL"
+          ]
+        },
+        "id": {
+          "type": "string"
+        },
+        "label": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "type",
+        "id"
+      ],
+      "title": "StandardRef"
+    },
     "Type": {
       "type": "string",
       "enum": [
diff --git a/docs/reference/graph/graph.yaml b/docs/reference/graph/graph.yaml
index 73d3c3d8..a49cf61a 100644
--- a/docs/reference/graph/graph.yaml
+++ b/docs/reference/graph/graph.yaml
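Review bot: `references` is now listed under Edge's `required`, but the array schema has no `minItems`, so an empty `[]` satisfies the new constraint and the schema still does not guarantee that an edge carries a reference. If the intent is that every edge maps to at least one standard, add `"minItems": 1` next to `"type": "array"`, and `"uniqueItems": true` so the same reference cannot be listed twice. If some edges legitimately have no mapping, leaving the key optional is a clearer signal than a required-but-empty list.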
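Review bot: In `StandardRef`, `id` is an unconstrained string regardless of `type`, so a typo such as an empty id, a lowercase `t1611` or a URL under `type: ATTCK` validates cleanly and only surfaces when someone tries to resolve it. Since `type` is already a closed enum, the id format can be tied to it: for `ATTCK` a pattern covering technique, sub-technique and tactic ids, for `URL` `"format": "uri"` (an annotation unless the validator is configured to enforce formats, so pair it with `"minLength": 1`). The sketch below uses draft-07 `if`/`then`; the file's `definitions` keyword suggests draft-07 or earlier, so if it is actually draft-04/06 the same split can be expressed with `oneOf` and a single-value `enum` on `type`. The `allOf` goes after the `required` array inside `StandardRef`.

```json
      "required": [
        "type",
        "id"
      ],
      "allOf": [
        {
          "if": { "properties": { "type": { "const": "ATTCK" } } },
          "then": { "properties": { "id": { "pattern": "^(T\\d{4}(\\.\\d{3})?|TA\\d{4})$" } } }
        },
        {
          "if": { "properties": { "type": { "const": "URL" } } },
          "then": { "properties": { "id": { "format": "uri", "minLength": 1 } } }
        }
      ],
      "title": "StandardRef"
```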
@@ -412,76 +412,180 @@ spec: edges: - label: CE_MODULE_LOAD description: A container can load a kernel module on the node. + references: + - type: ATTCK + id: T1611 + label: Escape to Host - label: CE_NSENTER description: >- Container escape via the nsenter built-in linux program that allows executing a binary into another namespace. + references: + - type: ATTCK + id: T1611 + label: Escape to Host - label: CE_PRIV_MOUNT description: >- Mount the host disk and gain access to the host via arbitrary filesystem write + references: + - type: ATTCK + id: T1611 + label: Escape to Host - label: CE_SYS_TRACE description: >- Given the requisite capabilities, abuse the legitimate OS debugging mechanisms to escape the container via attaching to a node process. + references: + - type: ATTCK + id: T1611 + label: Escape to Host - label: CE_UMH_CORE_PATTERN description: >- Abuse the User Mode Helper (UMH) mechanism to execute arbitrary code in the host. + references: + - type: ATTCK + id: T1611 + label: Escape to Host - label: CE_VAR_LOG_SYMLINK description: Abuse the /var/log symlink to gain access to the host filesystem. + references: + - type: ATTCK + id: T1611 + label: Escape to Host - label: EXPLOIT_HOST_READ description: Read sensitive files on the host. + references: + - type: ATTCK + id: T1611 + label: Escape to Host - label: EXPLOIT_HOST_WRITE description: Write sensitive files on the host. + references: + - type: ATTCK + id: T1611 + label: Escape to Host - label: EXPLOIT_CONTAINERD_SOCK description: Exploit the containerd socket to gain access to the host. + references: + - type: ATTCK + id: TA0008 + label: Lateral Movement - label: IDENTITY_ASSUME description: >- Represents the capacity to act as an Identity via ownership of a service account token, user PKI certificate, etc. + references: + - type: ATTCK + id: T1078 + label: Valid Accounts - label: CONTAINER_ATTACH description: >- Attach to a running container to execute commands or inspect the container. 
+ references: + - type: ATTCK + id: TA0008 + label: Lateral Movement - label: ENDPOINT_EXPLOIT description: >- Represents a network endpoint exposed by a container that could be exploited by an attacker (via means known or unknown). This can correspond to a Kubernetes service, node service, node port, or container port. + references: + - type: ATTCK + id: T1210 + label: Exploitation of Remote Services - label: PERMISSION_DISCOVER description: Discover permissions granted to an identity. + references: + - type: ATTCK + id: T1069 + label: Permission Groups Discovery - label: EXPLOIT_HOST_TRAVERSE description: >- This attack represents the ability to steal a K8s API token from a container via access to a mounted parent volume of the /var/lib/kubelet/pods directory. + references: + - type: ATTCK + id: T1552 + label: Unsecured Credentials - label: TOKEN_STEAL description: >- This attack represents the ability to steal a K8s API token from an accessible volume. + references: + - type: ATTCK + id: T1552 + label: Unsecured Credentials - label: ROLE_BIND description: Bind a role to an identity. + references: + - type: ATTCK + id: T1078 + label: Valid Accounts - label: IDENTITY_IMPERSONATE description: Impersonate an identity. + references: + - type: ATTCK + id: T1078 + label: Valid Accounts - label: POD_ATTACH description: Attach to a running pod to execute commands or inspect the pod. + references: + - type: ATTCK + id: TA0008 + label: Lateral Movement - label: POD_CREATE description: Create a pod on a node. + references: + - type: ATTCK + id: TA0008 + label: Lateral Movement - label: POD_EXEC description: Execute a command in a pod. + references: + - type: ATTCK + id: TA0008 + label: Lateral Movement - label: POD_PATCH description: Patch a pod on a node. + references: + - type: ATTCK + id: TA0008 + label: Lateral Movement - label: SHARE_PS_NAMESPACE description: All containers in a pod share the same process namespace. 
+ references: + - type: ATTCK + id: TA0008 + label: Lateral Movement - label: TOKEN_BRUTEFORCE description: Bruteforce a token. + references: + - type: ATTCK + id: T1528 + label: Steal Application Access Token - label: TOKEN_LIST description: List tokens. + references: + - type: ATTCK + id: T1528 + label: Steal Application Access Token - label: VOLUME_ACCESS description: Access a volume mounted in a container. + references: + - type: ATTCK + id: T1613 + label: Container and Resource Discovery - label: VOLUME_DISCOVER description: Discover volumes mounted in a container. + references: + - type: ATTCK + id: T1613 + label: Container and Resource Discovery # Define the properties for each edge in the graph. edgeProperties: []
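Review bot: The new `references` entries mix tactic ids (`TA0008` on EXPLOIT_CONTAINERD_SOCK, CONTAINER_ATTACH, the POD_* edges and SHARE_PS_NAMESPACE) with technique ids (`T1611`, `T1078`, `T1552`, …), so `label` is a tactic name on some edges and a technique name on others, and a consumer cannot tell which level it is reading without parsing the id prefix. Consider mapping every edge at technique level and, where a tactic is also wanted, adding it as a second reference entry so the list has one meaning. A few individual mappings look loose and are worth a second pass against the ATT&CK Containers matrix: TOKEN_BRUTEFORCE is tagged `T1528` (Steal Application Access Token) where T1110 (Brute Force) appears to be the closer fit, and VOLUME_ACCESS carries the discovery technique `T1613` although its description is about access rather than discovery. Because `label` repeats the canonical ATT&CK name next to each id, it can drift from upstream when names change; either resolve names from the id at render time or record the ATT&CK version the names were taken from. The enclosing `spec` mapping starts before this hunk.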