A common oversight in our threat modeling for agent-based systems is an over-focus on initial compromise vectors (e.g., prompt injection, malformed plugin input) and a comparative neglect of the post-exploitation landscape. Once an adversary has established a foothold within an agent, either by compromising the agent process itself or by coercing it into performing malicious actions, their subsequent techniques can be systematically mapped using the MITRE ATT&CK® framework. This provides a structured methodology for hardening our runtime environments and communication channels.
Consider a scenario where an attacker has achieved code execution within an agent's container. The subsequent tactics and techniques are highly relevant to our architectures:
* **Persistence (TA0003):** An adversary may attempt to maintain their foothold across agent restarts or scaling events.
* **Technique T1543.003 (Create or Modify System Process: Windows Service)** is less likely, but **T1543 (Create or Modify System Process)** could manifest as modifying the agent's startup script or leveraging a compromised plugin to re-infect upon load.
* **Technique T1053.003 (Scheduled Task/Job: Cron)** could be used to install a cron job within the agent's container for callback or data exfiltration.
* **Discovery (TA0007) & Collection (TA0009):** The compromised agent will likely perform reconnaissance.
* **Technique T1613 (Container and Resource Discovery)** is critical: querying the Kubernetes API from within the pod to map the service mesh, identifying other agents, backend services, and data stores.
* **Technique T1552 (Unsecured Credentials):** Searching the filesystem for mounted Kubernetes service account tokens, secrets, or credentials in environment variables (a common pattern for database connections).
* **Lateral Movement (TA0008):** Within a service mesh like Istio or Linkerd, this is a primary concern.
* **Technique T1570 (Lateral Tool Transfer):** Using the compromised agent as a hop point to transfer tools or payloads to other pods.
* **Technique T1210 (Exploitation of Remote Services):** The agent may be used to exploit vulnerabilities in adjacent gRPC services, leveraging the inherent mTLS trust. The agent's identity, if overly permissive, could grant access to sensitive APIs.
* **Command and Control (TA0011):** Communication patterns are key.
* **Technique T1071 (Application Layer Protocol):** C2 traffic may blend with normal gRPC or HTTP/2 traffic to external plugin endpoints, attempting to evade simple rate-limiting or egress filters that are not application-aware.
* **Technique T1095 (Non-Application Layer Protocol)** could use raw sockets, but is more easily detected.
A practical application of this mapping is to inform our **Runtime Agent Hardening** checklist and **Service Mesh Authorization Policies**. For instance, knowing that `T1613` and `T1210` are viable post-exploitation paths, we must enforce strict Kubernetes RBAC on our agent service accounts and implement explicit `AuthorizationPolicy` rules in Istio to restrict agent-to-service communication to the minimal necessary set of gRPC methods.
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: agent-to-backend-restrict
namespace: agent-namespace
spec:
selector:
matchLabels:
app: vulnerable-backend-service
action: ALLOW
rules:
- from:
- source:
principals: ["cluster.local/ns/agent-namespace/sa/agent-service-account"]
to:
- operation:
methods: ["/com.example.BackendService/SafeMethod"]
paths: ["/com.example.BackendService/*"]
```
This approach moves us beyond simplistic "prevent initial access" models and forces us to consider the kill chain *after* a breach. Our threat models should explicitly include a post-exploitation phase annotated with likely ATT&CK techniques, which directly translates to more robust detective controls (e.g., logging agent calls to the Kubernetes API) and restrictive policies (network, identity, filesystem).
- Lei
Defense in depth for APIs.
Mapping post-exploitation is fine, but ATT&CK is a taxonomy, not a hardening guide. The real question is what you're supposed to *do* with the mapping once you have it.
Your example about modifying startup scripts (T1543) - has anyone actually published a reproducible test to see if common agent frameworks even log that activity? Most runtime security tools are blind to changes in their own orchestration layer.
So we've got a list of techniques that might apply. Great. Show me the benchmark that measures detection coverage for those techniques in an agent context, and then we can talk. Otherwise this is just an exercise in drawing lines between boxes.
Yeah, that's a really good point. I've been trying to learn ATT&CK by mapping things in my own lab, and I keep hitting that same wall: okay, I *see* the technique, but how do I actually know if my setup would catch it?
> Most runtime security tools are blind to changes in their own orchestration layer.
This hit home. I was testing something simple with a Dockerized agent and realized that unless I'm logging every single layer change or command at the host level, I'd never see a modified entrypoint script. The agent's own logs would just show it starting up normally.
So maybe the useful next step, at least for beginners like me, isn't just mapping, but trying to create those reproducible tests for common frameworks? Even if it's just a basic checklist of "does system X log event Y?" Has anyone seen a community project trying to compile something like that?
Exactly, that mapping is the crucial first step. The T1543 example with modified startup scripts hits close to home - I've seen that happen in practice when a compromised plugin wrote a backdoored wrapper into the container's ENTRYPOINT. The mapping forced me to ask what actually monitors those paths.
Without it, I'd have just been checking for weird network calls. Now I have a concrete syscall to watch for in that specific context. It's not a silver bullet, but it turns a vague "harden the runtime" into a real question: does my seccomp profile block *rename* or *renameat2* on the entrypoint binary?
stay containerized
Your focus on syscall monitoring for T1543 is precisely where this mapping becomes operational. However, the technical granularity you propose introduces a policy challenge: translating that 'renameat2' detection into an authorized/unauthorized decision at runtime.
This is why my team expresses these ATT&CK-derived controls as Rego policies. A concrete syscall event is just a telemetry signal; you need a rule to evaluate it against the agent's declared execution context. For example, a policy can state that an agent with the attribute `purpose: "code_review"` should have zero allowance for filesystem write operations to paths matching the pattern `/**/entrypoint*`. The mapping gives you the technique (T1543), and the policy-as-code dictates the exact enforcement logic for your specific deployment.
Without that policy layer, you're left with a generic alert on renameat2, which creates noise. The real question becomes: does your authorization engine evaluate process attributes against a rule that *explicitly* forbids persistence via entrypoint modification for this workload type?
policy first