Esc

Additional Container Cluster Roles - T1098.006

(ATT&CK® Technique)

Definition

An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account. Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1098006["Additional Container Cluster Roles"] --> |modifies| UserAccount["User Account"]; class T1098006 OffensiveTechniqueNode;
        class UserAccount ArtifactNode; click UserAccount href "/dao/artifact/d3f:UserAccount";
        click T1098006 href "/offensive-technique/attack/T1098.006/"; click UserAccount href "/dao/artifact/d3f:UserAccount";AccountLocking["Account Locking"] -->
          | disables | UserAccount["User Account"];

          AccountLocking["Account Locking"] -.->
            | May Evict | T1098006["Additional Container Cluster Roles"] ;
          class AccountLocking DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click AccountLocking href "/technique/d3f:AccountLocking"; BiometricAuthentication["Biometric Authentication"] -->
          | authenticates | UserAccount["User Account"];

          BiometricAuthentication["Biometric Authentication"] -.->
            | May Harden | T1098006["Additional Container Cluster Roles"] ;
          class BiometricAuthentication DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click BiometricAuthentication href "/technique/d3f:BiometricAuthentication"; Multi-factorAuthentication["Multi-factor Authentication"] -->
          | authenticates | UserAccount["User Account"];

          Multi-factorAuthentication["Multi-factor Authentication"] -.->
            | May Harden | T1098006["Additional Container Cluster Roles"] ;
          class Multi-factorAuthentication DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"; One-timePassword["One-time Password"] -->
          | authenticates | UserAccount["User Account"];

          One-timePassword["One-time Password"] -.->
            | May Harden | T1098006["Additional Container Cluster Roles"] ;
          class One-timePassword DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click One-timePassword href "/technique/d3f:One-timePassword"; StrongPasswordPolicy["Strong Password Policy"] -->
          | strengthens | UserAccount["User Account"];

          StrongPasswordPolicy["Strong Password Policy"] -.->
            | May Harden | T1098006["Additional Container Cluster Roles"] ;
          class StrongPasswordPolicy DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click StrongPasswordPolicy href "/technique/d3f:StrongPasswordPolicy"; UserAccountPermissions["User Account Permissions"] -->
          | restricts | UserAccount["User Account"];

          UserAccountPermissions["User Account Permissions"] -.->
            | May Harden | T1098006["Additional Container Cluster Roles"] ;
          class UserAccountPermissions DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click UserAccountPermissions href "/technique/d3f:UserAccountPermissions";  RestoreUserAccountAccess["Restore User Account Access"] -->
          | restores | UserAccount["User Account"];

          RestoreUserAccountAccess["Restore User Account Access"] -.->
            | May Restore | T1098006["Additional Container Cluster Roles"] ;
          class RestoreUserAccountAccess DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess"; UnlockAccount["Unlock Account"] -->
          | restores | UserAccount["User Account"];

          UnlockAccount["Unlock Account"] -.->
            | May Restore | T1098006["Additional Container Cluster Roles"] ;
          class UnlockAccount DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click UnlockAccount href "/technique/d3f:UnlockAccount";

json