LoFP / this activity may be triggered by legitimate administrative scripts, container images, or third-party operators that use cron for scheduled tasks, so investigate the alert in context to rule out benign operations.

Techniques

Sample rules

Cisco Isovalent - Shell Execution

Description

The following analytic detects the execution of a shell inside a container namespace within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for the execution of a shell interpreter (sh, bash, zsh and the other shells listed in the search below) inside a container namespace. This behavior is significant for a SOC because it can indicate that an attacker has obtained shell access to the container, which is a common first step toward further compromise of the Kubernetes cluster. If confirmed malicious, this activity could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks, severely compromising the cluster's security and integrity.

Detection logic

`cisco_isovalent_process_exec` process_name IN ("sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh", "tcsh", "ion", "eshell")
| stats count by cluster_name parent_process_name process_name process_exec process_id node_name
| `cisco_isovalent___shell_execution_filter`

Cisco Isovalent - Curl Execution With Insecure Flags

Description

The following analytic detects the execution of curl commands with insecure flags within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for curl command lines that use the -k or --insecure flag (the regex also matches --proxy-insecure and --doh-insecure, and any single-dash flag cluster that contains a k, such as -sSLk). This behavior is significant for a SOC because these flags disable TLS certificate verification, which exposes the connection, and potentially the Kubernetes infrastructure behind it, to man-in-the-middle attacks. If confirmed malicious, this activity could lead to data interception, service disruptions, or unauthorized access to sensitive information.

Detection logic

`cisco_isovalent_process_exec` process_name="curl"
| regex process="(?i)(?<!\w)-(?:[a-z]*k[a-z]*|-(insecure|proxy-insecure|doh-insecure))"
| stats count min(_time) as firstTime max(_time) as lastTime values(process) as process
    by cluster_name pod_name parent_process_name process_name process_exec process_id node_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___curl_execution_with_insecure_flags_filter`
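To see exactly what the regex above accepts and rejects, the following added example (not part of the original page or of the Cisco Isovalent content) applies the same pattern, joined onto one line, to a handful of constructed curl command lines. The events and pod names are invented, and the field names (process_name, process, pod_name) follow the rule's stats clause. Note that the short-flag branch matches any letters-only token containing a k after a dash that is not preceded by a word character, so it also fires on long options whose name contains a k, such as --cookie; the last sample shows that.

```python
import re

# The rule's regex, reconstructed onto a single line (Splunk PCRE and Python re
# agree on every construct used here: inline flag, lookbehind, alternation).
CURL_INSECURE_RE = re.compile(
    r"(?i)(?<!\w)-(?:[a-z]*k[a-z]*|-(insecure|proxy-insecure|doh-insecure))"
)


def matches_insecure_curl(process_name: str, process: str) -> bool:
    """Mirror the SPL: process_name must be curl AND the command line must hit the regex."""
    return process_name == "curl" and CURL_INSECURE_RE.search(process) is not None


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"pod_name": "api-7c9", "process_name": "curl",
     "process": "curl -k https://10.0.0.5/healthz"},                     # plain -k
    {"pod_name": "api-7c9", "process_name": "curl",
     "process": "curl -sSLk https://10.0.0.5/token"},                    # k inside a flag cluster
    {"pod_name": "batch-1", "process_name": "curl",
     "process": "curl --insecure https://example.internal/"},            # long form
    {"pod_name": "batch-1", "process_name": "curl",
     "process": "curl --doh-insecure --doh-url https://dns.internal/dns-query https://example.internal/"},
    {"pod_name": "web-0", "process_name": "curl",
     "process": "curl https://example.internal/"},                       # benign, no flags
    {"pod_name": "web-0", "process_name": "curl",
     "process": "curl -s -o /dev/null https://example.internal/"},       # benign flags, no k
    {"pod_name": "web-0", "process_name": "curl",
     "process": "curl --cookie sid=abc https://example.internal/"},      # benign, but 'cookie' contains k
    {"pod_name": "web-0", "process_name": "wget",
     "process": "wget --no-check-certificate https://example.internal/"},  # not curl: outside the rule's scope
]


def run_rule(events):
    """Group matching command lines by pod, like `stats values(process) by pod_name`."""
    hits = {}
    for ev in events:
        if matches_insecure_curl(ev["process_name"], ev["process"]):
            hits.setdefault(ev["pod_name"], []).append(ev["process"])
    return hits


if __name__ == "__main__":
    for pod, cmds in run_rule(SAMPLE_EVENTS).items():
        for cmd in cmds:
            print(f"{pod}: {cmd}")
```

The web-0 hit on --cookie is a false positive of the pattern itself rather than of the environment; if that is noisy, tighten the short-flag branch so that it only applies when the dash is followed directly by letters and not by a second dash.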

Cisco Isovalent - Late Process Execution

Description

Detects process executions that occur well after a container has initialized, which can indicate suspicious activity (e.g., interactive shells, injected binaries, or post-compromise tooling). The analytic compares the process start time to the container start time and flags processes launched more than 5 minutes (300 seconds) after initialization. As written, the search only considers processes named sh; widen the process_name filter to cover other shells or binaries of interest. Note also that the process start time is parsed with millisecond precision (%3Q) and the container start time with nanosecond precision (%9Q), so adjust the formats if your events carry timestamps in a different resolution.

Detection logic

`cisco_isovalent_process_exec` process_name="sh"
| rename process_exec.process.start_time as ProcessStartTime
| rename process_exec.process.pod.container.start_time as ContainerStartTime
| eval ProcessStartTime=strptime(ProcessStartTime, "%Y-%m-%dT%H:%M:%S.%3Q")
| eval ContainerStartTime=strptime(ContainerStartTime, "%Y-%m-%dT%H:%M:%S.%9Q")
| eval ContainerTime5min=relative_time(ContainerStartTime, "+5m")
| where ProcessStartTime > ContainerTime5min
| table node_name cluster_name pod_name container_id process_name process_exec process ProcessStartTime ContainerTime5min
| `security_content_ctime(ProcessStartTime)`
| `security_content_ctime(ContainerTime5min)`
| `cisco_isovalent___late_process_execution_filter`
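The following added example (not part of the original page or of the Cisco Isovalent content) reproduces the timing logic of this rule in Python over constructed events: it normalizes the millisecond and nanosecond timestamp forms the two strptime calls expect, applies the strict "more than 5 minutes after container start" comparison, and lets you widen the process_name filter to see which late executions the rule as written (sh only) leaves out. The pod names, timestamps and field names are invented; the timestamps are assumed to be UTC with a trailing Z, which the parser strips.

```python
from datetime import datetime, timedelta, timezone

# The rule's threshold: relative_time(ContainerStartTime, "+5m").
LATE_THRESHOLD = timedelta(minutes=5)


def parse_rfc3339(ts: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM:SS.<fraction>[Z]' with any fraction length.

    The rule uses %3Q (milliseconds) for process start and %9Q (nanoseconds) for
    container start. Python datetimes only hold microseconds, so longer fractions
    are truncated; that is harmless for a 5-minute threshold.
    """
    if ts.endswith("Z"):
        ts = ts[:-1]
    base, _, frac = ts.partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    micros = int((frac + "000000")[:6]) if frac else 0
    return dt.replace(microsecond=micros, tzinfo=timezone.utc)


def seconds_after_container_start(process_start: str, container_start: str) -> float:
    return (parse_rfc3339(process_start) - parse_rfc3339(container_start)).total_seconds()


def is_late(process_start: str, container_start: str, threshold: timedelta = LATE_THRESHOLD) -> bool:
    """Mirror of `where ProcessStartTime > ContainerTime5min` (strictly greater)."""
    return parse_rfc3339(process_start) > parse_rfc3339(container_start) + threshold


# Constructed sample events (not real telemetry). All containers started at 10:00:00 UTC.
CONTAINER_START = "2024-05-01T10:00:00.000000000Z"
SAMPLE_EVENTS = [
    {"pod_name": "web-0",   "process_name": "sh",      "process_start_time": "2024-05-01T10:00:03.250Z",  # entrypoint shell
     "container_start_time": CONTAINER_START},
    {"pod_name": "web-0",   "process_name": "sh",      "process_start_time": "2024-05-01T10:07:15.100Z",  # shell 435 s later
     "container_start_time": CONTAINER_START},
    {"pod_name": "web-0",   "process_name": "sh",      "process_start_time": "2024-05-01T10:05:00.000Z",  # exactly at threshold
     "container_start_time": CONTAINER_START},
    {"pod_name": "api-7c9", "process_name": "bash",    "process_start_time": "2024-05-01T11:12:00.000Z",  # late, but not 'sh'
     "container_start_time": CONTAINER_START},
    {"pod_name": "batch-1", "process_name": "python3", "process_start_time": "2024-05-01T10:00:01.000Z",  # normal workload
     "container_start_time": CONTAINER_START},
]


def run_rule(events, watched=("sh",), threshold: timedelta = LATE_THRESHOLD):
    """Apply the rule's process_name filter and time comparison.

    `watched` defaults to the page's process_name="sh"; pass ("sh", "bash", ...) to
    see what a wider filter would additionally surface.
    """
    hits = []
    for ev in events:
        if ev["process_name"] not in watched:
            continue
        if is_late(ev["process_start_time"], ev["container_start_time"], threshold):
            delay = seconds_after_container_start(ev["process_start_time"], ev["container_start_time"])
            hits.append((ev["pod_name"], ev["process_name"], round(delay)))
    return hits


if __name__ == "__main__":
    print("rule as written:", run_rule(SAMPLE_EVENTS))
    print("sh+bash:        ", run_rule(SAMPLE_EVENTS, watched=("sh", "bash")))
```

The event at exactly 300 seconds is not reported because the rule's comparison is strict; if you want the boundary included, change the where clause to >=.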

Cisco Isovalent - Cron Job Creation

Description

The following analytic detects cron activity inside a pod within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for the cron binaries (crontab, cron, crond) running in a container, which is how a cron job would be created or scheduled from inside the container; most application containers have no reason to run cron at all. This behavior is significant for a SOC because it could allow an attacker to execute malicious tasks repeatedly and automatically, posing a persistent threat to the Kubernetes infrastructure. If confirmed malicious, this activity could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information.

Detection logic

`cisco_isovalent_process_exec` process_name IN ("crond","cron","crontab")
| search pod_name!=""
| stats count min(_time) as firstTime max(_time) as lastTime values(process) as process
    by cluster_name pod_name parent_process_name process_name process_exec process_id node_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___cron_job_creation_filter`