Techniques
Sample rules
Kubernetes User Exec into Pod
- source: elastic
- techniques:
- T1609
Description
This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets.
Detection logic
any where event.dataset == "kubernetes.audit_logs" and
kubernetes.audit.verb in ("get", "create") and kubernetes.audit.objectRef.subresource == "exec" and
kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted") and `kubernetes.audit.annotations.authorization_k8s_io/decision` == "allow"
and kubernetes.audit.level == "Request"
Interactive Exec Into Container Detected via Defend for Containers
- source: elastic
- techniques:
- T1059
- T1609
Description
This rule detects interactive 'exec' events launched against a container using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container. This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container's shell. A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout.
Detection logic
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
process.entry_leader.entry_meta.type == "container" and
/* process is the initial process run in a container */
process.entry_leader.same_as_process == true and
/* interactive process */
process.interactive == true and container.id like "*"
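The following is an added example, not Elastic's code or part of either rule. It re-expresses both queries above (the audit-log rule "Kubernetes User Exec into Pod" and the process rule "Interactive Exec Into Container Detected via Defend for Containers") as Python predicates and runs them over constructed events, so the one document each rule is meant to fire on can be seen next to the near-misses it excludes (an RBAC-denied exec, a log read, a non-interactive shell, a shell on the host). The events are made up; their flattened dotted field names mirror the names used in the rules, and the helper functions, usernames, pod name and container id are assumptions for the example only.

```python
"""Added example: the two rule queries re-expressed as Python predicates
and evaluated over constructed audit / process events (not Elastic's code)."""

# --- Rule 1: Kubernetes User Exec into Pod -----------------------------------
EXEC_VERBS = {"get", "create"}                      # kubernetes.audit.verb in (...)
RESPONSE_STAGES = {"ResponseComplete", "ResponseStarted"}
DECISION = "kubernetes.audit.annotations.authorization_k8s_io/decision"


def audit_doc(**overrides):
    """Constructed audit document; the defaults describe an RBAC-allowed pod exec."""
    base = {
        "event.dataset": "kubernetes.audit_logs",
        "kubernetes.audit.verb": "create",
        "kubernetes.audit.objectRef.name": "web-7d9f",       # made-up pod name
        "kubernetes.audit.objectRef.subresource": "exec",
        "kubernetes.audit.stage": "ResponseStarted",
        "kubernetes.audit.level": "Request",
        DECISION: "allow",
        "kubernetes.audit.user.username": "dev-alice",       # made-up user
    }
    return {**base, **overrides}


K8S_AUDIT_EVENTS = [
    audit_doc(),                                                        # allowed exec: fires
    audit_doc(**{DECISION: "forbid",
                 "kubernetes.audit.user.username": "contractor-bob"}),  # denied by RBAC: quiet
    audit_doc(**{"kubernetes.audit.verb": "get",
                 "kubernetes.audit.objectRef.subresource": "log"}),     # log read, not exec
    audit_doc(**{"kubernetes.audit.stage": "RequestReceived"}),         # pre-response stage
    audit_doc(**{"kubernetes.audit.level": "Metadata"}),                # wrong audit level
]


def matches_exec_into_pod(doc):
    """True when a document satisfies every clause of the audit-log rule."""
    return (
        doc.get("event.dataset") == "kubernetes.audit_logs"
        and doc.get("kubernetes.audit.verb") in EXEC_VERBS
        and doc.get("kubernetes.audit.objectRef.subresource") == "exec"
        and doc.get("kubernetes.audit.stage") in RESPONSE_STAGES
        and doc.get(DECISION) == "allow"
        and doc.get("kubernetes.audit.level") == "Request"
    )


def exec_into_pod_alerts(docs):
    """(username, pod) for every document the audit-log rule fires on."""
    return [(d["kubernetes.audit.user.username"], d["kubernetes.audit.objectRef.name"])
            for d in docs if matches_exec_into_pod(d)]


# --- Rule 2: Interactive Exec Into Container ---------------------------------
INTERACTIVE_SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox"}


def proc_event(**overrides):
    """Constructed process event; defaults describe `exec -it ... bash` into a container."""
    base = {
        "host.os.type": "linux", "event.type": "start", "event.action": "exec",
        "process.name": "bash", "process.interactive": True,
        "process.entry_leader.entry_meta.type": "container",
        "process.entry_leader.same_as_process": True,
        "container.id": "c0ffee0001",                        # made-up container id
    }
    return {**base, **overrides}


PROCESS_EVENTS = [
    proc_event(),                                                        # interactive shell: fires
    proc_event(**{"process.interactive": False}),                        # `sh -c` hook, no terminal
    proc_event(**{"process.entry_leader.entry_meta.type": "sshd",
                  "container.id": ""}),                                  # shell on the host
    proc_event(**{"process.name": "python3"}),                           # REPL, not a listed shell
    proc_event(**{"process.entry_leader.same_as_process": False}),      # child of the entry leader
]


def matches_interactive_container_shell(ev):
    """True when a process event satisfies every clause of the process rule."""
    return (
        ev.get("host.os.type") == "linux"
        and ev.get("event.type") == "start"
        and ev.get("event.action") == "exec"
        and ev.get("process.name") in INTERACTIVE_SHELLS
        and ev.get("process.entry_leader.entry_meta.type") == "container"
        and ev.get("process.entry_leader.same_as_process") is True
        and ev.get("process.interactive") is True
        and bool(ev.get("container.id"))     # `container.id like "*"`: present and non-empty
    )


def container_shell_alerts(events):
    """'shell@container' for every event the process rule fires on."""
    return [f'{e["process.name"]}@{e["container.id"]}'
            for e in events if matches_interactive_container_shell(e)]


if __name__ == "__main__":
    for user, pod in exec_into_pod_alerts(K8S_AUDIT_EVENTS):
        print(f"ALERT (audit): exec into pod {pod} by {user}")
    for hit in container_shell_alerts(PROCESS_EVENTS):
        print(f"ALERT (process): interactive {hit}")
```

Run stand-alone, the script reports exactly one alert per rule. The two rules are complementary: the audit-log rule sees the API request and who made it, while the process rule sees the shell actually start inside the container and stays quiet for non-interactive or host-side shells, so an environment that ships both signals can pair the API caller with the resulting container process.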