{"description": "Enterprise techniques used by Peirates, ATT&CK software S0683 (v1.0)", "name": "Peirates (S0683)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1619", "comment": "[Peirates](https://attack.mitre.org/software/S0683) can list AWS S3 buckets.(Citation: Peirates GitHub)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1609", "comment": "[Peirates](https://attack.mitre.org/software/S0683) can use `kubectl` or the Kubernetes API to run commands.(Citation: Peirates GitHub)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1613", "comment": "[Peirates](https://attack.mitre.org/software/S0683) can enumerate Kubernetes pods in a given namespace.(Citation: Peirates GitHub)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1530", "comment": "[Peirates](https://attack.mitre.org/software/S0683) can dump the contents of AWS S3 buckets. It can also retrieve service account tokens from kOps buckets in Google Cloud Storage or S3.(Citation: Peirates GitHub)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1610", "comment": "[Peirates](https://attack.mitre.org/software/S0683) can deploy a pod that mounts its node\u2019s root file system, then execute a command to create a reverse shell on the node.(Citation: Peirates GitHub)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1611", "comment": "[Peirates](https://attack.mitre.org/software/S0683) can gain a reverse shell on a host node by mounting the Kubernetes hostPath.(Citation: Peirates GitHub)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "[Peirates](https://attack.mitre.org/software/S0683) can initiate a port scan against a given IP address.(Citation: Peirates GitHub)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1528", "comment": "[Peirates](https://attack.mitre.org/software/S0683) gathers Kubernetes service account tokens using a variety of techniques.(Citation: Peirates GitHub)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.005", "comment": "[Peirates](https://attack.mitre.org/software/S0683) can query the query AWS and GCP metadata APIs for secrets.(Citation: Peirates GitHub)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.007", "comment": "[Peirates](https://attack.mitre.org/software/S0683) can query the Kubernetes API for secrets.(Citation: Peirates GitHub)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1550", "showSubtechniques": true}, {"techniqueID": "T1550.001", "comment": "[Peirates](https://attack.mitre.org/software/S0683) can use stolen service account tokens to perform its operations. It also enables adversaries to switch between valid service accounts.(Citation: Peirates GitHub)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078", "showSubtechniques": true}, {"techniqueID": "T1078.004", "comment": "[Peirates](https://attack.mitre.org/software/S0683) can use stolen service account tokens to perform its operations.(Citation: Peirates GitHub)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Peirates", "color": "#66b1ff"}]}