Techniques
Sample rules
Interactive Exec Command Launched Against A Running Container
- source: elastic
- techniques:
- T1059
- T1609
Description
This rule detects interactive 'exec' events launched against a container using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container. This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container's shell. A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout.
Detection logic
process where container.id : "*" and event.type == "start" and
/* use of kubectl exec to enter a container */
process.entry_leader.entry_meta.type : "container" and
/* process is the initial process run in a container */
process.entry_leader.same_as_process == true and
/* interactive process */
process.interactive == true
Kubernetes User Exec into Pod
- source: elastic
- techniques:
- T1609
Description
This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets.
Detection logic
event.dataset : "kubernetes.audit_logs"
and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
and kubernetes.audit.verb:"create"
and kubernetes.audit.objectRef.resource:"pods"
and kubernetes.audit.objectRef.subresource:"exec"
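Both rules above, written out as plain predicates and run over constructed sample events so the match and non-match cases can be checked side by side. This is an added example, not Elastic's code: the nested-dict event shape, the field() helper and the sample values are assumptions, mirroring the ECS field names the two queries reference.

```python
def field(doc, path, default=None):
    """Resolve a dotted ECS field path against a nested event dict."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur

def is_interactive_container_exec(ev):
    """Rule 1: interactive entry process that was started via a container."""
    return (
        bool(field(ev, "container.id"))  # container.id : "*" (field present)
        and field(ev, "event.type") == "start"
        and field(ev, "process.entry_leader.entry_meta.type") == "container"
        and field(ev, "process.entry_leader.same_as_process") is True
        and field(ev, "process.interactive") is True
    )

def is_k8s_pod_exec(ev):
    """Rule 2: allowed 'create' on the pods/exec subresource in audit logs."""
    return (
        field(ev, "event.dataset") == "kubernetes.audit_logs"
        and field(ev, "kubernetes.audit.annotations.authorization_k8s_io/decision") == "allow"
        and field(ev, "kubernetes.audit.verb") == "create"
        and field(ev, "kubernetes.audit.objectRef.resource") == "pods"
        and field(ev, "kubernetes.audit.objectRef.subresource") == "exec"
    )

# Constructed sample events in ECS-style nested form (not real telemetry).
SAMPLE_EVENTS = [
    # 0: interactive shell whose entry leader came in through the container -> rule 1
    {"container": {"id": "c0ffee"}, "event": {"type": "start"}, "process": {"interactive": True,
     "entry_leader": {"entry_meta": {"type": "container"}, "same_as_process": True}}},
    # 1: same entry path but non-interactive (e.g. a health probe) -> no match
    {"container": {"id": "c0ffee"}, "event": {"type": "start"}, "process": {"interactive": False,
     "entry_leader": {"entry_meta": {"type": "container"}, "same_as_process": True}}},
    # 2: API server audit record for an allowed pods/exec create -> rule 2
    {"event": {"dataset": "kubernetes.audit_logs"}, "kubernetes": {"audit": {"verb": "create",
     "annotations": {"authorization_k8s_io/decision": "allow"}, "objectRef": {"resource": "pods", "subresource": "exec"}}}},
    # 3: same request but denied by RBAC -> no match
    {"event": {"dataset": "kubernetes.audit_logs"}, "kubernetes": {"audit": {"verb": "create",
     "annotations": {"authorization_k8s_io/decision": "forbid"}, "objectRef": {"resource": "pods", "subresource": "exec"}}}},
]
RULES = {"Interactive Exec Command Launched Against A Running Container": is_interactive_container_exec,
         "Kubernetes User Exec into Pod": is_k8s_pod_exec}

def matching_rules(events):
    """Return (event_index, rule_name) for every event that trips a rule."""
    return [(i, name) for i, ev in enumerate(events) for name, check in RULES.items() if check(ev)]
```

Running matching_rules(SAMPLE_EVENTS) flags only events 0 and 2; the non-interactive start and the RBAC-denied exec request fall through, which is the behaviour each query encodes.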