LoFP / security testing, approved red team exercises, or sanctioned diagnostics can trigger this analytic. coordinate allowlists and maintenance windows with platform/secops teams. please update a macro named `linux_offsec_tool_processes` that contains the list of known offensive tooling found on linux systems if your environment has additional known offensive tools that are not included in the macro.

Techniques

• T1204.003

Sample rules

Cisco Isovalent - Pods Running Offensive Tools

• source: splunk
• technicques:
  • T1204.003

Description

The following analytic detects execution of known offensive tooling from within Kubernetes pods, including network scanners and post-exploitation frameworks (e.g., nmap, masscan, zmap, impacket-*, hashcat, john, SharpHound, kube-hunter, peirates). We have created a macro named linux_offsec_tool_processes that contains the list of known offensive tooling found on linux systems. Adversaries commonly introduce these tools into compromised workloads to conduct discovery, lateral movement, credential access, or cluster reconnaissance. This behavior may indicate a compromised container or supply-chain abuse. Extra scrutiny is warranted for namespaces that do not typically run diagnostic scanners and for pods that suddenly begin invoking these binaries outside of normal maintenance activity.

Detection logic

`cisco_isovalent_process_exec`  `linux_offsec_tool_processes`

| stats count 
        min(_time) as firstTime 
        max(_time) as lastTime 
        values(process) as process
    by cluster_name container_id pod_name pod_namespace pod_image_name parent_process_name process_name process_exec process_id node_name

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `cisco_isovalent___pods_running_offensive_tools_filter`