Cluster operators or SREs may legitimately use ephemeral containers for debugging production workloads. Baseline approved admin identities and tune exclusions for known automation.

Techniques

Sample rules

Kubernetes Ephemeral Container Added to Pod

Description

Detects allowed updates to the pods/ephemeralcontainers subresource by a non-system identity. Ephemeral containers are commonly used for debugging (kubectl debug) but can also be abused to inject tooling into a running pod, access mounted secrets, and execute commands in the target pod context. Attackers with sufficient RBAC may use ephemeral containers to escalate privileges, move laterally, or establish persistence without deploying a new workload.

Detection logic

data_stream.dataset:"kubernetes.audit_logs" and 
kubernetes.audit.objectRef.resource:"pods" and
kubernetes.audit.objectRef.subresource:"ephemeralcontainers" and
kubernetes.audit.verb:("update" or "patch") and
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
not user.name:(
  system\:node\:* or
  system\:serviceaccount\:kube-system\:*
)