
Linux & Cloud Detection Engineering - TeamPCP Container Attack Scenario

ID: 9835424e-3db8-505e-aadb-bcddf57c19f0

STIX ID: report--9835424e-3db8-505e-aadb-bcddf57c19f0

Feed Name: Elastic Security Labs

Threat Score: 75/100

Date Published: 2026-03-20

Date Updated: 2026-04-27

...
...

This report analyzes a TeamPCP cloud-native intrusion scenario, tracing an end-to-end container compromise: initial download-and-pipe execution, Kubernetes discovery and API abuse, lateral movement via a kube.py script, attempts at persistence (systemd), runtime tooling installation, tunneling/proxy establishment, base64-encoded payload reconstruction, miner deployment for monetization, and escalation to node-level control via privileged DaemonSets; the analysis maps these behaviors to detection rules and the MITRE ATT&CK framework to demonstrate detection engineering for container and control-plane telemetry.
