Merge pull request #311 from DataDog/zenithar/chore_add_attck_ref_to_…
…schema

feat(graph): document mitre attck in schema.
Zenithar authored Jan 7, 2025
2 parents 7e539a6 + 86793d3 commit ce11f9c
Showing 2 changed files with 136 additions and 1 deletion.
33 changes: 32 additions & 1 deletion docs/reference/graph/graph.schema.json
Expand Up @@ -102,11 +102,18 @@
},
"description": {
"type": "string"
},
"references": {
"type": "array",
"items": {
"$ref": "#/definitions/StandardRef"
}
}
},
"required": [
"description",
"label"
"label",
"references"
],
"title": "Edge"
},
Expand Down Expand Up @@ -218,6 +225,30 @@
],
"title": "From"
},
"StandardRef": {
"type": "object",
"additionalProperties": false,
"properties": {
"type": {
"type": "string",
"enum": [
"ATTCK",
"URL"
]
},
"id": {
"type": "string"
},
"label": {
"type": "string"
}
},
"required": [
"type",
"id"
],
"title": "StandardRef"
},
"Type": {
"type": "string",
"enum": [
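Review bot: The `id` property of the new `StandardRef` definition is an unconstrained string, so a mistyped technique id (a missing digit, a lower-case `t1611`) or a bare hostname under `type: URL` validates cleanly; the only thing the schema pins is the `type` enum. If the schema is draft-07 or later, a conditional subschema on `type` can restrict ATT&CK ids to the `T1234`, `T1234.001` and `TA0001` shapes and URL ids to `format: uri` (keeping in mind that `format` is only asserted when the validator enables it). The `Edge` definition in the first hunk begins outside the hunk; making `references` required there is safe because the YAML hunk in this commit populates it for every edge, but `"minItems": 1` would stop an empty `references: []` from satisfying the new requirement. A `description` on `StandardRef` saying that `label` is the human-readable name of the referenced entry would also help, since `label` is optional here but always supplied in the YAML.
```json
      "required": [
        "type",
        "id"
      ],
      "if": { "properties": { "type": { "const": "ATTCK" } } },
      "then": { "properties": { "id": { "pattern": "^(TA[0-9]{4}|T[0-9]{4}(\\.[0-9]{3})?)$" } } },
      "else": { "properties": { "id": { "format": "uri" } } },
      "title": "StandardRef"
```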
104 changes: 104 additions & 0 deletions docs/reference/graph/graph.yaml
Expand Up @@ -412,76 +412,180 @@ spec:
edges:
- label: CE_MODULE_LOAD
description: A container can load a kernel module on the node.
references:
- type: ATTCK
id: T1611
label: Escape to Host
- label: CE_NSENTER
description: >-
Container escape via the nsenter built-in linux program that allows
executing a binary into another namespace.
references:
- type: ATTCK
id: T1611
label: Escape to Host
- label: CE_PRIV_MOUNT
description: >-
Mount the host disk and gain access to the host via arbitrary filesystem
write
references:
- type: ATTCK
id: T1611
label: Escape to Host
- label: CE_SYS_TRACE
description: >-
Given the requisite capabilities, abuse the legitimate OS debugging
mechanisms to escape the container via attaching to a node process.
references:
- type: ATTCK
id: T1611
label: Escape to Host
- label: CE_UMH_CORE_PATTERN
description: >-
Abuse the User Mode Helper (UMH) mechanism to execute arbitrary code in
the host.
references:
- type: ATTCK
id: T1611
label: Escape to Host
- label: CE_VAR_LOG_SYMLINK
description: Abuse the /var/log symlink to gain access to the host filesystem.
references:
- type: ATTCK
id: T1611
label: Escape to Host
- label: EXPLOIT_HOST_READ
description: Read sensitive files on the host.
references:
- type: ATTCK
id: T1611
label: Escape to Host
- label: EXPLOIT_HOST_WRITE
description: Write sensitive files on the host.
references:
- type: ATTCK
id: T1611
label: Escape to Host
- label: EXPLOIT_CONTAINERD_SOCK
description: Exploit the containerd socket to gain access to the host.
references:
- type: ATTCK
id: TA0008
label: Lateral Movement
- label: IDENTITY_ASSUME
description: >-
Represents the capacity to act as an Identity via ownership of a service
account token, user PKI certificate, etc.
references:
- type: ATTCK
id: T1078
label: Valid Accounts
- label: CONTAINER_ATTACH
description: >-
Attach to a running container to execute commands or inspect the
container.
references:
- type: ATTCK
id: TA0008
label: Lateral Movement
- label: ENDPOINT_EXPLOIT
description: >-
Represents a network endpoint exposed by a container that could be
exploited by an attacker (via means known or unknown). This can correspond
to a Kubernetes service, node service, node port, or container port.
references:
- type: ATTCK
id: T1210
label: Exploitation of Remote Services
- label: PERMISSION_DISCOVER
description: Discover permissions granted to an identity.
references:
- type: ATTCK
id: T1069
label: Permission Groups Discovery
- label: EXPLOIT_HOST_TRAVERSE
description: >-
This attack represents the ability to steal a K8s API token from a
container via access to a mounted parent volume of the
/var/lib/kubelet/pods directory.
references:
- type: ATTCK
id: T1552
label: Unsecured Credentials
- label: TOKEN_STEAL
description: >-
This attack represents the ability to steal a K8s API token from an
accessible volume.
references:
- type: ATTCK
id: T1552
label: Unsecured Credentials
- label: ROLE_BIND
description: Bind a role to an identity.
references:
- type: ATTCK
id: T1078
label: Valid Accounts
- label: IDENTITY_IMPERSONATE
description: Impersonate an identity.
references:
- type: ATTCK
id: T1078
label: Valid Accounts
- label: POD_ATTACH
description: Attach to a running pod to execute commands or inspect the pod.
references:
- type: ATTCK
id: TA0008
label: Lateral Movement
- label: POD_CREATE
description: Create a pod on a node.
references:
- type: ATTCK
id: TA0008
label: Lateral Movement
- label: POD_EXEC
description: Execute a command in a pod.
references:
- type: ATTCK
id: TA0008
label: Lateral Movement
- label: POD_PATCH
description: Patch a pod on a node.
references:
- type: ATTCK
id: TA0008
label: Lateral Movement
- label: SHARE_PS_NAMESPACE
description: All containers in a pod share the same process namespace.
references:
- type: ATTCK
id: TA0008
label: Lateral Movement
- label: TOKEN_BRUTEFORCE
description: Bruteforce a token.
references:
- type: ATTCK
id: T1528
label: Steal Application Access Token
- label: TOKEN_LIST
description: List tokens.
references:
- type: ATTCK
id: T1528
label: Steal Application Access Token
- label: VOLUME_ACCESS
description: Access a volume mounted in a container.
references:
- type: ATTCK
id: T1613
label: Container and Resource Discovery
- label: VOLUME_DISCOVER
description: Discover volumes mounted in a container.
references:
- type: ATTCK
id: T1613
label: Container and Resource Discovery

# Define the properties for each edge in the graph.
edgeProperties: []
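Review bot: The new `references` entries mix ATT&CK tactic ids and technique ids under the same `type: ATTCK` — `TA0008` on EXPLOIT_CONTAINERD_SOCK, CONTAINER_ATTACH, POD_ATTACH, POD_CREATE, POD_EXEC, POD_PATCH and SHARE_PS_NAMESPACE, `T…` ids everywhere else — and nothing in an entry says which kind it holds, so anything that renders links or groups edges by technique has to sniff the id prefix. Where a technique fits it is the more useful reference: POD_EXEC, POD_ATTACH and CONTAINER_ATTACH look like T1609 (Container Administration Command) and POD_CREATE like T1610 (Deploy Container); where a tactic-level mapping is intentional, a comment above `edges:` such as `# ATT&CK ids are Enterprise-matrix technique (T…) or tactic (TA…) ids; label is the ATT&CK name at the time of mapping.` would record that. EXPLOIT_CONTAINERD_SOCK's description says "gain access to the host", which the sibling host-access edges map to T1611 rather than Lateral Movement, so that mapping seems worth a second look. The `label` values duplicate ATT&CK's own names and will drift silently when ATT&CK renames an entry, which is another reason to treat the id as authoritative and the label as informational. The enclosing `spec:` mapping begins outside the hunk.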
