What are MITRE ATT&CK TTPs?

MITRE ATT&CK is a well-known, comprehensive knowledge base of the Tactics, Techniques, and Procedures (TTPs) that advanced threat actors use in real-world attacks. It is not a compliance standard; it is a framework that serves as a foundation for threat models and detection methodologies.

Applied to Kubernetes, the MITRE ATT&CK model describes how an attacker infiltrates and damages a cluster: the attacker plans the intrusion as a lifecycle of stages, from the first foothold to the final objective. Not every attack uses every stage, but each stage the attacker does pass through is a point where the behaviour can be detected or blocked, so defending each stage raises the cost of the whole attack.

MITRE ATT&CK framework model

How to Use the MITRE ATT&CK matrix for Kubernetes?

The ATT&CK model, as applied to Kubernetes in this article, groups attacker behaviour into 10 tactics:

  1. Initial access
  2. Execution
  3. Persistence
  4. Privilege Escalation
  5. Defense Evasion
  6. Credential access
  7. Discovery
  8. Lateral Movement
  9. Collection and Exfiltration
  10. Command and Control

From initial access to command and control, these are the 10 tactics. A tactic is the attacker's goal at a given stage; each tactic consists of techniques and sub-techniques that describe how that goal is achieved. Tactics are not a strict sequence: an attacker uses whichever ones the intrusion requires.

Protect Against and Detect Typical TTPs in the MITRE ATT&CK Framework with KubeArmor

Organizations currently have a vast number of unsecured workloads and no efficient or unified way to protect them. Often they manage multiple single-purpose security solutions to secure these workload stacks, which creates operational burdens and security gaps.

"Today's new capabilities further our commitment to deliver comprehensive cloud workload protection across hybrid and multi-cloud environments. DevOps teams can now efficiently build and deploy their workloads and applications rapidly while helping security teams deliver protection."

KubeArmor is open-source software that protects your cloud workloads at run time by enforcing policies on process execution, file access and network behaviour.

  • Let's take an example: Exaramel for Linux, a backdoor written in Go, which MITRE maps to several TTPs.

Techniques used by Exaramel for Linux, with the matching KubeArmor policy template for each. Templates prefixed ksp- are KubeArmorPolicy objects that apply to containers; those prefixed hsp- are KubeArmorHostPolicy objects that apply to the node itself.

Abuse Elevation Control Mechanism: Setuid and Setgid (T1548.001)

Exaramel for Linux can execute commands with high privileges via a specific binary with the setuid bit set.

policy-templates/hsp-mitre-host-block-s-bit.yaml at eff498e8cdf5e2d8417ae9f1baa081ce553b82d1 · kubearmor/policy-templates

Command and Scripting Interpreter: Unix Shell (T1059.004)

Exaramel for Linux has a command to execute a shell command on the system.

policy-templates/ksp-mitre-t1059.yaml at 97749c62a43db11f0670a24d0a5d5c5adeed9726 · kubearmor/policy-templates

Create or Modify System Process: Systemd Service (T1543.002)

Exaramel for Linux has a hardcoded location under systemd that it uses to achieve persistence if it is running as root.

policy-templates/hsp-mitre-t1543-002.yaml at e2c735085c96568ce8692c375dd43dba902c2560 · kubearmor/policy-templates

Deobfuscate/Decode Files or Information (T1140)

Exaramel for Linux can decrypt its configuration file.

policy-templates/hsp-mitre-tactic-defense-evasion.yaml at c98900a7164c78356adb73a4a8958d6c265f487f · kubearmor/policy-templates

Scheduled Task/Job: Cron (T1053.003)

Exaramel for Linux uses crontab for persistence if it does not have root privileges.

policy-templates/hsp-mitre-crontab-audit.yaml at 7b37b2427bde66ee7e46d0359cdacb2bd18b36eb · kubearmor/policy-templates

System Owner/User Discovery (T1033)

Exaramel for Linux can run whoami to identify the system owner.

policy-templates/ksp-mitre-system-owner-user-discovery.yaml at 6e0870773df9df5c132cd96abd0ef7b7086365bf · kubearmor/policy-templates

MITRE ATT&CK Navigator for Exaramel for Linux

MITRE ATT&CK Navigator

Kubernetes Cluster

Installation of KubeArmor

To install KubeArmor, follow the karmor CLI steps in the KubeArmor installation guide (the CLI deploys KubeArmor into the current cluster with the karmor install command).

Enforcing the KubeArmor policy

Let's enforce the policy for T1548.001, Abuse Elevation Control Mechanism: Setuid and Setgid. This is the technique Exaramel for Linux uses to execute commands with high privileges via a specific binary with the setuid bit set.

Command to enforce the policy:

You can apply the template directly from our open-source GitHub inventory:

kubectl apply -f https://raw.githubusercontent.com/kubearmor/policy-templates/04b6669bf68ec9577ce9333352e268ef7f75402a/mitre/system/ksp-mitre-block-s-bit.yaml

KubeArmor Policy Template:

# KubeArmor is an open source software that enables you to protect your cloud workload at run-time.
# To learn more about KubeArmor visit:
# https://www.accuknox.com/kubearmor/

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-mitre-t1548-001-setuid-setgid
  namespace: testns # Change your namespace
spec:
  message: "Blocked the setuid or setgid flag"
  tags: ["MITRE","T1548.001","Privilege Escalation","S-Bit"]
  selector:
    matchLabels:
      container: ubuntu-1  # use your own label here
  process:
    matchPaths:
    - path: /usr/sbin/groupdel
    - path: /usr/sbin/userdel
    - path: /usr/sbin/chgpasswd
    - path: /usr/sbin/groupmod
    - path: /usr/sbin/groupadd
    - path: /usr/sbin/newusers
    - path: /usr/sbin/chpasswd
    - path: /usr/sbin/usermod
    severity: 2 # Higher severity for processes
    action: Block

The list of paths is the template's generic set of account-management binaries; adjust it to the set-uid and set-gid binaries actually present in your image, and consider running the policy with action: Audit first so legitimate callers of these binaries show up in the logs before you switch to Block.
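The template above hard-codes a generic list of binaries. The following is an added example (not code from KubeArmor or the policy-templates repository) that builds the same KubeArmorPolicy from the set-uid/set-gid binaries actually found in a workload, so the rule matches the image you are running. It assumes the schema used by the template above (security.kubearmor.com/v1, spec.selector.matchLabels, spec.process.matchPaths with rule-level severity and action); the input would normally come from kubectl -n testns exec <pod> -- find / -xdev -type f -perm /6000, and a constructed sample of that output is embedded so the script runs offline.

```python
"""Build a KubeArmorPolicy blocking the set-uid/set-gid binaries present in an image.

Added example, not code from KubeArmor or the policy-templates repository. It
assumes the KubeArmorPolicy schema used by the template in the article
(apiVersion security.kubearmor.com/v1, spec.selector.matchLabels,
spec.process.matchPaths with a rule-level severity and action).
"""

# Constructed sample of `find / -xdev -type f -perm /6000` output as run inside
# the pod. A duplicate, an empty line and a relative path are included on
# purpose to exercise the input cleaning below; the real list depends on the image.
SAMPLE_FIND_OUTPUT = """\
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/su
/usr/bin/newgrp
/usr/sbin/usermod
/usr/bin/passwd

usr/bin/not-absolute
"""

# The three actions a KubeArmor rule accepts. Start a new policy with Audit so
# legitimate users of these binaries show up in the logs before you Block.
VALID_ACTIONS = ("Allow", "Audit", "Block")


def parse_setuid_paths(find_output):
    """Return a sorted, de-duplicated list of absolute paths from raw find output.

    KubeArmor matchPaths entries must be absolute, so anything that does not
    start with '/' is dropped here instead of failing at kubectl apply time.
    """
    paths = set()
    for line in find_output.splitlines():
        line = line.strip()
        if line.startswith("/"):
            paths.add(line)
    return sorted(paths)


def build_setuid_policy(paths, name="ksp-mitre-t1548-001-setuid-setgid",
                        namespace="testns", label_key="container",
                        label_value="ubuntu-1", severity=2, action="Block"):
    """Render the KubeArmorPolicy YAML for the given binary paths."""
    if not paths:
        raise ValueError("no set-uid/set-gid binaries to block")
    if action not in VALID_ACTIONS:
        raise ValueError("action must be one of %s" % ", ".join(VALID_ACTIONS))
    verb = "Blocked" if action == "Block" else "Observed"
    lines = [
        "apiVersion: security.kubearmor.com/v1",
        "kind: KubeArmorPolicy",
        "metadata:",
        "  name: %s" % name,
        "  namespace: %s" % namespace,
        "spec:",
        '  tags: ["MITRE", "T1548.001", "Privilege Escalation", "S-Bit"]',
        '  message: "%s execution of a set-uid/set-gid binary"' % verb,
        "  selector:",
        "    matchLabels:",
        "      %s: %s" % (label_key, label_value),
        "  process:",
        "    matchPaths:",
    ]
    lines += ["    - path: %s" % p for p in paths]   # one rule per binary
    lines += ["    severity: %d" % severity,          # rule-level severity and
              "    action: %s" % action]              # action, as in the template
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Pipe the output into `kubectl apply -f -` once you are happy with it.
    print(build_setuid_policy(parse_setuid_paths(SAMPLE_FIND_OUTPUT)))
```

Because the path list is taken from the image rather than from a fixed template, a binary such as /usr/bin/newgrp that the template does not mention is still covered, and a template entry that is not present in the image does not clutter the policy.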

Deploy an Ubuntu workload to test the KubeArmor policy

Sample deployment file:

apiVersion: v1
kind: Namespace
metadata:
  name: testns
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ubuntu-test
  namespace: testns
  labels:
    deployment: ubuntu-1
spec:
  replicas: 1
  selector:
    matchLabels:
      container: ubuntu-1
  template:
    metadata:
      labels:
        container: ubuntu-1
    spec:
      containers:
      - name: ubuntu-1-container
        image: 0x010/ubuntu-w-utils:latest

Now exec into the Ubuntu pod to test the policy:

kubectl -n testns exec -it <ubuntu pod name> -- bash

With KubeArmor enforcing the policy, running any of the listed binaries (for example /usr/sbin/usermod) from inside the pod is denied: the shell reports a permission error instead of executing the set-uid binary.

Audit log

Every blocked execution is recorded by KubeArmor as an alert that names the pod, the matched policy, the binary that was run (Resource), the parent process (Source) and the result. To see how to view these alerts (for example with the karmor logs command), go through our help section.
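To make these alerts useful beyond a single test, they can be summarised per MITRE technique and checked for policies that matched but did not actually enforce. The following is an added example, not part of KubeArmor or this article's tooling. It assumes the JSON-lines alert shape produced by karmor logs --json (fields such as Type, Action, Result, Resource and Tags); the sample alerts are constructed for the testns/ubuntu-1 workload above, so all values are invented.

```python
"""Summarise KubeArmor alerts by MITRE technique and flag unenforced Block rules.

Added example, not part of KubeArmor. It assumes the JSON-lines alert shape
emitted by `karmor logs --json`; the sample below is constructed.
"""
import json
import re
from collections import defaultdict

# Constructed sample alerts for the testns/ubuntu-1 workload. Line 5 has
# Action=Block but Result=Passed, the signature of a policy that matched but
# was not enforced; line 6 is deliberate garbage to exercise error handling.
SAMPLE_ALERTS = """\
{"NamespaceName":"testns","PodName":"ubuntu-test-7c9d5-abcde","PolicyName":"ksp-mitre-t1548-001-setuid-setgid","Tags":"MITRE,T1548.001,Privilege Escalation,S-Bit","Type":"MatchedPolicy","Source":"/bin/bash","Operation":"Process","Resource":"/usr/sbin/usermod","Action":"Block","Result":"Permission denied"}
{"NamespaceName":"testns","PodName":"ubuntu-test-7c9d5-abcde","PolicyName":"ksp-mitre-t1548-001-setuid-setgid","Tags":"MITRE,T1548.001,Privilege Escalation,S-Bit","Type":"MatchedPolicy","Source":"/bin/bash","Operation":"Process","Resource":"/usr/sbin/groupadd","Action":"Block","Result":"Permission denied"}
{"NamespaceName":"testns","PodName":"ubuntu-test-7c9d5-abcde","PolicyName":"ksp-mitre-system-owner-user-discovery","Tags":"MITRE,T1033,Discovery","Type":"MatchedPolicy","Source":"/bin/bash","Operation":"Process","Resource":"/usr/bin/whoami","Action":"Audit","Result":"Passed"}
{"NamespaceName":"testns","PodName":"ubuntu-test-7c9d5-abcde","Type":"ContainerLog","Source":"/bin/bash","Operation":"Process","Resource":"/bin/ls","Result":"Passed"}
{"NamespaceName":"testns","PodName":"ubuntu-test-7c9d5-zzzzz","PolicyName":"ksp-mitre-t1548-001-setuid-setgid","Tags":"MITRE,T1548.001,Privilege Escalation,S-Bit","Type":"MatchedPolicy","Source":"/bin/bash","Operation":"Process","Resource":"/usr/sbin/userdel","Action":"Block","Result":"Passed"}
this line is not JSON
"""

# ATT&CK technique IDs look like T1548 or T1548.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def parse_alerts(jsonl_text):
    """Parse JSON-lines alerts; return (alerts, number_of_unparseable_lines)."""
    alerts, bad = [], 0
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1  # a truncated or corrupt line must not abort the whole run
    return alerts, bad


def technique_ids(alert):
    """Extract ATT&CK technique IDs from the policy tags.

    KubeArmor emits Tags as a comma-joined string; a list is accepted too.
    """
    tags = alert.get("Tags", [])
    if isinstance(tags, str):
        tags = tags.split(",")
    return [t.strip() for t in tags if TECHNIQUE_ID.match(t.strip())]


def summarize_by_technique(alerts):
    """Map action -> technique ID -> sorted list of binaries seen.

    Only MatchedPolicy events count; plain ContainerLog telemetry is skipped.
    """
    summary = defaultdict(lambda: defaultdict(set))
    for a in alerts:
        if a.get("Type") != "MatchedPolicy":
            continue
        for tid in technique_ids(a):
            summary[a.get("Action", "?")][tid].add(a.get("Resource", "?"))
    return {act: {tid: sorted(res) for tid, res in techs.items()}
            for act, techs in summary.items()}


def enforcement_gaps(alerts):
    """Return Block alerts whose Result is Passed.

    Heuristic, not a KubeArmor API: a Block rule reporting Result=Passed means
    the policy matched but nothing stopped the execution, e.g. KubeArmor running
    on a node without a supported enforcer (AppArmor, BPF-LSM or SELinux).
    """
    return [a for a in alerts
            if a.get("Type") == "MatchedPolicy"
            and a.get("Action") == "Block"
            and a.get("Result") == "Passed"]


if __name__ == "__main__":
    alerts, bad = parse_alerts(SAMPLE_ALERTS)
    for action, techs in sorted(summarize_by_technique(alerts).items()):
        for tid, resources in sorted(techs.items()):
            print(action, tid, ", ".join(resources))
    for a in enforcement_gaps(alerts):
        print("NOT ENFORCED:", a["PodName"], a["PolicyName"], a["Resource"])
    print("unparseable lines:", bad)
```

In practice you would feed the output of karmor logs --json to parse_alerts; the enforcement_gaps check is the one to alert on, because a policy that is applied but not enforced gives a false sense of coverage for the TTP.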

MITRE ATT&CK framework

In the same way, a KubeArmor policy can be applied for each of the typical TTPs mapped above, so that the behaviours Exaramel for Linux relies on are blocked or audited rather than silently succeeding.

The MITRE ATT&CK framework provides the knowledge of how such attacks happen in the real world, and that knowledge guides which behaviours to restrict when hardening a Kubernetes cluster with KubeArmor.

To know more, connect with us using the social links given below.

KubeArmor website: https://kubearmor.com/

KubeArmor GitHub: GitHub - kubearmor/KubeArmor: Cloud-native Runtime Security Enforcement System

KubeArmor Slack: Join the KubeArmor community on Slack!

Now you can protect your workloads in minutes using AccuKnox, which protects Kubernetes and other cloud workloads using kernel-native primitives such as AppArmor, SELinux, and eBPF.

Let us know if you are seeking additional guidance in planning your cloud security program.

Read more blogs from Cloud Security Category here.