Merge pull request #312 from Zenithar/zenithar/feat_graph_embed_mitre…

…_attck feat(graph): embed MITRE Attck technique and tactic into edges
DataDog · Jan 9, 2025 · 4474f1f · 4474f1f
2 parents ce11f9c + 24f655c
commit 4474f1f
Show file tree

Hide file tree

Showing 67 changed files with 780 additions and 208 deletions.
diff --git a/deployments/kubehound/graph/kubehound-db-init.groovy b/deployments/kubehound/graph/kubehound-db-init.groovy
@@ -40,8 +40,8 @@ mgmt.addConnection(hostRead, volume, node);
 hostTraverse = mgmt.makeEdgeLabel('EXPLOIT_HOST_TRAVERSE').multiplicity(MULTI).make();
 mgmt.addConnection(hostTraverse, volume, volume);
 
-sharedPs = mgmt.makeEdgeLabel('SHARE_PS_NAMESPACE').multiplicity(MULTI).make();
-mgmt.addConnection(sharedPs, container, container);
+sharedPsNamespace = mgmt.makeEdgeLabel('SHARE_PS_NAMESPACE').multiplicity(MULTI).make();
+mgmt.addConnection(sharedPsNamespace, container, container);
 
 containerAttach = mgmt.makeEdgeLabel('CONTAINER_ATTACH').multiplicity(ONE2MANY).make();
 mgmt.addConnection(containerAttach, pod, container);
@@ -149,6 +149,9 @@ protocol = mgmt.makePropertyKey('protocol').dataType(String.class).cardinality(C
 role = mgmt.makePropertyKey('role').dataType(String.class).cardinality(Cardinality.SINGLE).make();
 roleBinding = mgmt.makePropertyKey('roleBinding').dataType(String.class).cardinality(Cardinality.SINGLE).make();
 
+// All edge properties
+attckTechniqueID = mgmt.makePropertyKey('attckTechniqueID').dataType(String.class).cardinality(Cardinality.SINGLE).make();
+attckTacticID = mgmt.makePropertyKey('attckTacticID').dataType(String.class).cardinality(Cardinality.SINGLE).make();
 
 // Define properties for each vertex 
 mgmt.addProperties(container, cls, cluster, runID, storeID, app, team, service, isNamespaced, namespace, name, image, privileged, privesc, hostPid, hostIpc, hostNetwork, runAsUser, podName, nodeName, compromised, command, args, capabilities, ports);
@@ -159,6 +162,32 @@ mgmt.addProperties(permissionSet, cls, cluster, runID, storeID, app, team, servi
 mgmt.addProperties(volume, cls, cluster, runID, storeID, app, team, service, name, isNamespaced, namespace, type, sourcePath, mountPath, readonly);
 mgmt.addProperties(endpoint, cls, cluster, runID, storeID, app, team, service, name, isNamespaced, namespace, serviceEndpoint, serviceDns, addressType, addresses, port, portName, protocol, exposure, compromised);
 
+// Define properties for each edge
+mgmt.addProperties(permissionDiscover, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(volumeDiscover, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(volumeAccess, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(hostWrite, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(hostRead, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(hostTraverse, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(sharedPsNamespace, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(containerAttach, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(idAssume, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(idImpersonate, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(roleBind, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(podAttach, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(podCreate, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(podPatch, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(podExec, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(tokenSteal, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(tokenBruteforce, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(tokenList, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(nsenter, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(moduleLoad, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(umhCorePattern, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(privMount, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(sysPtrace, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(varLogSymLink, runID, attckTechniqueID, attckTacticID);
+mgmt.addProperties(endpointExploit, runID, attckTechniqueID, attckTacticID);
 
 // Create the indexes on vertex properties
 // NOTE: labels cannot be indexed so we create the class property to mirror the vertex label and allow indexing
@@ -190,6 +219,11 @@ mgmt.buildIndex('byImageAndRunIDComposite', Vertex.class).addKey(image).addKey(r
 mgmt.buildIndex('byAppAndRunIDComposite', Vertex.class).addKey(app).addKey(runID).buildCompositeIndex();
 mgmt.buildIndex('byNamespaceAndRunIDComposite', Vertex.class).addKey(namespace).addKey(runID).buildCompositeIndex();
 
+// Create the indexes on edge properties
+mgmt.buildIndex('edgesByAttckTechniqueID', Edge.class).addKey(attckTechniqueID).buildCompositeIndex();
+mgmt.buildIndex('edgesByAttckTacticID', Edge.class).addKey(attckTacticID).buildCompositeIndex();
+mgmt.buildIndex('edgesByRunID', Edge.class).addKey(runID).buildCompositeIndex();
+
 mgmt.commit();
 
 // Wait for indexes to become available
@@ -220,6 +254,10 @@ ManagementSystem.awaitGraphIndexStatus(graph, 'byImageAndRunIDComposite').status
 ManagementSystem.awaitGraphIndexStatus(graph, 'byAppAndRunIDComposite').status(SchemaStatus.ENABLED).call();
 ManagementSystem.awaitGraphIndexStatus(graph, 'byNamespaceAndRunIDComposite').status(SchemaStatus.ENABLED).call();
 
+ManagementSystem.awaitGraphIndexStatus(graph, 'edgesByAttckTechniqueID').status(SchemaStatus.ENABLED).call();
+ManagementSystem.awaitGraphIndexStatus(graph, 'edgesByAttckTacticID').status(SchemaStatus.ENABLED).call();
+ManagementSystem.awaitGraphIndexStatus(graph, 'edgesByRunID').status(SchemaStatus.ENABLED).call();
+
 System.out.println("[KUBEHOUND] graph schema and indexes ready");
 mgmt.close();
 

diff --git a/docs/reference/attacks/CE_MODULE_LOAD.md b/docs/reference/attacks/CE_MODULE_LOAD.md
@@ -11,7 +11,7 @@ mitreAttackTactic: TA0004 - Privilege escalation
 
 # CE_MODULE_LOAD
 
-| Source                                | Destination                 | MITRE                                                               |
+| Source                                | Destination                 | MITRE ATT&CK                                                        |
 | ------------------------------------- | --------------------------- | ------------------------------------------------------------------- |
 | [Container](../entities/container.md) | [Node](../entities/node.md) | [Escape to Host, T1611](https://attack.mitre.org/techniques/T1611/) |
 

diff --git a/docs/reference/attacks/CE_NSENTER.md b/docs/reference/attacks/CE_NSENTER.md
@@ -11,7 +11,7 @@ mitreAttackTactic: TA0004 - Privilege escalation
 
 # CE_NSENTER
 
-| Source                                | Destination                 | MITRE                                                               |
+| Source                                | Destination                 | MITRE ATT&CK                                                        |
 | ------------------------------------- | --------------------------- | ------------------------------------------------------------------- |
 | [Container](../entities/container.md) | [Node](../entities/node.md) | [Escape to Host, T1611](https://attack.mitre.org/techniques/T1611/) |
 

diff --git a/docs/reference/attacks/CE_PRIV_MOUNT.md b/docs/reference/attacks/CE_PRIV_MOUNT.md
@@ -11,7 +11,7 @@ mitreAttackTactic: TA0004 - Privilege escalation
 
 # CE_PRIV_MOUNT
 
-| Source                                | Destination                 | MITRE                                                               |
+| Source                                | Destination                 | MITRE ATT&CK                                                        |
 | ------------------------------------- | --------------------------- | ------------------------------------------------------------------- |
 | [Container](../entities/container.md) | [Node](../entities/node.md) | [Escape to Host, T1611](https://attack.mitre.org/techniques/T1611/) |
 

diff --git a/docs/reference/attacks/CE_SYS_PTRACE.md b/docs/reference/attacks/CE_SYS_PTRACE.md
@@ -11,7 +11,7 @@ mitreAttackTactic: TA0004 - Privilege escalation
 
 # CE_SYS_PTRACE
 
-| Source                                | Destination                 | MITRE                                                               |
+| Source                                | Destination                 | MITRE ATT&CK                                                        |
 | ------------------------------------- | --------------------------- | ------------------------------------------------------------------- |
 | [Container](../entities/container.md) | [Node](../entities/node.md) | [Escape to Host, T1611](https://attack.mitre.org/techniques/T1611/) |
 

diff --git a/docs/reference/attacks/CE_UMH_CORE_PATTERN.md b/docs/reference/attacks/CE_UMH_CORE_PATTERN.md
@@ -9,7 +9,7 @@ mitreAttackTactic: TA0004 - Privilege escalation
 
 Container escape via the `core_pattern` `usermode_helper` in the case of an exposed `/proc` mount.
 
-| Source                                | Destination                 | MITRE                                                               |
+| Source                                | Destination                 | MITRE ATT&CK                                                        |
 | ------------------------------------- | --------------------------- | ------------------------------------------------------------------- |
 | [Container](../entities/container.md) | [Node](../entities/node.md) | [Escape to Host, T1611](https://attack.mitre.org/techniques/T1611/) |
 

diff --git a/docs/reference/attacks/CE_VAR_LOG_SYMLINK.md b/docs/reference/attacks/CE_VAR_LOG_SYMLINK.md
@@ -5,13 +5,13 @@ title: CE_VAR_LOG_SYMLINK
 <!--
 id: CE_VAR_LOG_SYMLINK
 name: "Arbitrary file reads on the host"
-mitreAttackTechnique: T1552 - Unsecured Credentials
-mitreAttackTactic: TA0006 - Credential Access
+mitreAttackTechnique: T1611 - Escape to host
+mitreAttackTactic: TA0004 - Privilege escalation
 -->
 
 # CE_VAR_LOG_SYMLINK
 
-| Source                                | Destination                 | MITRE                                                               |
+| Source                                | Destination                 | MITRE ATT&CK                                                        |
 | ------------------------------------- | --------------------------- | ------------------------------------------------------------------- |
 | [Container](../entities/container.md) | [Node](../entities/node.md) | [Escape to Host, T1611](https://attack.mitre.org/techniques/T1611/) |
 

diff --git a/docs/reference/attacks/CONTAINER_ATTACH.md b/docs/reference/attacks/CONTAINER_ATTACH.md
@@ -5,15 +5,15 @@ title: CONTAINER_ATTACH
 <!--
 id: CONTAINER_ATTACH
 name: "Attach to running container"
-mitreAttackTechnique: N/A - N/A
-mitreAttackTactic: TA0008 - Lateral Movement
+mitreAttackTechnique: T1609 - Container Administration Command
+mitreAttackTactic: TA0002 - Execution
 -->
 
 # CONTAINER_ATTACH
 
-| Source                    | Destination                           | MITRE                                                                |
+| Source                    | Destination                           | MITRE ATT&CK                                                         |
 | ------------------------- | ------------------------------------- | -------------------------------------------------------------------- |
-| [Pod](../entities/pod.md) | [Container](../entities/container.md) | [Lateral Movement, TA0008](https://attack.mitre.org/tactics/TA0008/) |
+| [Pod](../entities/pod.md) | [Container](../entities/container.md) | [Container Administration Command, T1609](https://attack.mitre.org/techniques/T1609/) |
 
 Attach to a container running within a pod given access to the pod.
 

diff --git a/docs/reference/attacks/ENDPOINT_EXPLOIT.md b/docs/reference/attacks/ENDPOINT_EXPLOIT.md
@@ -12,7 +12,7 @@ mitreAttackTactic: TA0008 - Lateral Movement
 
 Represents a network endpoint exposed by a container that could be exploited by an attacker (via means known or unknown). This can correspond to a Kubernetes service, node service, node port, or container port.
 
-| Source                              | Destination                           | MITRE                                                                                |
+| Source                              | Destination                           | MITRE ATT&CK                                                                         |
 | ----------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------------ |
 | [Endpoint](../entities/endpoint.md) | [Container](../entities/container.md) | [Exploitation of Remote Services, T1210](https://attack.mitre.org/techniques/T1210/) |
 

diff --git a/docs/reference/attacks/EXPLOIT_CONTAINERD_SOCK.md b/docs/reference/attacks/EXPLOIT_CONTAINERD_SOCK.md
@@ -5,18 +5,23 @@ title: EXPLOIT_CONTAINERD_SOCK
 <!--
 id: EXPLOIT_CONTAINERD_SOCK
 name: "Container escape: Through mounted container runtime socket"
-mitreAttackTechnique: N/A - N/A
-mitreAttackTactic: TA0008 - Lateral Movement
+mitreAttackTechnique: T1610 - Deploy Container
+mitreAttackTactic: TA0002 - Execution
+coverage: None
 -->
 
 # EXPLOIT_CONTAINERD_SOCK
 
-| Source                                | Destination                           | MITRE                                                                |
+| Source                                | Destination                           | MITRE ATT&CK                                                         |
 | ------------------------------------- | ------------------------------------- | -------------------------------------------------------------------- |
-| [Container](../entities/container.md) | [Container](../entities/container.md) | [Lateral Movement, TA0008](https://attack.mitre.org/tactics/TA0008/) |
+| [Container](../entities/container.md) | [Container](../entities/container.md) | [Deploy Container, T1610](https://attack.mitre.org/techniques/T1610/) |
 
 Container escape via the `containerd.sock` file that allows executing a binary into another container.
 
+!!! warning
+
+    This attack detection is currently __NOT IMPLEMENTED__.
+
 ## Details
 
 When the `containerd.sock` (or other equivalent - see the list below) is mounted inside a container, it allows the container to interact with container runtime. Therefore an attacker can execute any command in any container present in the cluster. This allows an attacker to do some lateral movement across the cluster. 

diff --git a/docs/reference/attacks/EXPLOIT_HOST_READ.md b/docs/reference/attacks/EXPLOIT_HOST_READ.md
@@ -11,7 +11,7 @@ mitreAttackTactic: TA0004 - Privilege escalation
 
 # EXPLOIT_HOST_READ
 
-| Source                                | Destination                 | MITRE                                                               |
+| Source                                | Destination                 | MITRE ATT&CK                                                        |
 | ------------------------------------- | --------------------------- | ------------------------------------------------------------------- |
 | [Container](../entities/container.md) | [Node](../entities/node.md) | [Escape to Host, T1611](https://attack.mitre.org/techniques/T1611/) |
 

diff --git a/docs/reference/attacks/EXPLOIT_HOST_TRAVERSE.md b/docs/reference/attacks/EXPLOIT_HOST_TRAVERSE.md
@@ -11,7 +11,7 @@ mitreAttackTactic: TA0006 - Credential Access
 
 # EXPLOIT_HOST_TRAVERSE
 
-| Source                          | Destination                     | MITRE                                                                      |
+| Source                          | Destination                     | MITRE ATT&CK                                                               |
 | ------------------------------- | ------------------------------- | -------------------------------------------------------------------------- |
 | [Volume](../entities/volume.md) | [Volume](../entities/volume.md) | [Unsecured Credentials, T1552](https://attack.mitre.org/techniques/T1552/) |
 

diff --git a/docs/reference/attacks/EXPLOIT_HOST_WRITE.md b/docs/reference/attacks/EXPLOIT_HOST_WRITE.md
@@ -11,7 +11,7 @@ mitreAttackTactic: TA0004 - Privilege escalation
 
 # EXPLOIT_HOST_WRITE
 
-| Source                                | Destination                 | MITRE                                                               |
+| Source                                | Destination                 | MITRE ATT&CK                                                        |
 | ------------------------------------- | --------------------------- | ------------------------------------------------------------------- |
 | [Container](../entities/container.md) | [Node](../entities/node.md) | [Escape to Host, T1611](https://attack.mitre.org/techniques/T1611/) |
 

diff --git a/docs/reference/attacks/IDENTITY_ASSUME.md b/docs/reference/attacks/IDENTITY_ASSUME.md
@@ -11,7 +11,7 @@ mitreAttackTactic: TA0004 - Privilege escalation
 
 # IDENTITY_ASSUME
 
-| Source                                                             | Destination                         | MITRE                                                               |
+| Source                                                             | Destination                         | MITRE ATT&CK                                                        |
 | ------------------------------------------------------------------ | ----------------------------------- | ------------------------------------------------------------------- |
 | [Container](../entities/container.md), [Node](../entities/node.md) | [Identity](../entities/identity.md) | [Valid Accounts, T1078](https://attack.mitre.org/techniques/T1078/) |
 

diff --git a/docs/reference/attacks/IDENTITY_IMPERSONATE.md b/docs/reference/attacks/IDENTITY_IMPERSONATE.md
@@ -3,16 +3,21 @@ id: IDENTITY_IMPERSONATE
 name: "Impersonate user/group"
 mitreAttackTechnique: T1078 - Valid Accounts
 mitreAttackTactic: TA0004 - Privilege escalation
+coverage: None
 -->
 
 # IDENTITY_IMPERSONATE
 
 With a [user impersonation privilege](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) an attacker can impersonate a more privileged account.
 
-| Source                                        | Destination                         | MITRE                                                               |
+| Source                                        | Destination                         | MITRE ATT&CK                                                        |
 | --------------------------------------------- | ----------------------------------- | ------------------------------------------------------------------- |
 | [PermissionSet](../entities/permissionset.md) | [Identity](../entities/identity.md) | [Valid Accounts, T1078](https://attack.mitre.org/techniques/T1078/) |
 
+!!! warning
+
+    This attack detection is currently __NOT IMPLEMENTED__.
+
 ## Details
 
 Obtaining the `impersonate users/groups` permission will allow an attacker to execute K8s API actions on behalf of another user, including those with `cluster-admin` rights, and other highly privileged users.
@@ -37,7 +42,7 @@ kubectl auth can-i impersonate groups
 Execute any action in the K8s API impersonating a privileged group (e.g `system:masters`) or user using the syntax:
 
 ```bash
-$ kubectl <verb> <noun> –as=null –as-group=system:masters -o json | jq
+$ kubectl <verb> <noun> -as=null -as-group=system:masters -o json | jq
 ```
 
 ## Defences

diff --git a/docs/reference/attacks/PERMISSION_DISCOVER.md b/docs/reference/attacks/PERMISSION_DISCOVER.md
@@ -13,7 +13,7 @@ mitreAttackTactic: TA0007 - Discovery
 
 Represents the permissions granted to an identity that can be discovered by an attacker.
 
-| Source                              | Destination                                   | MITRE                                                                            |
+| Source                              | Destination                                   | MITRE ATT&CK                                                                     |
 | ----------------------------------- | --------------------------------------------- | -------------------------------------------------------------------------------- |
 | [Identity](../entities/identity.md) | [PermissionSet](../entities/permissionset.md) | [Permission Groups Discovery, T1069](https://attack.mitre.org/techniques/T1078/) |
 

diff --git a/docs/reference/attacks/POD_ATTACH.md b/docs/reference/attacks/POD_ATTACH.md
@@ -5,15 +5,15 @@ title: POD_ATTACH
 <!--
 id: POD_ATTACH
 name: "Attach to running pod"
-mitreAttackTechnique: N/A
-mitreAttackTactic: TA0008 - Lateral Movement
+mitreAttackTechnique: T1609 - Container Administration Command
+mitreAttackTactic: TA0002 - Execution
 -->
 
 # POD_ATTACH
 
-| Source                      | Destination               | MITRE                                                                |
+| Source                      | Destination               | MITRE ATT&CK                                                         |
 | --------------------------- | ------------------------- | -------------------------------------------------------------------- |
-| [Node](../entities/node.md) | [Pod](../entities/pod.md) | [Lateral Movement, TA0008](https://attack.mitre.org/tactics/TA0008/) |
+| [Node](../entities/node.md) | [Pod](../entities/pod.md) | [Container Administration Command, T1609](https://attack.mitre.org/tactics/T1609/) |
 
 Attach to a running K8s pod from a K8s node.