
Dump All Secrets

idempotent

Platform: Kubernetes

MITRE ATT&CK Tactics

  • Credential Access

Description

Dumps all Secrets from a Kubernetes cluster. This allows an attacker holding the `list` permission on `secrets` at cluster scope (for example through the `cluster-admin` role) to trivially read every Secret in the cluster, regardless of namespace, in a single request.

Warm-up: None

Detonation:

  • Dump secrets using the LIST /api/v1/secrets API (the same request `kubectl get secrets --all-namespaces` issues)
  • This returns all Secrets in the cluster, regardless of their namespace, because the request is not scoped to `/api/v1/namespaces/<namespace>/secrets`


Instructions

Detonate with Stratus Red Team
stratus detonate k8s.credential-access.dump-secrets

Detection

Use Kubernetes API server audit logs. In particular, look for `list` requests on the `secrets` resource that are not scoped to a specific namespace, i.e. that apply to all namespaces: in the raw audit event the verb is `list`, `objectRef.resource` is `secrets`, `objectRef` carries no `namespace` field, and the request URI is `/api/v1/secrets` rather than `/api/v1/namespaces/<namespace>/secrets`. This requires an audit policy that records Secret requests at least at the `Metadata` level; the `Metadata` level is sufficient and avoids writing Secret contents into the audit log.

Sample event (shortened):

{
  "apiVersion": "audit.k8s.io/v1",
  "stage": "ResponseComplete",
  "kind": "Event",
  "level": "Metadata",
  "requestURI": "/api/v1/secrets?limit=500",
  "attributes": {
    "objectRef": {
      "resource": "secrets",
      "apiVersion": "v1"
    },
    "http": {
      "url_details": {
        "path": "/api/v1/secrets",
        "queryString": {
          "limit": "500"
        }
      },
      "method": "list"
    }
  }
}

Some built-in Kubernetes components legitimately list Secrets across all namespaces and might need to be excluded from such a detection (the exact service account names depend on the cluster and what is installed):

  • namespace-controller
  • kube-state-metrics
  • apiserver
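The detection described above, as an added example that is not part of this page or of Stratus Red Team: it reads raw `audit.k8s.io/v1` events as JSON lines (the API server's log or webhook backend format, not the Datadog-normalized shape of the sample event above), flags cluster-wide `list` requests on `secrets`, and drops the built-in principals listed above. The service account usernames in the allowlist and every username, IP and user agent in the sample log are constructed assumptions; adjust the allowlist to your cluster.

```python
"""Detect cluster-wide Secret enumeration in Kubernetes API server audit logs.

Added example for this page; it is not code from Stratus Red Team. It reads
raw audit.k8s.io/v1 events (JSON lines, as emitted by the API server's log or
webhook audit backend) and flags `list` requests on the `secrets` resource
that carry no namespace, which is exactly what the LIST /api/v1/secrets
detonation produces. Usernames, IPs and user agents below are constructed.
"""
import json

# Built-in principals that legitimately list Secrets across all namespaces.
# The page names namespace-controller, kube-state-metrics and the apiserver;
# the exact usernames are cluster-specific, so treat these as a starting point.
DEFAULT_ALLOWLIST = {
    "system:serviceaccount:kube-system:namespace-controller",
    "system:serviceaccount:kube-system:kube-state-metrics",
    "system:apiserver",
}


def is_cluster_wide_secret_list(event: dict) -> bool:
    """True for a completed `list` of `secrets` that is not scoped to a namespace."""
    # Each request is logged twice (RequestReceived, ResponseComplete); keep one.
    if event.get("kind") != "Event" or event.get("stage") != "ResponseComplete":
        return False
    obj = event.get("objectRef") or {}
    if event.get("verb") != "list" or obj.get("resource") != "secrets":
        return False
    # A namespaced list sets objectRef.namespace and uses
    # /api/v1/namespaces/<ns>/secrets; a cluster-wide list has neither.
    return "namespace" not in obj and event.get("requestURI", "").startswith("/api/v1/secrets")


def detect(lines, allowlist=frozenset(DEFAULT_ALLOWLIST)):
    """Return one finding per non-allowlisted cluster-wide Secret list in a JSON-lines log."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if not is_cluster_wide_secret_list(event):
            continue
        user = event.get("user", {}).get("username", "<unknown>")
        if user in allowlist:
            continue
        findings.append({
            "user": user,
            "source_ips": event.get("sourceIPs", []),
            "user_agent": event.get("userAgent", ""),
            "request_uri": event.get("requestURI", ""),
            # A 403 here still matters: it shows someone probing for the permission.
            "status": event.get("responseStatus", {}).get("code"),
        })
    return findings


def make_event(stage, verb, uri, user, resource="secrets", namespace=None, code=200):
    """Build a minimal constructed audit event in audit.k8s.io/v1 shape."""
    obj = {"resource": resource, "apiVersion": "v1"}
    if namespace:
        obj["namespace"] = namespace
    return {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "stage": stage, "verb": verb, "requestURI": uri,
        "user": {"username": user}, "sourceIPs": ["203.0.113.7"],
        "userAgent": "kubectl/v1.29.0 (linux/amd64)",
        "objectRef": obj, "responseStatus": {"code": code},
    }


# Constructed sample log: one detonation, plus benign and system traffic.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    make_event("RequestReceived", "list", "/api/v1/secrets?limit=500", "pentester"),
    make_event("ResponseComplete", "list", "/api/v1/secrets?limit=500", "pentester"),
    make_event("ResponseComplete", "list", "/api/v1/namespaces/default/secrets",
               "developer", namespace="default"),
    make_event("ResponseComplete", "get", "/api/v1/namespaces/default/secrets/db-creds",
               "developer", namespace="default"),
    make_event("ResponseComplete", "list", "/api/v1/secrets?limit=500",
               "system:serviceaccount:kube-system:kube-state-metrics"),
    make_event("ResponseComplete", "list", "/api/v1/configmaps", "pentester",
               resource="configmaps"),
])

if __name__ == "__main__":
    for finding in detect(SAMPLE_AUDIT_LOG.splitlines()):
        print(json.dumps(finding))
```

Run against the constructed log, only the `pentester` request is reported: the namespaced list, the single-object `get`, the ConfigMap list and the allowlisted kube-state-metrics request are all dropped, and the duplicate `RequestReceived` stage is ignored so each request counts once. Feed it a real audit log with `detect(open("audit.log"))` after tuning `DEFAULT_ALLOWLIST`.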