Tactics: Persistence, Privilege Escalation

T1098.006: Additional Container Cluster Roles

T1098.006 · Sub-technique · 1 platform

Description

An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account.(Citation: Kubernetes RBAC)(Citation: Aquasec Kubernetes Attack 2023) Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.(Citation: Kubernetes ABAC) This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised.

Note that where container orchestration systems are deployed in cloud environments, as with Google Kubernetes Engine, Amazon Elastic Kubernetes Service, and Azure Kubernetes Service, cloud-based role-based access control (RBAC) assignments or ABAC policies can often be used in place of or in addition to local permission assignments.(Citation: Google Cloud Kubernetes IAM)(Citation: AWS EKS IAM Roles for Service Accounts)(Citation: Microsoft Azure Kubernetes Service Service Accounts) In these cases, this technique may be used in conjunction with Additional Cloud Roles.
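The RoleBinding and ClusterRoleBinding writes described above leave a trace in the Kubernetes API server audit log. The following is an added detection example, not code from the ATT&CK entry or from any cited project: it classifies constructed audit events in the audit.k8s.io/v1 shape, flagging create/update/patch operations on rolebindings and clusterrolebindings and raising the severity when the binding is cluster-wide or targets a broad built-in role such as cluster-admin. The field names follow the audit event format; the assumption that `requestObject` is present (audit policy level RequestResponse for RBAC resources) and the sample log lines are constructed for this example.

```python
import json

# API resources whose write operations grant permissions to a subject.
BINDING_RESOURCES = {"rolebindings", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch"}
# Built-in roles whose binding is an especially loud signal.
HIGH_RISK_ROLES = {"cluster-admin", "admin", "edit"}


def analyze_event(event):
    """Return a finding dict for an RBAC binding write, or None for anything else.

    Assumes the audit policy logs rbac.authorization.k8s.io resources at level
    RequestResponse, so requestObject carries roleRef and subjects. At Metadata
    level those fields are absent and are reported as "unknown".
    """
    # The API server emits one event per stage; only ResponseComplete has the outcome.
    if event.get("stage") != "ResponseComplete":
        return None
    ref = event.get("objectRef") or {}
    if ref.get("resource") not in BINDING_RESOURCES or event.get("verb") not in WRITE_VERBS:
        return None

    body = event.get("requestObject") or {}
    role = (body.get("roleRef") or {}).get("name", "unknown")
    subjects = [
        f"{s.get('kind')}/{s.get('namespace', '-')}/{s.get('name')}"
        for s in body.get("subjects", [])
    ] or ["unknown"]
    code = (event.get("responseStatus") or {}).get("code", 0)

    if code >= 400:
        severity = "attempt-denied"  # failed attempts still reveal intent
    elif ref["resource"] == "clusterrolebindings" or role in HIGH_RISK_ROLES:
        severity = "high"  # cluster-wide scope or a broad built-in role
    else:
        severity = "medium"

    return {
        "severity": severity,
        "actor": (event.get("user") or {}).get("username", "unknown"),
        "verb": event["verb"],
        "resource": ref["resource"],
        "name": ref.get("name", "unknown"),
        "namespace": ref.get("namespace", "-"),
        "role": role,
        "subjects": subjects,
    }


def analyze_log(text):
    """Run analyze_event over JSON-lines audit output, skipping unparsable lines."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = analyze_event(event)
        if finding:
            findings.append(finding)
    return findings


def _event(stage, verb, resource, user, code, name="x", namespace=None, body=None):
    """Build a constructed audit event in the audit.k8s.io/v1 shape (sample data)."""
    ref = {"apiGroup": "rbac.authorization.k8s.io", "resource": resource, "name": name}
    if namespace:
        ref["namespace"] = namespace
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage, "verb": verb,
          "user": {"username": user}, "objectRef": ref, "responseStatus": {"code": code}}
    if body is not None:
        ev["requestObject"] = body
    return ev


# Constructed sample log: a compromised service account binding itself to
# cluster-admin, a routine namespaced grant, a read, and a denied patch.
SA = "system:serviceaccount:default:web-sa"
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("RequestReceived", "create", "clusterrolebindings", SA, 0, "web-sa-admin"),
    _event("ResponseComplete", "create", "clusterrolebindings", SA, 201, "web-sa-admin",
           body={"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                 "subjects": [{"kind": "ServiceAccount", "namespace": "default", "name": "web-sa"}]}),
    _event("ResponseComplete", "create", "rolebindings", "alice", 201, "bob-reads-pods", "dev",
           body={"roleRef": {"kind": "Role", "name": "pod-reader"},
                 "subjects": [{"kind": "User", "name": "bob"}]}),
    _event("ResponseComplete", "get", "clusterrolebindings", "alice", 200, "web-sa-admin"),
    _event("ResponseComplete", "patch", "clusterrolebindings", SA, 403, "cluster-admin"),
]) + "\nthis line is not JSON\n"

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_AUDIT_LOG):
        print(f"[{f['severity']}] {f['actor']} {f['verb']} {f['resource']}/{f['name']} "
              f"role={f['role']} subjects={','.join(f['subjects'])}")
```

Denied attempts are kept as their own severity because a 403 on a ClusterRoleBinding patch from a service account is exactly the probing that precedes a successful grant. In managed clusters the same logic applies to the provider's IAM audit stream, where a cloud-side role assignment can substitute for the in-cluster binding.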

Platforms

Containers

Mitigations (2)

Multi-factor AuthenticationM1032

Require multi-factor authentication for user accounts integrated into container clusters through cloud deployments or via authentication protocols such as LDAP or SAML.

User Account ManagementM1018

Ensure that low-privileged accounts do not have permissions to add permissions to accounts or to update container cluster roles.
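"Permission to add permissions" in Kubernetes is wider than write access on bindings. RBAC's built-in escalation guards mean a subject can only create a binding to a role whose permissions it already holds unless it has the `bind` verb on that role, and can only widen a role beyond its own permissions if it has `escalate`; a wildcard `*` verb includes both. The following is an added audit example, not code from the ATT&CK entry or from any cited project: it walks a constructed `kubectl get clusterroles,roles -A -o json`-style list and reports every role that lets its holders grant permissions, so the review this mitigation asks for has something concrete to run. The sample roles and the helper names are constructed for this example.

```python
# Verbs and resources through which a role lets its holder grant permissions.
# Bindings and roles live only in the rbac.authorization.k8s.io API group.
RBAC_GROUPS = {"rbac.authorization.k8s.io", "*"}
BINDING_RESOURCES = {"rolebindings", "clusterrolebindings", "*"}
ROLE_RESOURCES = {"roles", "clusterroles", "*"}
GRANT_VERBS = {"create", "update", "patch", "*"}
ESCALATE_VERBS = {"bind", "escalate", "*"}


def risky_reasons(role):
    """Return the reasons a Role/ClusterRole object lets its holders grant permissions."""
    reasons = []
    for rule in role.get("rules", []):
        if not set(rule.get("apiGroups", [])) & RBAC_GROUPS:
            continue  # core-group or app-group rules cannot touch RBAC objects
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if resources & BINDING_RESOURCES and verbs & GRANT_VERBS:
            reasons.append("can create/modify RoleBindings or ClusterRoleBindings")
        if resources & ROLE_RESOURCES and verbs & ESCALATE_VERBS:
            # resourceNames may narrow this to specific roles; still review it
            reasons.append("has bind/escalate on Roles or ClusterRoles")
    return reasons


def audit_roles(role_list):
    """Map each risky role in a kubectl-style List to its reasons; key is [ns/]name."""
    findings = {}
    for item in role_list.get("items", []):
        meta = item.get("metadata", {})
        name = meta["name"] if "namespace" not in meta else f"{meta['namespace']}/{meta['name']}"
        reasons = risky_reasons(item)
        if reasons:
            findings[name] = reasons
    return findings


def _role(kind, name, rules, namespace=None):
    """Build a constructed Role/ClusterRole object (sample data)."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {"kind": kind, "apiVersion": "rbac.authorization.k8s.io/v1",
            "metadata": meta, "rules": rules}


# Constructed sample in the shape of `kubectl get clusterroles,roles -A -o json`.
SAMPLE_ROLES = {"kind": "List", "apiVersion": "v1", "items": [
    _role("ClusterRole", "cluster-admin",
          [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    # A CI role that looks harmless until you notice it can hand out RoleBindings.
    _role("Role", "ci-deployer",
          [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create", "update"]},
           {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["rolebindings"],
            "verbs": ["create"]}],
          namespace="ci"),
    _role("Role", "pod-reader",
          [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
          namespace="dev"),
    # Read-only view of RBAC objects grants nothing and should not be flagged.
    _role("ClusterRole", "rbac-auditor",
          [{"apiGroups": ["rbac.authorization.k8s.io"],
            "resources": ["roles", "clusterroles", "rolebindings", "clusterrolebindings"],
            "verbs": ["get", "list", "watch"]}]),
]}

if __name__ == "__main__":
    for name, reasons in audit_roles(SAMPLE_ROLES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A flagged role is not automatically wrong (cluster-admin is supposed to be able to do this); the point is that every flagged role, and every subject bound to it, should be on a short, reviewed list, because those are the accounts an adversary needs to control to carry out this sub-technique.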

Frequently Asked Questions

What is T1098.006 (Additional Container Cluster Roles)?

T1098.006 is a MITRE ATT&CK sub-technique named 'Additional Container Cluster Roles'. It belongs to the Persistence and Privilege Escalation tactics. An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account.

How can T1098.006 be detected?

Detection of T1098.006 (Additional Container Cluster Roles) centres on the orchestrator's control plane rather than on endpoints. Enable Kubernetes API server audit logging and alert on create, update and patch operations against rolebindings and clusterrolebindings (and on changes to the ABAC policy file where ABAC is used), paying particular attention to bindings to cluster-admin or other broad roles, to bindings whose subject is a service account, and to bindings created by service accounts or by recently created accounts. In managed clusters (GKE, EKS, AKS), correlate this with the cloud provider's IAM audit logs, since a cloud-side role assignment can grant equivalent access without any in-cluster binding.

What mitigations exist for T1098.006?

There are 2 documented mitigations for T1098.006. Key mitigations include: Multi-factor Authentication, User Account Management.

Which threat groups use T1098.006?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.