Posts

  • AWS GuardDuty + EKS + DNS = wild goose chase

    On a beautiful autumn day in early November, we received a concerning GuardDuty alert, Backdoor:EC2/C&CActivity.B!DNS, which basically means that an EC2 instance queried a domain name associated with a known C2 (command and control) server. Here is what we know based on the alert alone: The...
  • Leveraging Kubernetes audit logs for threat detection

    TLDR: Kubernetes audit logs can provide great visibility into the operation and inner workings of your cluster. They are also a good resource, with relatively low startup cost, for detecting threats and anomalies inside your cluster. In this post, I will talk about shipping Kubernetes audit logs from CloudWatch to...
  • Mastering the terminal

    Here are some tricks that helped me drastically improve my workflow in the terminal. I will continue to update this post as I go, in case I find some new cool tricks that help me ‘ninja’ my way through the terminal. This will probably serve as the backup for...
  • Basic Kubernetes Privilege Escalation

    Let’s say you got a reverse shell from a process running in a Kubernetes environment. This guide details the basic steps you can take to escalate your privileges within Kubernetes. Are you in a Kubernetes environment? If yes, what’s the API server? # by default, Kubernetes automounts default service account...