Past event
Speaking session

Living off the Land Techniques in Managed Kubernetes Clusters

Pavilion 7 | Level 7.1 | Room D

Managed Kubernetes services offer the luxury of leveraging K8s without the burdens of control plane maintenance. But this convenience comes with compromises: notably, a reduction in control and, more critically, the introduction of CSP-specific cluster middleware that expands the attack surface. This includes elements like DaemonSets, DNS services, and integral system processes in worker node images. In this talk, we demonstrate a series of LotL techniques that, in the absence of other methods, utilize middleware functionality to elevate RBAC privileges, move laterally, bypass security controls, evade detections, and cause a headache for security teams that often can't differentiate between legitimate component behavior and malicious behavior. Examples include abusing fluent-bit for PI exfiltration, achieving cluster admin via an obscure system node-problem-detector host service, and leveraging webhooks for persistence. We establish a taxonomy of these techniques and map them onto the K8s threat matrix.

Speakers

  • Ronen Shustin

    Vulnerability Researcher

  • Shay Berkovich

    Threat Researcher