From 187aafcda7b95e5d19e09b1fdd6ed61a26314830 Mon Sep 17 00:00:00 2001
From: Thibault Normand
Date: Tue, 7 Jan 2025 10:20:43 +0100
Subject: [PATCH 1/2] feat(graph): document mitre attck in schema.
---
 docs/reference/graph/graph.schema.json | 26 ++++++++-
 docs/reference/graph/graph.yaml | 78 ++++++++++++++++++++++++++
 2 files changed, 103 insertions(+), 1 deletion(-)
diff --git a/docs/reference/graph/graph.schema.json b/docs/reference/graph/graph.schema.json
index 78edfe10..e6c93940 100644
--- a/docs/reference/graph/graph.schema.json
+++ b/docs/reference/graph/graph.schema.json
@@ -102,11 +102,18 @@
 },
 "description": {
 "type": "string"
+ },
+ "attck": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/AttckRef"
+ }
 }
 },
 "required": [
 "description",
- "label"
+ "label",
+ "attck"
 ],
 "title": "Edge"
 },
@@ -218,6 +225,23 @@
 ],
 "title": "From"
 },
+ "AttckRef": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "id": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id",
+ "name"
+ ],
+ "title": "AttckRef"
+ },
 "Type": {
 "type": "string",
 "enum": [
diff --git a/docs/reference/graph/graph.yaml b/docs/reference/graph/graph.yaml
index 73d3c3d8..fa3b341e 100644
--- a/docs/reference/graph/graph.yaml
+++ b/docs/reference/graph/graph.yaml
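Review bot: `attck` is added to `required` on `Edge`, but the array carries no `minItems`, so an edge with `attck: []` still validates and the intent that every edge has at least one mapping is not enforced; add `"minItems": 1` under `"type": "array"`. The same gap carries over unchanged to `references` in the second patch of this series. `AttckRef.id` is also a free-form string, so a mistyped identifier passes validation — the follow-up patch's `type` discriminator is the place to make that constraint conditional.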
@@ -412,76 +412,154 @@ spec: edges: - label: CE_MODULE_LOAD description: A container can load a kernel module on the node. + attck: + - id: T1611 + name: Escape to Host - label: CE_NSENTER description: >- Container escape via the nsenter built-in linux program that allows executing a binary into another namespace. + attck: + - id: T1611 + name: Escape to Host - label: CE_PRIV_MOUNT description: >- Mount the host disk and gain access to the host via arbitrary filesystem write + attck: + - id: T1611 + name: Escape to Host - label: CE_SYS_TRACE description: >- Given the requisite capabilities, abuse the legitimate OS debugging mechanisms to escape the container via attaching to a node process. + attck: + - id: T1611 + name: Escape to Host - label: CE_UMH_CORE_PATTERN description: >- Abuse the User Mode Helper (UMH) mechanism to execute arbitrary code in the host. + attck: + - id: T1611 + name: Escape to Host - label: CE_VAR_LOG_SYMLINK description: Abuse the /var/log symlink to gain access to the host filesystem. + attck: + - id: T1611 + name: Escape to Host - label: EXPLOIT_HOST_READ description: Read sensitive files on the host. + attck: + - id: T1611 + name: Escape to Host - label: EXPLOIT_HOST_WRITE description: Write sensitive files on the host. + attck: + - id: T1611 + name: Escape to Host - label: EXPLOIT_CONTAINERD_SOCK description: Exploit the containerd socket to gain access to the host. + attck: + - id: TA0008 + name: Lateral Movement - label: IDENTITY_ASSUME description: >- Represents the capacity to act as an Identity via ownership of a service account token, user PKI certificate, etc. + attck: + - id: T1078 + name: Valid Accounts - label: CONTAINER_ATTACH description: >- Attach to a running container to execute commands or inspect the container. + attck: + - id: TA0008 + name: Lateral Movement - label: ENDPOINT_EXPLOIT description: >- Represents a network endpoint exposed by a container that could be exploited by an attacker (via means known or unknown). 
This can correspond to a Kubernetes service, node service, node port, or container port. + attck: + - id: T1210 + name: Exploitation of Remote Services - label: PERMISSION_DISCOVER description: Discover permissions granted to an identity. + attck: + - id: T1069 + name: Permission Groups Discovery - label: EXPLOIT_HOST_TRAVERSE description: >- This attack represents the ability to steal a K8s API token from a container via access to a mounted parent volume of the /var/lib/kubelet/pods directory. + attck: + - id: T1552 + name: Unsecured Credentials - label: TOKEN_STEAL description: >- This attack represents the ability to steal a K8s API token from an accessible volume. + attck: + - id: T1552 + name: Unsecured Credentials - label: ROLE_BIND description: Bind a role to an identity. + attck: + - id: T1078 + name: Valid Accounts - label: IDENTITY_IMPERSONATE description: Impersonate an identity. + attck: + - id: T1078 + name: Valid Accounts - label: POD_ATTACH description: Attach to a running pod to execute commands or inspect the pod. + attck: + - id: TA0008 + name: Lateral Movement - label: POD_CREATE description: Create a pod on a node. + attck: + - id: TA0008 + name: Lateral Movement - label: POD_EXEC description: Execute a command in a pod. + attck: + - id: TA0008 + name: Lateral Movement - label: POD_PATCH description: Patch a pod on a node. + attck: + - id: TA0008 + name: Lateral Movement - label: SHARE_PS_NAMESPACE description: All containers in a pod share the same process namespace. + attck: + - id: TA0008 + name: Lateral Movement - label: TOKEN_BRUTEFORCE description: Bruteforce a token. + attck: + - id: T1528 + name: Steal Application Access Token - label: TOKEN_LIST description: List tokens. + attck: + - id: T1528 + name: Steal Application Access Token - label: VOLUME_ACCESS description: Access a volume mounted in a container. 
+ attck: + - id: T1613 + name: Container and Resource Discovery - label: VOLUME_DISCOVER description: Discover volumes mounted in a container. + attck: + - id: T1613 + name: Container and Resource Discovery # Define the properties for each edge in the graph. edgeProperties: []
From 86793d31a6981691fc9175cd0164a21f6ee96c67 Mon Sep 17 00:00:00 2001
From: Thibault Normand
Date: Tue, 7 Jan 2025 10:50:40 +0100
Subject: [PATCH 2/2] feat(graph): use generic references
---
 docs/reference/graph/graph.schema.json | 23 ++--
 docs/reference/graph/graph.yaml | 182 ++++++++++++++-----------
 2 files changed, 119 insertions(+), 86 deletions(-)
diff --git a/docs/reference/graph/graph.schema.json b/docs/reference/graph/graph.schema.json
index e6c93940..5e1262ef 100644
--- a/docs/reference/graph/graph.schema.json
+++ b/docs/reference/graph/graph.schema.json
@@ -103,17 +103,17 @@
 "description": {
 "type": "string"
 },
- "attck": {
+ "references": {
 "type": "array",
 "items": {
- "$ref": "#/definitions/AttckRef"
+ "$ref": "#/definitions/StandardRef"
 }
 }
 },
 "required": [
 "description",
 "label",
- "attck"
+ "references"
 ],
 "title": "Edge"
 },
@@ -225,22 +225,29 @@
 ],
 "title": "From"
 },
- "AttckRef": {
+ "StandardRef": {
 "type": "object",
 "additionalProperties": false,
 "properties": {
+ "type": {
+ "type": "string",
+ "enum": [
+ "ATTCK",
+ "URL"
+ ]
+ },
 "id": {
 "type": "string"
 },
- "name": {
+ "label": {
 "type": "string"
 }
 },
 "required": [
- "id",
- "name"
+ "type",
+ "id"
 ],
- "title": "AttckRef"
+ "title": "StandardRef"
 },
 "Type": {
 "type": "string",
diff --git a/docs/reference/graph/graph.yaml b/docs/reference/graph/graph.yaml
index fa3b341e..a49cf61a 100644
--- a/docs/reference/graph/graph.yaml
+++ b/docs/reference/graph/graph.yaml
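Review bot: `EXPLOIT_CONTAINERD_SOCK` is described as gaining access to the host but is mapped to the tactic `TA0008 Lateral Movement`, whereas every other edge whose description is host access (`CE_*`, `EXPLOIT_HOST_READ`, `EXPLOIT_HOST_WRITE`) maps to the technique `T1611 Escape to Host`; one of the two should change so that anyone reading the mapping for detection coverage is not misled. Relatedly, the list mixes tactic ids (`TA0008`) and technique ids (`T1611`, `T1078`, …) under the same key with nothing saying so — a comment such as `# attck ids may be a tactic (TAnnnn) or a technique (Tnnnn[.nnn]); consumers must not assume one kind` above the first `attck:` would help, or pick one granularity. `TOKEN_BRUTEFORCE` → `T1528 Steal Application Access Token` also looks off: `T1110 Brute Force` is the closer technique for a brute-force edge, with T1528 fitting `TOKEN_STEAL`/`TOKEN_LIST` better. The same mappings are carried unchanged into the second patch's `references` rewrite, so this applies there too; the enclosing `spec:` mapping starts before the hunk.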
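Review bot: `StandardRef.id` stays an unconstrained string for both enum values, so a mistyped ATT&CK id or a non-URL under `type: URL` validates, and with `label` dropped from `required` a `URL` reference can carry no display text at all. Make the `id` constraint conditional on `type` — `"format": "uri"` for `URL`, a pattern covering technique, sub-technique and tactic ids for `ATTCK` — and require `label` for `URL`; this needs `if`/`then`/`else` and `const`, so confirm the `$schema` draft (outside the hunk) supports them. A `description` on `StandardRef` stating what `id` denotes for each `type` would also spare consumers guessing; the fence below is the proposed shape, with the unchanged `properties` elided.
```json
"StandardRef": {
  "type": "object",
  "description": "External reference for an edge: an ATT&CK technique/tactic id or a plain URL.",
  "additionalProperties": false,
  "properties": {
    // … unchanged: type, id, label …
  },
  "required": ["type", "id"],
  "if": { "properties": { "type": { "const": "ATTCK" } } },
  "then": { "properties": { "id": { "pattern": "^(TA[0-9]{4}|T[0-9]{4}(\\.[0-9]{3})?)$" } } },
  "else": { "properties": { "id": { "format": "uri" } }, "required": ["type", "id", "label"] },
  "title": "StandardRef"
}
```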
@@ -412,154 +412,180 @@ spec: edges: - label: CE_MODULE_LOAD description: A container can load a kernel module on the node. - attck: - - id: T1611 - name: Escape to Host + references: + - type: ATTCK + id: T1611 + label: Escape to Host - label: CE_NSENTER description: >- Container escape via the nsenter built-in linux program that allows executing a binary into another namespace. - attck: - - id: T1611 - name: Escape to Host + references: + - type: ATTCK + id: T1611 + label: Escape to Host - label: CE_PRIV_MOUNT description: >- Mount the host disk and gain access to the host via arbitrary filesystem write - attck: - - id: T1611 - name: Escape to Host + references: + - type: ATTCK + id: T1611 + label: Escape to Host - label: CE_SYS_TRACE description: >- Given the requisite capabilities, abuse the legitimate OS debugging mechanisms to escape the container via attaching to a node process. - attck: - - id: T1611 - name: Escape to Host + references: + - type: ATTCK + id: T1611 + label: Escape to Host - label: CE_UMH_CORE_PATTERN description: >- Abuse the User Mode Helper (UMH) mechanism to execute arbitrary code in the host. - attck: - - id: T1611 - name: Escape to Host + references: + - type: ATTCK + id: T1611 + label: Escape to Host - label: CE_VAR_LOG_SYMLINK description: Abuse the /var/log symlink to gain access to the host filesystem. - attck: - - id: T1611 - name: Escape to Host + references: + - type: ATTCK + id: T1611 + label: Escape to Host - label: EXPLOIT_HOST_READ description: Read sensitive files on the host. - attck: - - id: T1611 - name: Escape to Host + references: + - type: ATTCK + id: T1611 + label: Escape to Host - label: EXPLOIT_HOST_WRITE description: Write sensitive files on the host. - attck: - - id: T1611 - name: Escape to Host + references: + - type: ATTCK + id: T1611 + label: Escape to Host - label: EXPLOIT_CONTAINERD_SOCK description: Exploit the containerd socket to gain access to the host. 
- attck: - - id: TA0008 - name: Lateral Movement + references: + - type: ATTCK + id: TA0008 + label: Lateral Movement - label: IDENTITY_ASSUME description: >- Represents the capacity to act as an Identity via ownership of a service account token, user PKI certificate, etc. - attck: - - id: T1078 - name: Valid Accounts + references: + - type: ATTCK + id: T1078 + label: Valid Accounts - label: CONTAINER_ATTACH description: >- Attach to a running container to execute commands or inspect the container. - attck: - - id: TA0008 - name: Lateral Movement + references: + - type: ATTCK + id: TA0008 + label: Lateral Movement - label: ENDPOINT_EXPLOIT description: >- Represents a network endpoint exposed by a container that could be exploited by an attacker (via means known or unknown). This can correspond to a Kubernetes service, node service, node port, or container port. - attck: - - id: T1210 - name: Exploitation of Remote Services + references: + - type: ATTCK + id: T1210 + label: Exploitation of Remote Services - label: PERMISSION_DISCOVER description: Discover permissions granted to an identity. - attck: - - id: T1069 - name: Permission Groups Discovery + references: + - type: ATTCK + id: T1069 + label: Permission Groups Discovery - label: EXPLOIT_HOST_TRAVERSE description: >- This attack represents the ability to steal a K8s API token from a container via access to a mounted parent volume of the /var/lib/kubelet/pods directory. - attck: - - id: T1552 - name: Unsecured Credentials + references: + - type: ATTCK + id: T1552 + label: Unsecured Credentials - label: TOKEN_STEAL description: >- This attack represents the ability to steal a K8s API token from an accessible volume. - attck: - - id: T1552 - name: Unsecured Credentials + references: + - type: ATTCK + id: T1552 + label: Unsecured Credentials - label: ROLE_BIND description: Bind a role to an identity. 
- attck: - - id: T1078 - name: Valid Accounts + references: + - type: ATTCK + id: T1078 + label: Valid Accounts - label: IDENTITY_IMPERSONATE description: Impersonate an identity. - attck: - - id: T1078 - name: Valid Accounts + references: + - type: ATTCK + id: T1078 + label: Valid Accounts - label: POD_ATTACH description: Attach to a running pod to execute commands or inspect the pod. - attck: - - id: TA0008 - name: Lateral Movement + references: + - type: ATTCK + id: TA0008 + label: Lateral Movement - label: POD_CREATE description: Create a pod on a node. - attck: - - id: TA0008 - name: Lateral Movement + references: + - type: ATTCK + id: TA0008 + label: Lateral Movement - label: POD_EXEC description: Execute a command in a pod. - attck: - - id: TA0008 - name: Lateral Movement + references: + - type: ATTCK + id: TA0008 + label: Lateral Movement - label: POD_PATCH description: Patch a pod on a node. - attck: - - id: TA0008 - name: Lateral Movement + references: + - type: ATTCK + id: TA0008 + label: Lateral Movement - label: SHARE_PS_NAMESPACE description: All containers in a pod share the same process namespace. - attck: - - id: TA0008 - name: Lateral Movement + references: + - type: ATTCK + id: TA0008 + label: Lateral Movement - label: TOKEN_BRUTEFORCE description: Bruteforce a token. - attck: - - id: T1528 - name: Steal Application Access Token + references: + - type: ATTCK + id: T1528 + label: Steal Application Access Token - label: TOKEN_LIST description: List tokens. - attck: - - id: T1528 - name: Steal Application Access Token + references: + - type: ATTCK + id: T1528 + label: Steal Application Access Token - label: VOLUME_ACCESS description: Access a volume mounted in a container. - attck: - - id: T1613 - name: Container and Resource Discovery + references: + - type: ATTCK + id: T1613 + label: Container and Resource Discovery - label: VOLUME_DISCOVER description: Discover volumes mounted in a container. 
- attck: - - id: T1613 - name: Container and Resource Discovery + references: + - type: ATTCK + id: T1613 + label: Container and Resource Discovery # Define the properties for each edge in the graph. edgeProperties: []