From 4ecbeae35772601609c50ecf60df39b69cd9626c Mon Sep 17 00:00:00 2001 From: Christophe Tafani-Dereeper Date: Fri, 3 Jun 2022 15:56:13 +0200 Subject: [PATCH] [docs] cosmetics --- docs/attack-techniques/kubernetes/index.md | 4 ++-- .../kubernetes/k8s.credential-access.dump-secrets.md | 2 +- .../k8s.credential-access.steal-serviceaccount-token.md | 2 +- .../k8s.persistence.create-admin-clusterrole.md | 2 +- .../k8s.privilege-escalation.hostpath-volume.md | 2 +- .../kubernetes/k8s.privilege-escalation.nodes-proxy.md | 8 ++++---- .../kubernetes/k8s.privilege-escalation.privileged-pod.md | 2 +- 7 files changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/attack-techniques/kubernetes/index.md b/docs/attack-techniques/kubernetes/index.md index 4598d7ef..f80c4406 100755 --- a/docs/attack-techniques/kubernetes/index.md +++ b/docs/attack-techniques/kubernetes/index.md @@ -1,6 +1,6 @@ -# kubernetes +# Kubernetes -This page contains the Stratus attack techniques for kubernetes, grouped by MITRE ATT&CK Tactic. +This page contains the Stratus attack techniques for Kubernetes, grouped by MITRE ATT&CK Tactic. Note that some Stratus attack techniques may correspond to more than a single ATT&CK Tactic. diff --git a/docs/attack-techniques/kubernetes/k8s.credential-access.dump-secrets.md b/docs/attack-techniques/kubernetes/k8s.credential-access.dump-secrets.md index 1c335301..a48f9ad6 100755 --- a/docs/attack-techniques/kubernetes/k8s.credential-access.dump-secrets.md +++ b/docs/attack-techniques/kubernetes/k8s.credential-access.dump-secrets.md @@ -7,7 +7,7 @@ title: Dump All Secrets idempotent -Platform: kubernetes +Platform: Kubernetes ## MITRE ATT&CK Tactics diff --git a/docs/attack-techniques/kubernetes/k8s.credential-access.steal-serviceaccount-token.md b/docs/attack-techniques/kubernetes/k8s.credential-access.steal-serviceaccount-token.md index 17261033..ec05df84 100755 --- a/docs/attack-techniques/kubernetes/k8s.credential-access.steal-serviceaccount-token.md +++ b/docs/attack-techniques/kubernetes/k8s.credential-access.steal-serviceaccount-token.md @@ -7,7 +7,7 @@ title: Steal Pod Service Account Token idempotent -Platform: kubernetes +Platform: Kubernetes ## MITRE ATT&CK Tactics diff --git a/docs/attack-techniques/kubernetes/k8s.persistence.create-admin-clusterrole.md b/docs/attack-techniques/kubernetes/k8s.persistence.create-admin-clusterrole.md index e874c7c8..8672d001 100755 --- a/docs/attack-techniques/kubernetes/k8s.persistence.create-admin-clusterrole.md +++ b/docs/attack-techniques/kubernetes/k8s.persistence.create-admin-clusterrole.md @@ -7,7 +7,7 @@ title: Create Admin ClusterRole -Platform: kubernetes +Platform: Kubernetes ## MITRE ATT&CK Tactics diff --git a/docs/attack-techniques/kubernetes/k8s.privilege-escalation.hostpath-volume.md b/docs/attack-techniques/kubernetes/k8s.privilege-escalation.hostpath-volume.md index 1ec0107b..57cb2bac 100755 --- a/docs/attack-techniques/kubernetes/k8s.privilege-escalation.hostpath-volume.md +++ b/docs/attack-techniques/kubernetes/k8s.privilege-escalation.hostpath-volume.md @@ -7,7 +7,7 @@ title: Container breakout via hostPath volume mount -Platform: kubernetes +Platform: Kubernetes ## MITRE ATT&CK Tactics diff --git a/docs/attack-techniques/kubernetes/k8s.privilege-escalation.nodes-proxy.md b/docs/attack-techniques/kubernetes/k8s.privilege-escalation.nodes-proxy.md index aa602800..c4ea19c8 100755 --- a/docs/attack-techniques/kubernetes/k8s.privilege-escalation.nodes-proxy.md +++ b/docs/attack-techniques/kubernetes/k8s.privilege-escalation.nodes-proxy.md @@ -7,7 +7,7 @@ title: Privilege escalation through node/proxy permissions idempotent -Platform: kubernetes +Platform: Kubernetes ## MITRE ATT&CK Tactics @@ -74,10 +74,10 @@ Sample event (shortened): } ``` -In normal operating conditions, it's not expected that this API is used frequently. -Consequently, alerting on `objectRef.resource == "nodes" && objectRef.subresource == "proxy"` should yield minimal false positives.' +Under normal operating conditions, it's not expected that this API is used frequently. +Consequently, alerting on `objectRef.resource == "nodes" && objectRef.subresource == "proxy"` should yield minimal false positives. -Additionally, looking at the Kubelet API path that was proxied can help identify malicious activity (/runningpods) in this example. +Additionally, looking at the Kubelet API path that was proxied can help identify malicious activity (/runningpods in this example). See [kubeletctl](https://github.com/cyberark/kubeletctl/blob/master/pkg/api/constants.go) for an unofficial list of Kubelet API endpoints. diff --git a/docs/attack-techniques/kubernetes/k8s.privilege-escalation.privileged-pod.md b/docs/attack-techniques/kubernetes/k8s.privilege-escalation.privileged-pod.md index 8a5e75d1..d877a1a0 100755 --- a/docs/attack-techniques/kubernetes/k8s.privilege-escalation.privileged-pod.md +++ b/docs/attack-techniques/kubernetes/k8s.privilege-escalation.privileged-pod.md @@ -7,7 +7,7 @@ title: Run a Privileged Pod -Platform: kubernetes +Platform: Kubernetes ## MITRE ATT&CK Tactics