KUBESHADOW
Abstract
KubeShadow is an advanced red team and adversary simulation framework purpose-built to exploit, persist in, and operate stealthily within Kubernetes clusters. It delivers real-world offensive capabilities designed to emulate high-caliber threat actors operating across AWS EKS, GCP GKE, and Azure AKS. Written in Go, it interacts with the Kubernetes control plane, the etcd datastore, and kubelet APIs, offering a modular attack surface for deep access, stealth-focused exploitation, and evasive privilege escalation. Capabilities include host-networked pod insertion via etcd manipulation to bypass RBAC and admission controllers, stealth recon and cluster fingerprinting, cloud metadata hijacking for lateral movement, and long-term persistence via etcd-level control plane tampering.
Presented at Black Hat Europe 2025 Arsenal, December 8-11, London. Track: Cloud Security.