Application exploit (RCE)

Info

ID: MS-TA9009
Tactic: Execution
MITRE technique: T1190

An application that is deployed in the cluster and is vulnerable to remote code execution, or to a vulnerability that eventually allows code execution, enables attackers to run code in the cluster. If a service account is mounted to the container (the default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account's credentials.
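To see which workloads carry that default exposure, the following added example (not part of the original page) lists pods that get a service account token mounted automatically. It assumes input in the shape of `kubectl get pods,serviceaccounts -A -o json`; the sample objects and the function name `pods_with_token` are constructed for illustration.

```python
import json

# Constructed sample in the shape of `kubectl get pods,serviceaccounts -A -o json`
SAMPLE = json.loads("""
{"items": [
 {"kind": "ServiceAccount", "metadata": {"namespace": "shop", "name": "web-sa"},
  "automountServiceAccountToken": false},
 {"kind": "Pod", "metadata": {"namespace": "shop", "name": "web"},
  "spec": {"serviceAccountName": "web-sa"}},
 {"kind": "Pod", "metadata": {"namespace": "shop", "name": "worker"},
  "spec": {"serviceAccountName": "web-sa", "automountServiceAccountToken": true}},
 {"kind": "Pod", "metadata": {"namespace": "shop", "name": "cache"},
  "spec": {}},
 {"kind": "Pod", "metadata": {"namespace": "shop", "name": "batch"},
  "spec": {"automountServiceAccountToken": false}}
]}
""")

def pods_with_token(items):
    """Return sorted (namespace, pod, service account) for pods that automount a token."""
    # Record each ServiceAccount's automount setting (None when unset).
    sa_setting = {}
    for it in items:
        if it.get("kind") == "ServiceAccount":
            key = (it["metadata"]["namespace"], it["metadata"]["name"])
            sa_setting[key] = it.get("automountServiceAccountToken")
    exposed = []
    for it in items:
        if it.get("kind") != "Pod":
            continue
        ns = it["metadata"]["namespace"]
        spec = it.get("spec", {})
        sa = spec.get("serviceAccountName", "default")
        # The pod-level field takes precedence over the ServiceAccount field;
        # when neither is set, Kubernetes mounts the token.
        mount = spec.get("automountServiceAccountToken")
        if mount is None:
            mount = sa_setting.get((ns, sa))
        if mount is None:
            mount = True
        if mount:
            exposed.append((ns, it["metadata"]["name"], sa))
    return sorted(exposed)

if __name__ == "__main__":
    for ns, pod, sa in pods_with_token(SAMPLE["items"]):
        print(f"{ns}/{pod} mounts a token for service account {sa}")
```

Pods reported here are the ones where code execution in the application also yields API server credentials; the check covers only automatic mounting, not token volumes declared explicitly in the pod spec.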

Mitigations

| ID | Mitigation | Description |
|----|------------|-------------|
| MS-M9005 | Image Assurance Policy | Block vulnerable images |
| MS-M9014 | Network Segmentation | Limit network access to containers |
| MS-M9011 | Restrict Container Runtime using LSM | Restrict container runtime capabilities using LSM. |