S0683: Peirates
Analyst context for executives and security teams
Peirates matters because it is a publicly available post-exploitation framework focused on Kubernetes environments, especially gathering service account tokens that can enable lateral movement and privilege escalation. For leaders, the practical issue is not the tool name itself, but whether container, cloud identity, and storage controls would expose or limit abuse of Kubernetes service accounts after an initial compromise.
Executive priority
Treat this as a cloud/container resilience and identity-control validation item. The ATT&CK relationships connect Peirates to token theft, cloud account abuse, container administration, container deployment, discovery, cloud storage access, and possible escape-to-host behavior. Executives should ask whether Kubernetes service accounts are least-privileged, whether token use is auditable, whether cloud storage access is attributable, and whether SOC/IR teams can reconstruct API-driven activity across clusters and cloud services.
Technical view
SOC and IR teams should validate visibility around Kubernetes and container control-plane activity rather than relying on a signature for Peirates, since ATT&CK provides no official detection text. Prioritize detection engineering around service account token access and use, Kubernetes API enumeration, container administration commands, deployment of new containers, cloud metadata API access, cloud storage enumeration/access, and unusual network service discovery from containers. ATT&CK records that TeamTNT uses this tool, and the tool uses techniques including T1528, T1550.001, T1552.007, T1609, T1610, T1611, T1613, T1046, T1530, T1552.005, T1078.004, and T1619.
Likely telemetry
- Kubernetes API server audit logs for service account use, resource enumeration, pod/deployment changes, and exec/admin actions
- Container runtime, kubelet, Docker API, and orchestration logs where available
- Cloud IAM and service account authentication/authorization logs
- Application access token issuance, use, and anomalous reuse evidence
- Cloud instance metadata API access from workloads or containers
Detection direction
- Build behavior-based detections around Kubernetes API enumeration, token access, and service account use outside expected workload patterns.
- Correlate container administration commands and new container deployments with the identity or service account that initiated them.
- Tune for false positives from legitimate cluster automation, CI/CD systems, platform operators, and monitoring tools that enumerate resources or deploy containers.
- Validate whether cloud storage discovery and access can be tied back to Kubernetes workload identities or cloud accounts.
- Look for gaps where API audit logging, metadata API access logging, container runtime telemetry, or cloud storage data-plane logging is not enabled.
Mitigation priorities
- Apply least privilege to Kubernetes service accounts and cloud accounts, especially permissions that allow token access, resource enumeration, container deployment, and cloud storage access.
- Restrict and monitor access to Kubernetes, Docker, kubelet, and other container administration APIs.
- Harden workload identity and token handling so tokens are not broadly mounted, exposed, or reusable beyond intended scope.
- Limit metadata API exposure from workloads where supported by the environment and monitor access to sensitive metadata endpoints.
- Use network policy and segmentation to reduce service discovery and lateral movement opportunities from containers.
Analyst notes and limits
This take is based on the official ATT&CK software object for Peirates, its public GitHub reference, and ATT&CK relationships to related techniques and TeamTNT. The most decision-relevant theme is identity-driven movement in Kubernetes and cloud environments after compromise.
ATT&CK provides no official detection guidance for this object, the tool’s tactics are not specified on the object, and the supplied references do not establish local exposure or active exploitation. Local architecture, logging configuration, RBAC design, cloud provider controls, and workload identity patterns are required to assess actual risk and coverage.
Peirates
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1613 | Container and Resource Discovery | Peirates can enumerate Kubernetes pods in a given namespace.CitationPeirates GitHub |
| Enterprise | T1609 | Container Administration Command | Peirates can use `kubectl` or the Kubernetes API to run commands.CitationPeirates GitHub |
| Enterprise | T1611 | Escape to Host | Peirates can gain a reverse shell on a host node by mounting the Kubernetes hostPath.CitationPeirates GitHub |
| Enterprise | T1550.001 | Application Access Token Sub-technique | Peirates can use stolen service account tokens to perform its operations. It also enables adversaries to switch between valid service accounts.CitationPeirates GitHub |
| Enterprise | T1530 | Data from Cloud Storage | Peirates can dump the contents of AWS S3 buckets. It can also retrieve service account tokens from kOps buckets in Google Cloud Storage or S3.CitationPeirates GitHub |
| Enterprise | T1046 | Network Service Discovery | Peirates can initiate a port scan against a given IP address.CitationPeirates GitHub |
| Enterprise | T1610 | Deploy Container | Peirates can deploy a pod that mounts its node’s root file system, then execute a command to create a reverse shell on the node.CitationPeirates GitHub |
| Enterprise | T1552.007 | Container API Sub-technique | Peirates can query the Kubernetes API for secrets.CitationPeirates GitHub |
| Enterprise | T1619 | Cloud Storage Object Discovery | Peirates can list AWS S3 buckets.CitationPeirates GitHub |
| Enterprise | T1552.005 | Cloud Instance Metadata API Sub-technique | Peirates can query the query AWS and GCP metadata APIs for secrets.CitationPeirates GitHub |
| Enterprise | T1528 | Steal Application Access Token | Peirates gathers Kubernetes service account tokens using a variety of techniques.CitationPeirates GitHub |
| Enterprise | T1078.004 | Cloud Accounts Sub-technique | Peirates can use stolen service account tokens to perform its operations.CitationPeirates GitHub |
Groups, software, and campaigns
G0139: TeamTNT
TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.[1][2][3][4][5][6][7][8][9]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 6f5edeb9097c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Peirates GitHub
InGuardians. (2022, January 5). Peirates GitHub. Retrieved February 8, 2022.
Open source URL -
[2]
mitre-attack S0683Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.