CI-ARGOCD-TAKEOVERPrivilege Escalation

ArgoCD Misconfigured RBAC

Default admin/admin or over-broad RBAC lets attackers create Applications pointing at attacker manifests — cluster takeover.

§ Where this technique fits

CI-ARGOCD-TAKEOVER is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

ArgoCD weak RBAC → cluster admin via custom Application
ArgoCD installed with the default admin user and broad RBAC. Attacker creates an Application pointing at attacker manifests — ArgoCD syncs them with cluster-admin.
step 3 / 6

§ What commonly comes next

01
Malicious CronJob / DaemonSet
K-CRONJOB-PERSIST · Persistence
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

ArgoCD weak RBAC → cluster admin via custom Application

§ What commonly comes next