LoFP / Legitimate debugging activity. Investigate the identity performing the requests and their authorization.

Techniques

Sample rules

Potential Remote Command Execution In Pod Container

Description

Detects attempts to execute remote commands within a Pod's container, e.g. via the “kubectl exec” command, as recorded in the Kubernetes API server audit log (a POST to the pods/exec subresource appears there as verb "create").

Detection logic

condition: selection
selection:
  objectRef.resource: pods
  objectRef.subresource: exec
  verb: create
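To see what this selection matches and what a triage analyst gets to work with, here is an added example (not code from LoFP or from the Sigma rule's authors) that applies the three field conditions above to a handful of constructed Kubernetes audit events in JSON-lines form. The events follow the audit.k8s.io/v1 Event layout, but every auditID, user, pod, IP and URI is made up. It also shows two things the bare rule does not: a single exec session produces a ResponseStarted and a ResponseComplete event with the same auditID, so the hits are deduplicated, and the requestURI query string carries the container and the command that was run, which is exactly what you need to judge whether the identity was doing legitimate debugging.

```python
"""Run the pods/exec Sigma selection over constructed Kubernetes audit events."""
import json
from urllib.parse import parse_qs, urlsplit

# The Sigma selection from the rule, as dotted field path -> required value.
SELECTION = {
    "objectRef.resource": "pods",
    "objectRef.subresource": "exec",
    "verb": "create",
}

# Constructed sample audit events (JSON lines). Not real cluster output; the
# shape mirrors audit.k8s.io/v1 but all identifiers and values are invented.
SAMPLE_AUDIT_LOG = """\
{"auditID":"a1","stage":"ResponseStarted","verb":"create","user":{"username":"jane@example.com","groups":["dev","system:authenticated"]},"sourceIPs":["10.20.0.5"],"userAgent":"kubectl/v1.29.0 (linux/amd64)","requestURI":"/api/v1/namespaces/payments/pods/api-7c9d/exec?command=sh&command=-c&command=id&container=api&stdin=true&stdout=true&tty=true","objectRef":{"resource":"pods","namespace":"payments","name":"api-7c9d","subresource":"exec"},"responseStatus":{"code":101}}
{"auditID":"a1","stage":"ResponseComplete","verb":"create","user":{"username":"jane@example.com","groups":["dev","system:authenticated"]},"sourceIPs":["10.20.0.5"],"userAgent":"kubectl/v1.29.0 (linux/amd64)","requestURI":"/api/v1/namespaces/payments/pods/api-7c9d/exec?command=sh&command=-c&command=id&container=api&stdin=true&stdout=true&tty=true","objectRef":{"resource":"pods","namespace":"payments","name":"api-7c9d","subresource":"exec"},"responseStatus":{"code":101}}
{"auditID":"a2","stage":"ResponseComplete","verb":"get","user":{"username":"jane@example.com","groups":["dev","system:authenticated"]},"sourceIPs":["10.20.0.5"],"userAgent":"kubectl/v1.29.0 (linux/amd64)","requestURI":"/api/v1/namespaces/payments/pods/api-7c9d/log?container=api","objectRef":{"resource":"pods","namespace":"payments","name":"api-7c9d","subresource":"log"},"responseStatus":{"code":200}}
{"auditID":"a3","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.0.1"],"userAgent":"kube-controller-manager/v1.29.0","requestURI":"/api/v1/namespaces/payments/pods","objectRef":{"resource":"pods","namespace":"payments","name":"api-7c9d"},"responseStatus":{"code":201}}
{"auditID":"a4","stage":"ResponseStarted","verb":"create","user":{"username":"jane@example.com","groups":["dev","system:authenticated"]},"sourceIPs":["10.20.0.5"],"userAgent":"kubectl/v1.29.0 (linux/amd64)","requestURI":"/api/v1/namespaces/payments/pods/api-7c9d/portforward","objectRef":{"resource":"pods","namespace":"payments","name":"api-7c9d","subresource":"portforward"},"responseStatus":{"code":101}}
{"auditID":"a5","stage":"ResponseStarted","verb":"create","user":{"username":"system:serviceaccount:ci:runner","groups":["system:serviceaccounts","system:serviceaccounts:ci"]},"sourceIPs":["10.30.1.9"],"userAgent":"python-requests/2.31","requestURI":"/api/v1/namespaces/payments/pods/api-7c9d/exec?command=cat&command=/var/run/secrets/kubernetes.io/serviceaccount/token&container=api&stdout=true","objectRef":{"resource":"pods","namespace":"payments","name":"api-7c9d","subresource":"exec"},"responseStatus":{"code":101}}
"""


def get_field(event, dotted):
    """Resolve a Sigma-style dotted path ("objectRef.subresource") in a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(event):
    """True when every field in SELECTION equals its required value (Sigma AND semantics)."""
    return all(get_field(event, path) == value for path, value in SELECTION.items())


def exec_details(event):
    """Extract what an analyst needs to decide whether this exec was legitimate debugging."""
    query = parse_qs(urlsplit(event.get("requestURI", "")).query)
    return {
        "auditID": event.get("auditID"),
        "user": get_field(event, "user.username"),
        "groups": get_field(event, "user.groups") or [],
        "sourceIPs": event.get("sourceIPs", []),
        "userAgent": event.get("userAgent"),
        "namespace": get_field(event, "objectRef.namespace"),
        "pod": get_field(event, "objectRef.name"),
        "container": query.get("container", [None])[0],
        # kubectl repeats the command= parameter once per argv element.
        "command": query.get("command", []),
    }


def run_rule(audit_log_lines):
    """Apply the rule to JSON-lines audit events and return one triage record per exec session."""
    seen = set()
    hits = []
    for line in audit_log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if not matches(event):
            continue
        # exec is a long-running request, so the API server logs a ResponseStarted
        # and a ResponseComplete event with the same auditID; alert only once.
        audit_id = event.get("auditID")
        if audit_id in seen:
            continue
        seen.add(audit_id)
        hits.append(exec_details(event))
    return hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_AUDIT_LOG.splitlines()):
        print(json.dumps(hit))
```

Run against the constructed log this yields two records: jane@example.com running `sh -c id` from kubectl, which a developer group membership and an interactive user agent make plausible as debugging, and a CI service account reading the pod's service-account token from a non-kubectl client, which the same rule flags but which the identity, user agent and command make much harder to excuse. The pods/log read, the controller's pod creation and the portforward upgrade are correctly ignored because they fail one of the three conditions.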