chore(doc): fix missing attck association.

DataDog · Jan 8, 2025 · 24f655c · 24f655c
1 parent ed77d83
commit 24f655c
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 8 deletions.
diff --git a/docs/reference/attacks/POD_ATTACH.md b/docs/reference/attacks/POD_ATTACH.md
@@ -13,7 +13,7 @@ mitreAttackTactic: TA0002 - Execution
 
 | Source                      | Destination               | MITRE ATT&CK                                                         |
 | --------------------------- | ------------------------- | -------------------------------------------------------------------- |
-| [Node](../entities/node.md) | [Pod](../entities/pod.md) | [Lateral Movement, TA0008](https://attack.mitre.org/tactics/TA0008/) |
+| [Node](../entities/node.md) | [Pod](../entities/pod.md) | [Container Administration Command, T1609](https://attack.mitre.org/tactics/T1609/) |
 
 Attach to a running K8s pod from a K8s node.
 

diff --git a/docs/reference/attacks/POD_CREATE.md b/docs/reference/attacks/POD_CREATE.md
@@ -15,7 +15,7 @@ Create a pod with significant privilege (`CAP_SYSADMIN`, `hostPath=/`, etc) and
 
 | Source                                        | Destination                 | MITRE ATT&CK                                                                             |
 | --------------------------------------------- | --------------------------- | ---------------------------------------------------------------------------------------- |
-| [PermissionSet](../entities/permissionset.md) | [Node](../entities/node.md) | [Container Orchestration Job, T1053.007](https://attack.mitre.org/techniques/T1053/007/) |
+| [PermissionSet](../entities/permissionset.md) | [Node](../entities/node.md) | [Deploy Container, T1610](https://attack.mitre.org/techniques/T1610/) |
 
 ## Details
 

diff --git a/pkg/kubehound/graph/edge/attck.go b/pkg/kubehound/graph/edge/attck.go
@@ -32,14 +32,14 @@ var (
 	AttckTechniquePermissionGroupsDiscovery AttckTechniqueID = "T1069"
 	// AttckTechniqueValidAccounts is the ATT&CK technique for valid accounts (T1078).
 	AttckTechniqueValidAccounts AttckTechniqueID = "T1078"
+	// AttckTechniqueTaintedSharedContent is the ATT&CK technique for tainted shared content (T1080).
+	AttckTechniqueTaintedSharedContent AttckTechniqueID = "T1080"
 	// AttckTechniqueExploitationOfRemoteServices is the ATT&CK technique for exploitation of remote services (T1210).
 	AttckTechniqueExploitationOfRemoteServices AttckTechniqueID = "T1210"
 	// AttckTechniqueStealApplicationAccessTokens is the ATT&CK technique for stealing application access tokens (T1528).
 	AttckTechniqueStealApplicationAccessTokens AttckTechniqueID = "T1528"
 	// AttckTechniqueUnsecuredCredentials is the ATT&CK technique for unsecured credentials (T1552).
 	AttckTechniqueUnsecuredCredentials AttckTechniqueID = "T1552"
-	// AttckTechniqueCreateOrModifySystemProcessContainerService is the ATT&CK technique for creating or modifying a system process container service (T1543.005).
-	AttckTechniqueCreateOrModifySystemProcessContainerService AttckTechniqueID = "T1543.005"
 	// AttckTechniqueContainerAdministrationCommand is the ATT&CK technique for container administration command (T1609).
 	AttckTechniqueContainerAdministrationCommand AttckTechniqueID = "T1609"
 	// AttckTechniqueDeployContainer is the ATT&CK technique for deploying a container (T1610).

diff --git a/pkg/kubehound/graph/edge/pod_patch_namespace.go b/pkg/kubehound/graph/edge/pod_patch_namespace.go
@@ -36,11 +36,11 @@ func (e *PodPatchNamespace) Name() string {
 }
 
 func (e *PodPatchNamespace) AttckTechniqueID() AttckTechniqueID {
-	return AttckTechniqueCreateOrModifySystemProcessContainerService
+	return AttckTechniqueContainerAdministrationCommand
 }
 
 func (e *PodPatchNamespace) AttckTacticID() AttckTacticID {
-	return AttckTacticPersistence
+	return AttckTacticExecution
 }
 
 func (e *PodPatchNamespace) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error) {

diff --git a/pkg/kubehound/graph/edge/share_ps_namespace.go b/pkg/kubehound/graph/edge/share_ps_namespace.go
@@ -39,11 +39,11 @@ func (e *SharePSNamespace) Name() string {
 }
 
 func (e *SharePSNamespace) AttckTechniqueID() AttckTechniqueID {
-	return AttckTechniqueEscapeToHost
+	return AttckTechniqueTaintedSharedContent
 }
 
 func (e *SharePSNamespace) AttckTacticID() AttckTacticID {
-	return AttckTacticPrivilegeEscalation
+	return AttckTacticLateralMovement
 }
 
 // Processor delegates the processing tasks to the generic containerEscapeProcessor.