Red-Kube : Red Team K8S Adversary Emulation Based On Kubectl

Red-Kube is a collection of kubectl commands written to evaluate the security posture of Kubernetes clusters from the attacker’s perspective.

The commands are either passive for data collection and information disclosure or active for performing real actions that affect the cluster.

The commands are mapped to MITRE ATT&CK Tactics to help get a sense of where we have most of our gaps and prioritize our findings.

The current version is wrapped with a python orchestration module to run several commands in one run based on different scenarios or tactics.

Please use with care as some commands are active and actively deploy new containers or change the role-based access control configuration.

Prerequisites

python3 requirements

pip3 install -r requirements.txt

kubectl (Ubuntu / Debian)

sudo apt-get update
sudo apt-get install -y apt-transport-https ca-certificates curl
sudo curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
echo “deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main” | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt-get update
sudo apt-get install -y kubectl

kubectl (Red Hat based)

cat < /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF
yum install -y kubectl

jq

sudo apt-get update -y
sudo apt-get install -y jq

Usage

usage: python3 main.py [-h] [–mode active/passive/all] [–tactic TACTIC_NAME] [–show_tactics] [–cleanup]
required arguments:
–mode run kubectl commands which are active / passive / all modes
–tactic choose tactic
other arguments:
-h –help show this help message and exit
–show_tactics show all tactics

Commands by MITRE ATT&CK Tactics

TacticCount
Reconnaissance2
Initial Access0
Execution0
Persistence2
Privilege Escalation4
Defense Evasion1
Credential Access8
Discovery15
Lateral Movement0
Collection1
Command and Control2
Exfiltration1
Impact0
R K

Recent Posts

cp Command: Copy Files and Directories in Linux

The cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…

7 days ago

Image OSINT

Introduction In digital investigations, images often hold more information than meets the eye. With the…

7 days ago

cat Command: Read and Combine File Contents in Linux

The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…

7 days ago

Port In Networking

What is a Port? A port in networking acts like a gateway that directs data…

7 days ago

ls Command: List Directory Contents in Linux

The ls command is fundamental for anyone working with Linux. It’s used to display the files and…

1 week ago

pwd Command: Find Your Location in Linux

The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…

1 week ago