Contents / Books |
| Hacking Kubernetes | | | By Andrew Martin, Michael Hausenblas [ ] [ ] |
| Kubernetes Security and Observability | | | by Brendan Creane, Amit Gupta [ ] |
| Security Observability with eBPF | | | by Jed Salazar and Natalia Reka Ivanko |
| amazon | | | Gray Hat Hacking, 6th Ed. (relevant chapters) By Allen Harper, Ryan Linn, Stephen Sims, Michael Baucom, Huascar Tejeda, Daniel Fernandez, Moses Frost [ ] |
Contents / Books / amazon |
| Ch 29. Hacking on Containers | | | [ ] |
| Ch 30. Hacking on Kubernetes | | | [ ] |
Contents / Books |
| Kubernetes Patterns, 2nd Edition, Part 5: Security Patterns | | | by Bilgin Ibryam and Roland Huss [ ] |
| Container Security Book | | | by Liz Rice [ ] |
Contents / Conferences |
| 2022 | | | eBPF Summit [ ] [ ] [ ] |
| CloudNative SecurityCon | | | |
Contents / Talks and videos / Detection |
| Keynote: Detecting Threats in GitHub with Falco | | | |
| Threat Hunting at Scale: Auditing Thousands of Clusters With Falco | | | |
| Security Kill Chain Stages in a 100k+ Daily Container Environment with Falco | | | |
| Falco to Pluginfinity and Beyond | | | |
| Purple Teaming Like Sky’s the Limit – Adversary Emulation in the Cloud | | | |
| Uncovering a Sophisticated Kubernetes Attack in Real Time Part II. | | | |
| Keeping your cluster safe from attacks with eBPF | | | |
| Threat Modeling Kubernetes: A Lightspeed Introduction | | | |
Contents / Talks and videos / Hardening |
| Securing Kubernetes Applications by Crafting Custom Seccomp Profiles | | | |
| The Hitchhiker's Guide to Pod Security | | | |
| You and Your Security Profiles; Generating Security Policies with the Help of eBPF | | | |
| Using the EBPF Superpowers To Generate Kubernetes Security Policies | | | |
| Komrade: an Open-Source Security Chaos Engineering (SCE) Tool for | | | |
Contents / Talks and videos / Attacks |
| Advanced Persistence Threats: The Future of Kubernetes Attacks | | | |
| Bypassing Falco: How to Compromise a Cluster without Tripping the SOC | | | |
| A Treasure Map of Hacking (and Defending) Kubernetes | | | |
| How Attackers Use Exposed Prometheus Server to Exploit | | | |
| Trampoline Pods: Node to Admin PrivEsc Built Into Popular K8s Plat | | | |
| Three Surprising K8s Networking “Features” and How to Defend Against Them | | | |
| A Compendium of Container Escapes | | | |
| The Path Less Traveled: Abusing Kubernetes Defaults | | | |
Contents / Talks and videos / Supply Chain |
| Securing Your Container Native Supply Chain with SLSA, Github and Te | | | |
| Keynote: Securing Shopify's Software Supply Chain - Shane Lawrence, Shopify | | | |
Contents / Talks and videos / Networking |
| Kubernetes Networking 101 (1h26m) | | | |
| A Guided Tour of Cilium Service Mesh | | | |
| Cilium: Welcome, Vision and Updates | | | |
| Cloud-Native Building Blocks: An Interactive Envoy Proxy Workshop (1h25m) | | | |
Contents / Blogs and Articles / Detection |
| Detecting a Container Escape with Cilium and eBPF | | | |
| Detecting and Blocking log4shell with Isovalent Cilium Enterprise | | | |
| Threat Hunting with Kubernetes Audit Logs | | | |
| Threat Hunting with Kubernetes Audit Logs - Part 2 | | | |
| Lateral movement risks in the cloud and how to prevent them – Part 2: from compromised container to cloud takeover | | | |
| Lateral movement risks in the cloud and how to prevent them – Part 3: from compromised cloud resource to Kubernetes cluster takeover | | | |
| Dive into BPF: a list of reading material | | | |
| Deep Dive into Real-World Kubernetes Threats | | | |
| Understanding Docker container escapes | | | |
| Consider All Microservices Vulnerable — And Monitor Their Behavior | | | |
| K8 Audit Logs | | | |
| Kubernetes Hunting & Visibility | | | |
| SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft | | | |
| Detecting Cryptomining Attacks in the wild | | | |
| Threat Alert: Kinsing Malware Attacks Targeting Container Environments | | | |
| TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations | | | |
| TeamTNT Targeting AWS, Alibaba | | | |
| Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes | | | |
| Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments | | | |
| CrowdStrike Discovers First-Ever Dero Cryptojacking Campaign Targeting Kubernetes | | | |
Contents / Blogs and Articles / Hardening |
| NSA Kubernetes Hardening Guide | | | |
| Securing Kubernetes Clusters by Eliminating Risky Permissions | | | |
| Container security fundamentals: Exploring containers as processes | | | |
| Container security fundamentals part 2: Isolation & namespaces | | | |
| Kubernetes Security Checklist | | | |
| Under-documented Kubernetes Security Tips | | | |
Contents / Blogs and Articles / Attacks |
| Attacker persistence in Kubernetes using the TokenRequest API: Overview, detection, and prevention | | | |
| Tetragone: A Lesson in Security Fundamentals | | | |
| How I Hacked Play-with-Docker and Remotely Ran Code on the Host | | | |
| The Route to Root: Container Escape Using Kernel Exploitation | | | |
| (twitter thread)Quick and dirty way to get out of a privileged k8s pod or docker container by using cgroups release_agent feature. | | | |
| Bad Pods: Kubernetes Pod Privilege Escalation | | | [ ] |
| Kernel privilege escalation: how Kubernetes container isolation impacts privilege escalation attacks | | | |
| GKE Kubelet TLS Bootstrap Privilege Escalation | | | |
Contents / TTPs / Attack Matrices |
| MITRE ATT&CK Containers Matrix | | | |
| Threat matrix for Kubernetes | | | |
| Secure containerized environments with updated threat matrix for Kubernetes | | | |
| OWASP Kubernetes Top 10 | | | |
| OWASP Kubernetes Top 10 (Sysdig) | | | |
| AVOLENS Kubernetes Threat Matrix | | | |
Contents / Tools / Detection |
| falco | 7,291 | 5 days ago | |
| kube-bench | 6,981 | 1 day ago | |
| kubesec | 1,214 | 12 days ago | |
| security-guard | 65 | 11 days ago | |
| sysdig | 7,732 | 12 days ago | |
| tetragon | 3,573 | 3 days ago | |
| tracee | 3,552 | 8 days ago | |
| trivy | 23,086 | 2 days ago | |
Contents / Tools / Hardening |
| seccomp | | | "can be used to sandbox the privileges of a process, restricting the calls it is able to make from userspace into the kernel." |
| AppArmor | | | "AppArmor is a Linux kernel security module that supplements the standard Linux user and group based permissions to confine programs to a limited set of resources. AppArmor can be configured for any application to reduce its potential attack surface and provide greater in-depth defense." |
| Kubernetes Network Policy Recipes | 5,676 | 7 months ago | |
| OPA Gatekeeper | 3,625 | 12 days ago | "A customizable cloud native policy controller that helps enforce policies and strengthen governance" |
Contents / Tools / Simulation / Experimentation |
| Stratus Red Team | 1,765 | 18 days ago | Stratus Red Team is "Atomic Red Team™" for the cloud, allowing to emulate offensive attack techniques in a granular and self-contained manner |
Contents / Tools / Simulation / Experimentation / Stratus Red Team |
| Kubernetes Attacks | 1,765 | 18 days ago | see |
Contents / Tools / Simulation / Experimentation |
| falcosecurity/event-generator | 89 | 12 days ago | |
| minikube | 29,266 | 3 days ago | minikube implements a local Kubernetes cluster on macOS, Linux, and Windows. minikube's primary goals are to be the best tool for local Kubernetes application development and to support all Kubernetes features that fit |
| controlplaneio/simulator | 928 | about 1 month ago | |
| kubernetes-goat | 4,240 | 19 days ago | |
| Sock Shop: A Microservices Demo Application | | | |
Contents / Tools / Attack |
| kubesploit | 1,114 | 3 months ago | |
| Falco-bypasses | 79 | 8 months ago | |
| go-pillage-registries | 104 | over 4 years ago | |
| ConMachi | 85 | almost 6 years ago | |
| peirates | 1,216 | 26 days ago | |
| botb | 620 | about 1 year ago | |
| kubernetes-info.nse script | | | |
| kube-hunter | 4,729 | 7 months ago | |
| MTKPI | 209 | about 1 month ago | |
Contents / Tools / Platforms |
| m9sweeper | 247 | 3 months ago | "m9sweeper is a free and easy kubernetes security platform. It integrates industry-standard open source utilities into a one-stop-shop kubernetes security tool that can walk most kubernetes adminstrators through securing a kubernetes cluster as well as the apps running on the cluster." |
| anchore | | | "Software Composition Analysis from Code to Cloud: Enables security teams to find every piece of software in cloud native applications. Block and fix security issues in minutes rather than days." |
| Prisma Cloud Compute Edition (formerly Twistlock) | | | "Prisma Cloud secures applications from code to cloud, enabling security and DevOps teams to effectively collaborate to accelerate secure cloud-native application development and deployment." |
| sysdig | | | "Sysdig is a universal system visibility tool with native support for containers" |
| Aqua Security | | | "Unified Cloud Security: Accelerate secure innovation and protect your entire development lifecycle from code to cloud and back." |
Contents / Tools / Misc |
| kube-iptables-tailer | 550 | about 2 months ago | |
| inspektor-gadget | 2,186 | 3 days ago | |
Contents / Detection Rules and Analytics |
| Elastic kubernetes detection rules | 1,911 | 7 days ago | |
| Falco Rules | 93 | 19 days ago | |
| Panther Labs gcp_k8s_rules | 334 | 9 days ago | |
| Sigma cloud/azure/kube*.yml | 8,151 | 13 days ago | |
| Sigma cloud/gcp/kube*.yml | 8,151 | 13 days ago | |
| Splunk Analytic Story: Kubernetes Scanning Activity | | | |
| Splunk Analytic Story: Kubernetes Sensitive Object Access Activity | | | |
| Tracee Signatures | 3,552 | 8 days ago | |
Contents / Detection Rules and Analytics / Projectdiscovery/nuclei-templates |
| technologies/kubernetes | 9,048 | 8 days ago | |
| exposed-panels/kube*.yaml | 9,048 | 8 days ago | |
| misconfiguration/kubernetes | 9,048 | 8 days ago | |
| exposures/configs/kube*.yaml | 9,048 | 8 days ago | |
Contents / People |
| @_fel1x | | | |
| @Antonlovesdnb | | | |
| @bibryam | | | |
| @bradgeesaman | | | |
| @christophetd | | | |
| @g3rzi | | | |
| @htejeda | | | |
| @iancoldwater | | | |
| @jrfastab | | | |
| @LachlanEvenson | | | |
| @lizrice | | | |
| @mhausenblas | | | |
| @mhausenblas | | | |
| @mosesrenegade | | | |
| @nataliaivanko | | | |
| @raesene | | | |
| @ramesh-ramani | | | |
| @randyabernethy | | | |
| @saschagrunert | | | |
| @sethsec | | | |
| @shaul-ben-hai | | | |
| @sshaybbc | | | |
| @Steph3nSims | | | |
| @sublimino | | | |
| @sussurro | | | |
| @sys_call | | | |
| @tgraf__ | | | |
| @tixxdz | | | |
| @tpapagian | | | |
| @willfindlay | | | |
| @yuvalavra | | | |
| @jimmesta | | | |
awesome-kubernetes-threat-detection 
0x4d31/awesome-threat-detection
infosecb/awesome-detection-engineering