What is the final impact of this kill-chain?

The final step lands on Pivot across the cluster (K-CRONJOB-PERSIST), which falls under Persistence. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

Docker socket exposed in pod → host root

A workload mounts /var/run/docker.sock for convenience; spawn a container with the host root mounted, then chroot in for root on the node.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

RCE in the pod

T1190 · Exploit Public-Facing Application

Initial Access

Find /var/run/docker.sock

K-DOCKER-SOCK · Docker Socket Exposed

Discovery

Read kubelet kubeconfig

K-SA-TOKEN · ServiceAccount Token Theft

Privilege Escalation

docker run -v /:/host --privileged alpine

K-PRIV-CONTAINER · Privileged Container Escape

Privilege Escalation

chroot /host → root on node

K-HOSTPATH-MOUNT · hostPath Volume Mount

Persistence

Pivot across the cluster

K-CRONJOB-PERSIST · Malicious CronJob / DaemonSet

§ Context

Assumed environment: target deployment mounts the Docker socket (common in CI runners, build pods, monitoring agents). PodSecurityStandards permissive.

§ Steps

01
RCE in the podInitial Access
T1190— Exploit Public-Facing Application
02
Find /var/run/docker.sockInitial Access
K-DOCKER-SOCK— Docker Socket Exposed
03
Read kubelet kubeconfigDiscovery
K-SA-TOKEN— ServiceAccount Token Theft
04
docker run -v /:/host --privileged alpinePrivilege Escalation
K-PRIV-CONTAINER— Privileged Container Escape
05
chroot /host → root on nodePrivilege Escalation
K-HOSTPATH-MOUNT— hostPath Volume Mount
06
Pivot across the clusterPersistence
K-CRONJOB-PERSIST— Malicious CronJob / DaemonSet

§ References

T1190Exploit Public-Facing Application

§ Frequently asked

What is the "Docker socket exposed in pod → host root" attack path?: A workload mounts /var/run/docker.sock for convenience; spawn a container with the host root mounted, then chroot in for root on the node. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is RCE in the pod (T1190) — a initial access primitive. Assumed environment: target deployment mounts the Docker socket (common in CI runners, build pods, monitoring agents).
What is the final impact of this kill-chain?: The final step lands on Pivot across the cluster (K-CRONJOB-PERSIST), which falls under Persistence. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Docker socket exposed in pod → host root

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

ArgoCD weak RBAC → cluster admin via custom Application

Privileged pod escape → cluster admin

CVE-2024-21626 (Leaky Vessels) → container escape