Skip to content

kubeshark/k8s-mule

Repository files navigation

K8s Mule

Network threat simulation for Kubernetes. Deploy real attack patterns. Detect them.

K8s Mule deploys workloads that generate real malicious network traffic patterns into your Kubernetes cluster — DNS tunneling, C2 beaconing, credential theft, cryptomining, lateral movement, and more. Every scenario maps to a MITRE ATT&CK technique and produces traffic that any network security tool can detect.

Use it to:

  • Train security teams on what real Kubernetes attacks look like on the wire
  • Validate detection tools — does your SIEM/NDR/CNAPP actually catch these?
  • Benchmark AI agents — challenge AI-powered security tools to find the threats
  • Learn threat hunting — practice with known-answer scenarios at three difficulty levels

Warning: K8s Mule deploys intentionally malicious workloads. Do NOT run alongside production environments. Use a dedicated test cluster.

Quick Start

git clone https://github.com/kubeshark/k8s-mule.git
cd k8s-mule

# Deploy all 22 threat scenarios
./setup-k8s-mule.sh

# Or start with easy mode (5 obvious threats)
./setup-k8s-mule.sh -s easy

# Clean up — removes everything
./teardown-k8s-mule.sh

Prerequisites: kubectl (configured), helm v3+, a running Kubernetes cluster (kind, EKS, GKE, AKS).

What Gets Deployed

22 pods generating real network threat patterns across 7 MITRE ATT&CK tactics:

Command & Control (TA0011)

ID Scenario Difficulty What It Does
NET-001 DGA Beaconing Medium Queries algorithmically generated random domains — classic malware behavior
NET-002 HTTP C2 Beacon Medium Periodic HTTP callbacks to an external C2 server with encoded session IDs
NET-003 Encrypted C2 Hard HTTPS to suspicious domains — encrypted but DNS/SNI reveals intent
NET-004 DNS-over-HTTPS C2 Hard Bypasses cluster DNS via Cloudflare/Google DoH resolvers

Exfiltration (TA0010)

ID Scenario Difficulty What It Does
NET-005 DNS Tunneling Medium High-frequency DNS with base64-encoded subdomains — iodine/dnscat2 style
NET-006 HTTP Header Exfil Hard Data hidden in Cookie and X-Trace-ID headers, disguised as analytics
NET-007 DNS Credential Theft Medium Stolen JWT tokens encoded in DNS TXT queries
NET-008 gRPC Stream Exfil Hard Data exfiltration via gRPC POST — blends with normal microservice traffic

Lateral Movement (TA0008)

ID Scenario Difficulty What It Does
NET-009 K8s API Enumeration Medium Pod with cluster-admin enumerates secrets, RBAC, pods across all namespaces
NET-010 SSRF to Internals Medium Probes kube-dns metrics, Prometheus, Grafana across namespaces
NET-011 Port Scanning Easy TCP SYN sweep across 20 IPs on 9 common service ports
NET-012 Service Fingerprinting Medium HTTP probes to /version, /.env, /actuator/info across services

Credential Access (TA0006)

ID Scenario Difficulty What It Does
NET-013 IMDS Metadata Theft Easy Queries AWS metadata service (169.254.169.254) to steal IAM credentials
NET-014 Cloud API Abuse Medium Direct calls to AWS STS/S3/EC2 APIs with stolen credentials

Resource Hijacking (TA0040)

ID Scenario Difficulty What It Does
NET-015 Stratum Mining Medium Sends realistic Stratum JSON-RPC mining protocol messages
NET-016 Mining Pool DNS Easy Resolves known mining pool domains (minexmr, nanopool)
NET-017 WebSocket Mining Hard Mining via WebSocket upgrade on standard ports

Protocol Abuse

ID Scenario Difficulty What It Does
NET-018 SQL Injection (PG) Medium UNION SELECT and pg_shadow queries via PostgreSQL wire protocol
NET-019 Redis Unauth Access Easy CONFIG GET *, KEYS *, CLIENT LIST on unauthenticated Redis
NET-020 Database Destruction Medium SELECT * (theft) then TRUNCATE (destruction) — ransomware pattern

Reconnaissance (TA0043)

ID Scenario Difficulty What It Does
NET-021 DNS Zone Enumeration Easy Brute-force DNS across namespaces with SRV lookups and AXFR attempts
NET-022 gRPC Reflection Enum Medium Probes gRPC server reflection to discover API surfaces

Difficulty Levels

Level Scenarios What Makes It Easy/Hard
Easy (5) Port scan, IMDS, mining DNS, Redis, DNS enum Unmistakable signals: known-bad IPs, ports, protocols
Medium (12) DGA, C2 beacon, DNS tunnel, API enum, SQL injection, ... Requires correlation: DNS entropy + domain names, protocol inspection
Hard (5) Encrypted C2, DoH bypass, header exfil, gRPC exfil, WS mining Mimics legitimate traffic, standard ports, low volume
./setup-k8s-mule.sh -s easy      # Start here
./setup-k8s-mule.sh -s medium    # For experienced teams
./setup-k8s-mule.sh -s hard      # All 22 — the full challenge

How to Detect

K8s Mule is tool-agnostic. Any network security tool that inspects Kubernetes traffic can be tested against these scenarios:

Any Network Security Tool

The scenarios generate standard traffic patterns detectable by:

  • NDR/NTA tools (Darktrace, ExtraHop, Vectra) — L4 flow anomalies, DNS analysis
  • CNAPPs (Wiz, Prisma Cloud, Aqua) — runtime threat detection
  • eBPF-based tools (Falco, Tetragon, Tracee) — syscall and network monitoring
  • SIEM (Splunk, Elastic) — with network flow ingestion
  • Manual analysis (Wireshark, tcpdump) — PCAP capture and inspection

With Kubeshark (Recommended)

Kubeshark provides the deepest visibility — real-time L7 protocol dissection of all cluster traffic including DNS, HTTP, PostgreSQL, Redis, gRPC, and 15+ other protocols. Combined with AI agent skills, it can run an automated security audit:

# Install Kubeshark
helm install kubeshark kubeshark/kubeshark

# Install the security-audit AI skill
git clone https://github.com/kubeshark/kubeshark
cp -r kubeshark/skills/security-audit ~/.claude/skills/

# Prompt your AI agent:
# "Run a security audit on the k8s-mule namespace and generate a PDF report"

The security-audit skill guides AI agents through an 8-phase systematic threat sweep covering all MITRE ATT&CK tactics, producing a PDF report with evidence and remediation recommendations.

Detection results from testing:

Test Detection Rate Notes
AI agent without skill 7/17 (41%) Found loud signals, missed protocol abuse
AI agent with security-audit skill 13/17 (76%) Caught SQL injection, Redis abuse, DGA, credential exfil

Scenario Design

Every scenario follows these principles:

  • Real attack techniques — based on MITRE ATT&CK, real-world incidents, and threat intelligence
  • Wire-visible — every scenario generates detectable network traffic (unlike config-only tools like Kubernetes Goat)
  • Innocent names — workloads are named batch-processor, telemetry-agent, backup-agent — not malicious-pod
  • No custom images — uses alpine:3.19 with inline commands, so you can read the "malware" directly in the YAML
  • Self-contained — no external dependencies, no real C2 servers, no actual mining

Advanced Usage

Deploy Specific Scenarios

# Only deploy the scenarios you want
helm install k8s-mule ./helm-chart \
  --set scenarios.net005_dns_tunnel.enabled=true \
  --set scenarios.net013_imds_access.enabled=true

# Custom namespace
./setup-k8s-mule.sh -n my-test-namespace

# Dry run — preview what would be deployed
./setup-k8s-mule.sh --dry-run

Answer Key

The full scenario catalog with MITRE ATT&CK mappings, detection methods, and KFL filter hints: helm-chart/scenarios.json

Adding Your Own Scenarios

See CONTRIBUTING.md for guidelines on adding new threat scenarios.

Architecture

k8s-mule/
├── helm-chart/
│   ├── Chart.yaml              # Helm chart metadata
│   ├── values.yaml             # Toggle individual scenarios
│   ├── scenarios.json          # Answer key (MITRE mappings, detection hints)
│   └── templates/
│       ├── net-NNN-*.yaml      # One template per threat scenario
│       └── infra-*.yaml        # Supporting services (PostgreSQL, Redis)
├── scenarios/
│   ├── easy.yaml               # 5 obvious threats
│   ├── medium.yaml             # 17 mixed difficulty
│   └── hard.yaml               # All 22
├── setup-k8s-mule.sh           # Deploy
└── teardown-k8s-mule.sh        # Clean up

Contributing

We welcome contributions. See CONTRIBUTING.md.

License

Apache License 2.0. See LICENSE.

About

Network threat simulation for Kubernetes. 22 attack scenarios mapped to MITRE ATT&CK.

Resources

License

Contributing

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors