This talk aims to showcase distinct post-exploitation scenarios leveraging Kubernetes. We’ll demonstrate how attackers can stay hidden after compromising a K8s cluster. By digging into an attack scenario to show different ways attackers can use to exploit your K8s cluster. We’ll start from a compromised pod to showcase different privilege escalation methods. We’ll showcase techniques attackers can use to avoid detection with sidecar containers, leveraging a new technique called sidecar container injection, in which the attacker stays undetected by injecting their malware inside a sidecar container or even deploying a new one, compromising the victim’s cluster and staying stealth at the same time. After that, we’ll demo how to leverage audit logs and indicators of compromise together with security features to detect these scenarios and leverage runtime security tools to deploy rules to detect such attacks.