# Tactics

|[Initial Access](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/InitialAccess/index)|[Execution](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/Execution/index)|[Persistence](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/Persistence/index)|[Privilege Escalation](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/PrivilegeEscalation/index)|[Defense Evasion](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/DefenseEvasion/index)|[Credential Access](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/CredentialAccess/index)|[Discovery](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/Discovery/index)|[Lateral Movement](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/LateralMovement/index)|[Collection](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/Collection/index)|[Impact](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/tactics/Impact/index)|
|--------------|---------|-----------|--------------------|---------------|-----------------|---------|----------------|----------|------|
|[Using cloud credentials](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Using%20Cloud%20Credentials)|[Exec into container](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container)|[Backdoor container](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Backdoor%20container)|[Privileged container](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container)|[Clear container logs](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Clear%20container%20logs)|[List K8S secrets](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets)|[Access Kubernetes API server](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20the%20K8S%20API%20server)|[Access cloud resources](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20cloud%20resources)|[Images from a private registry](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/images%20from%20a%20private%20registry)|[Data destruction](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction)|
|[Compromised image In registry](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Compromised%20Image%20In%20Registry)|[bash/cmd inside container](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/bash%20or%20cmd%20inside%20container)|[Writable hostPath mount](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount)|[Cluster-admin binding](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster-admin%20binding)|[Delete K8S events](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events)|[Mount service principal](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Mount%20service%20principal)|[Access Kubelet API](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubelet%20API)|[Container service account](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account)|[Collecting data from pod](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Collecting%20Data%20from%20Pod)|[Resource hijacking](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Resource%20hijacking)|
|[Kubeconfig file](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Kubeconfig%20file)|[New container](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/New%20Container)|[Kubernetes CronJob](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Kubernetes%20CronJob)|[hostPath mount](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount)|[Pod / container name similarity](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily)|[Container service account](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account)|[Network mapping](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Network%20mapping)|[Cluster internal networking](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster%20internal%20networking)||[Denial of service](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Denial%20of%20service)|
|[Application vulnerability](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20Vulnerability)|[Application exploit (RCE)](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20Exploit%20(RCE))|[Malicious admission controller](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Malicious%20admission%20controller)|[Access cloud resources](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20cloud%20resources)|[Connect from proxy server](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Connect%20from%20Proxy%20server)|[Application credentials in configuration files](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20credentials%20in%20configuration%20files)|[Exposed sensitive interfaces](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exposed%20sensitive%20interfaces)|[Application credentials in configuration files](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20credentials%20in%20configuration%20files)|||
|[Exposed sensitive interfaces](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exposed%20sensitive%20interfaces)|[SSH server running inside container](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container)|[Container service account](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account)|||[Access managed identity credentials](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20managed%20identity%20credentials)|[Instance Metadata API](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Instance%20Metadata%20API)|[Writable hostPath mount](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount)|||
||[Sidecar injection](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection)|[Static pods](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Static%20Pods)|||[Malicious admission controller](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Malicious%20admission%20controller)||[CoreDNS poisoning](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/CoreDNS%20poisoning)|||
||||||||[ARP poisoning and IP spoofing](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/ARP%20poisoning%20and%20IP%20spoofing)|||

# Initial Access

The initial access tactic consists of techniques that are used for gaining access to the resource. In containerized environments, those techniques enable first access to the cluster. This access can be achieved directly via the cluster management layer or, alternatively, by gaining access to a malicious or vulnerable resource that is deployed on the cluster.

|ID|Name|
|--|----|
|[MS-TA9001](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Using%20Cloud%20Credentials)|Using cloud credentials|
|[MS-TA9002](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Compromised%20Image%20In%20Registry)|Compromised image in registry|
|[MS-TA9003](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Kubeconfig%20file)|Kubeconfig file|
|[MS-TA9004](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20Vulnerability)|Application vulnerability|
|[MS-TA9005](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exposed%20sensitive%20interfaces)|Exposed sensitive interfaces|

# Execution

The execution tactic consists of techniques that are used by attackers to run their code inside a cluster.

|ID|Name|
|--|----|
|[MS-TA9006](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container)|Exec into container|
|[MS-TA9007](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/bash%20or%20cmd%20inside%20container)|bash/cmd inside container|
|[MS-TA9008](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/New%20Container)|New container|
|[MS-TA9009](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20Exploit%20(RCE))|Application exploit (RCE)|
|[MS-TA9010](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container)|SSH server running inside container|
|[MS-TA9011](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection)|Sidecar injection|

# Persistence

The persistence tactic consists of techniques that are used by attackers to keep access to the cluster in case their initial foothold is lost.

|ID|Name|
|--|----|
|[MS-TA9012](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Backdoor%20container)|Backdoor container|
|[MS-TA9013](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount)|Writable hostPath mount|
|[MS-TA9014](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Kubernetes%20CronJob)|Kubernetes CronJob|
|[MS-TA9015](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Malicious%20admission%20controller)|Malicious admission controller|
|[MS-TA9016](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account)|Container service account|
|[MS-TA9017](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Static%20Pods)|Static pods|

# Privilege Escalation

The privilege escalation tactic consists of techniques that are used by attackers to get higher privileges in the environment than those they currently have. In containerized environments, this can include getting access to the node from a container, gaining higher privileges in the cluster, and even getting access to the cloud resources.

|ID|Name|
|--|----|
|[MS-TA9018](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container)|Privileged container|
|[MS-TA9019](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster-admin%20binding)|Cluster-admin binding|
|[MS-TA9013](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount)|hostPath mount|
|[MS-TA9020](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20cloud%20resources)|Access cloud resources|

# Defense Evasion

The defense evasion tactic consists of techniques that are used by attackers to avoid detection and hide their activity.

|ID|Name|
|--|----|
|[MS-TA9021](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Clear%20container%20logs)|Clear container logs|
|[MS-TA9022](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events)|Delete K8S events|
|[MS-TA9023](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily)|Pod / container name similarity|
|[MS-TA9024](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Connect%20from%20Proxy%20server)|Connect from proxy server|

# Credential Access

The credential access tactic consists of techniques that are used by attackers to steal credentials. In containerized environments, this includes credentials of the running application, identities, secrets stored in the cluster, or cloud credentials.

|ID|Name|
|--|----|
|[MS-TA9025](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets)|List K8S secrets|
|[MS-TA9026](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Mount%20service%20principal)|Mount service principal|
|[MS-TA9016](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account)|Container service account|
|[MS-TA9027](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20credentials%20in%20configuration%20files)|Application credentials in configuration files|
|[MS-TA9028](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20managed%20identity%20credentials)|Access managed identity credentials|
|[MS-TA9015](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Malicious%20admission%20controller)|Malicious admission controller|

# Discovery

The discovery tactic consists of techniques that are used by attackers to explore the environment to which they gained access. This exploration helps the attackers to perform lateral movement and gain access to additional resources.

|ID|Name|
|--|----|
|[MS-TA9029](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20the%20K8S%20API%20server)|Access Kubernetes API server|
|[MS-TA9030](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20Kubelet%20API)|Access Kubelet API|
|[MS-TA9031](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Network%20mapping)|Network mapping|
|[MS-TA9005](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exposed%20sensitive%20interfaces)|Exposed sensitive interfaces|
|[MS-TA9033](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Instance%20Metadata%20API)|Instance Metadata API|

# Lateral Movement

The lateral movement tactic consists of techniques that are used by attackers to move through the victim’s environment. In containerized environments, this includes gaining access to various resources in the cluster from a given access to one container, gaining access to the underlying node from a container, or gaining access to the cloud environment.

|ID|Name|
|--|----|
|[MS-TA9020](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Access%20cloud%20resources)|Access cloud resources|
|[MS-TA9016](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account)|Container service account|
|[MS-TA9034](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Cluster%20internal%20networking)|Cluster internal networking|
|[MS-TA9027](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Application%20credentials%20in%20configuration%20files)|Application credentials in configuration files|
|[MS-TA9013](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount)|Writable hostPath mount|
|[MS-TA9035](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/CoreDNS%20poisoning)|CoreDNS poisoning|
|[MS-TA9036](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/ARP%20poisoning%20and%20IP%20spoofing)|ARP poisoning and IP spoofing|

# Collection

Collection in Kubernetes consists of techniques that are used by attackers to collect data from the cluster or through using the cluster.

|ID|Name|
|--|----|
|[MS-TA9037](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/images%20from%20a%20private%20registry)|Images from a private registry|
|[MS-TA9041](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Collecting%20Data%20from%20Pod)|Collecting data from pod|

# Impact

The Impact tactic consists of techniques that are used by attackers to destroy, abuse, or disrupt the normal behavior of the environment.

|ID|Name|
|--|----|
|[MS-TA9038](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction)|Data destruction|
|[MS-TA9039](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Resource%20hijacking)|Resource hijacking|
|[MS-TA9040](https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Denial%20of%20service)|Denial of service|