What starting position does this attack require?

The first step is Auth to API server with cluster-admin token (T1078) — a initial access primitive. Assumed environment: a self-managed K8s cluster with etcd 2379/2380 reachable from the network and --client-cert-auth=false (or missing).

What is the final impact of this kill-chain?

The final step lands on Find etcd port (N-NMAP-INTERNAL), which falls under Discovery. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

Exposed etcd → cluster-wide secret raid

etcd is reachable without mTLS — read every Secret in the cluster including service-account tokens that grant cluster-admin.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Auth to API server with cluster-admin token

T1078 · Valid Accounts

Credential Access

Extract secrets (SA tokens, TLS keys, DB creds)

T1552 · Unsecured Credentials

Credential Access

etcdctl get / --prefix --keys-only

T1552 · Unsecured Credentials

Initial Access

Confirm no client-auth

K-ETCD-OPEN · etcd Exposed Without Auth

Persistence

Backdoor admission webhook

K-ADMISSION-WEBHOOK · Malicious Admission Webhook

Discovery

Find etcd port

N-NMAP-INTERNAL · Internal Nmap Sweep

§ Context

Assumed environment: a self-managed K8s cluster with etcd 2379/2380 reachable from the network and --client-cert-auth=false (or missing).

§ Steps

01
Auth to API server with cluster-admin tokenInitial Access
T1078— Valid Accounts
02
Extract secrets (SA tokens, TLS keys, DB creds)Credential Access
T1552— Unsecured Credentials
03
etcdctl get / --prefix --keys-onlyCredential Access
T1552— Unsecured Credentials
04
Confirm no client-authInitial Access
K-ETCD-OPEN— etcd Exposed Without Auth
05
Backdoor admission webhookPersistence
K-ADMISSION-WEBHOOK— Malicious Admission Webhook
06
Find etcd portDiscovery
N-NMAP-INTERNAL— Internal Nmap Sweep

§ References

T1078Valid Accounts
T1552Unsecured Credentials

§ Frequently asked

What is the "Exposed etcd → cluster-wide secret raid" attack path?: etcd is reachable without mTLS — read every Secret in the cluster including service-account tokens that grant cluster-admin. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Auth to API server with cluster-admin token (T1078) — a initial access primitive. Assumed environment: a self-managed K8s cluster with etcd 2379/2380 reachable from the network and --client-cert-auth=false (or missing).
What is the final impact of this kill-chain?: The final step lands on Find etcd port (N-NMAP-INTERNAL), which falls under Discovery. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Exposed etcd → cluster-wide secret raid

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

npm typosquat → developer workstation → corporate VPN

Privileged pod escape → cluster admin

Industroyer2 IEC-104 substation hijack

Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)

z/OS TN3270 → RACF userID brute → mainframe shell

F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB