Techniques
Sample rules
Kubernetes User Exec into Pod
- source: elastic
- techniques:
- T1609
Description
This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets.
Detection logic
any where host.os.type == "linux" and event.dataset == "kubernetes.audit_logs" and
kubernetes.audit.verb in ("get", "create") and kubernetes.audit.objectRef.subresource == "exec" and
kubernetes.audit.stage == "ResponseComplete" and `kubernetes.audit.annotations.authorization_k8s_io/decision` == "allow"
Deprecated - Interactive Exec Command Launched Against A Running Container
- source: elastic
- techniques:
- T1059
- T1609
Description
This rule detects interactive 'exec' events launched against a container using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container. This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container's shell. A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout.
Detection logic
process where container.id : "*" and event.type == "start" and
/* use of kubectl exec to enter a container */
process.entry_leader.entry_meta.type : "container" and
/* process is the initial process run in a container */
process.entry_leader.same_as_process == true and
/* interactive process */
process.interactive == true
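To show what each of the two rules above actually matches, here is an added Python example (not Elastic's code, and not an EQL engine) that re-implements both rule conditions as predicates over ECS-shaped events and runs them over a handful of constructed sample documents. The field paths are the ones used in the rules; the sample events, the `get_path` helper and the `run_rules` function are assumptions made for this illustration. The EQL `:` operator is approximated as a case-insensitive match, and `container.id : "*"` as "the field is present and non-empty".

```python
from typing import Any, Dict, List, Tuple


def get_path(event: Dict[str, Any], path: str) -> Any:
    """Walk a dotted ECS field path through nested dicts; return None if absent."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _as_list(value: Any) -> List[Any]:
    """ECS fields such as event.type may be a scalar or an array; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches_k8s_user_exec_into_pod(event: Dict[str, Any]) -> bool:
    """'Kubernetes User Exec into Pod': an allowed get/create on a pod's exec subresource,
    taken at the ResponseComplete audit stage so only completed requests count."""
    decision = get_path(event, "kubernetes.audit.annotations.authorization_k8s_io/decision")
    return bool(
        get_path(event, "host.os.type") == "linux"
        and get_path(event, "event.dataset") == "kubernetes.audit_logs"
        and get_path(event, "kubernetes.audit.verb") in ("get", "create")
        and get_path(event, "kubernetes.audit.objectRef.subresource") == "exec"
        and get_path(event, "kubernetes.audit.stage") == "ResponseComplete"
        and decision == "allow"
    )


def matches_interactive_exec_in_container(event: Dict[str, Any]) -> bool:
    """'Interactive Exec Command Launched Against A Running Container': a process-start
    event where the entry leader is a container entry and the process is interactive."""
    container_id = get_path(event, "container.id")
    leader_type = get_path(event, "process.entry_leader.entry_meta.type")
    return bool(
        "process" in _as_list(get_path(event, "event.category"))        # `process where`
        and isinstance(container_id, str) and container_id != ""         # container.id : "*"
        and "start" in _as_list(get_path(event, "event.type"))
        and isinstance(leader_type, str) and leader_type.lower() == "container"  # `:` is case-insensitive
        and get_path(event, "process.entry_leader.same_as_process") is True
        and get_path(event, "process.interactive") is True
    )


RULES = [
    ("Kubernetes User Exec into Pod", matches_k8s_user_exec_into_pod),
    ("Interactive Exec Command Launched Against A Running Container", matches_interactive_exec_in_container),
]


def run_rules(events: List[Dict[str, Any]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event that satisfies a rule."""
    return [(i, name) for i, ev in enumerate(events) for name, fn in RULES if fn(ev)]


def _audit(verb: str, subresource: str, stage: str, decision: str) -> Dict[str, Any]:
    # Constructed Kubernetes audit-log document in the shape the first rule expects.
    return {
        "host": {"os": {"type": "linux"}},
        "event": {"dataset": "kubernetes.audit_logs"},
        "kubernetes": {"audit": {
            "verb": verb,
            "stage": stage,
            "objectRef": {"resource": "pods", "subresource": subresource, "name": "example-pod"},
            "annotations": {"authorization_k8s_io/decision": decision},
        }},
    }


def _proc(interactive: bool, same_as_process: bool) -> Dict[str, Any]:
    # Constructed endpoint process-start document in the shape the second rule expects.
    return {
        "event": {"category": ["process"], "type": ["start"]},
        "container": {"id": "c0ffee0123456789"},
        "process": {
            "interactive": interactive,
            "entry_leader": {"entry_meta": {"type": "container"}, "same_as_process": same_as_process},
        },
    }


# Constructed sample events: only index 0 and index 4 should trigger a rule.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    _audit("create", "exec", "ResponseComplete", "allow"),   # allowed exec into a pod
    _audit("create", "exec", "ResponseComplete", "forbid"),  # RBAC denied it: no alert
    _audit("get", "log", "ResponseComplete", "allow"),       # reading logs, not exec
    _audit("create", "exec", "ResponseStarted", "allow"),    # wrong audit stage
    _proc(interactive=True, same_as_process=True),           # interactive shell as entry leader
    _proc(interactive=False, same_as_process=True),          # one-shot non-interactive command
    _proc(interactive=True, same_as_process=False),          # child of the shell, not the entry
]

if __name__ == "__main__":
    for index, rule in run_rules(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

Running it prints one line per hit; the forbidden exec, the log read, the ResponseStarted record and the non-interactive or non-entry-leader processes are all left alone, which is the behaviour a tuning exercise on these rules should preserve.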