GKE Container Created with Excessive Linux Capabilities
Detects GKE pod creation with dangerous Linux capabilities that are commonly abused in container escape techniques. Standalone pods are included; controller-owned ReplicaSet, DaemonSet, and StatefulSet workloads are excluded.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/06/30"
3integration = ["gcp"]
4maturity = "production"
5updated_date = "2026/06/30"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects GKE pod creation with dangerous Linux capabilities that are commonly abused in container escape techniques.
11Standalone pods are included; controller-owned ReplicaSet, DaemonSet, and StatefulSet workloads are excluded.
12"""
13false_positives = [
14 """
15 Some platform or security images legitimately require elevated capabilities. Add image or namespace exceptions after
16 review.
17 """,
18]
19index = ["logs-gcp.audit-*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "GKE Container Created with Excessive Linux Capabilities"
23note = """## Triage and analysis
24
25### Investigating GKE Container Created with Excessive Linux Capabilities
26
27Capabilities such as SYS_ADMIN, NET_ADMIN, and BPF can enable host escape. Review `gcp.audit.request.spec.containers`
28and the creating identity.
29
30### Investigation steps
31
32- Confirm which capability was added and whether the image requires it.
33- Review `user.email`, namespace, and follow-on API activity from the same actor.
34
35### False positives
36
37- Known DaemonSet or operator images may need capabilities; exclude after validation.
38
39## Setup
40
41The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
42references = [
43 "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container",
44 "https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities",
45]
46risk_score = 47
47rule_id = "a8a48752-58f3-43a9-beb5-14b9e9f6a8b0"
48severity = "medium"
49tags = [
50 "Domain: Cloud",
51 "Domain: Kubernetes",
52 "Data Source: GCP",
53 "Data Source: Google Cloud Platform",
54 "Use Case: Threat Detection",
55 "Tactic: Privilege Escalation",
56 "Tactic: Execution",
57 "Resources: Investigation Guide",
58]
59timestamp_override = "event.ingested"
60type = "query"
61
62query = '''
63data_stream.dataset:gcp.audit and event.action:"io.k8s.core.v1.pods.create" and event.outcome:success and
64gcp.audit.request.spec.containers.securityContext.capabilities.add:(
65 "BPF" or "DAC_READ_SEARCH" or "NET_ADMIN" or "SYS_ADMIN" or "SYS_BOOT" or "SYS_MODULE" or "SYS_PTRACE" or "SYS_RAWIO" or
66 "SYSLOG"
67) and not gcp.audit.request.metadata.ownerReferences.kind:("ReplicaSet" or "DaemonSet" or "StatefulSet")
68'''
69
70[[rule.threat]]
71framework = "MITRE ATT&CK"
72
73[[rule.threat.technique]]
74id = "T1611"
75name = "Escape to Host"
76reference = "https://attack.mitre.org/techniques/T1611/"
77
78[rule.threat.tactic]
79id = "TA0004"
80name = "Privilege Escalation"
81reference = "https://attack.mitre.org/tactics/TA0004/"
82
83[[rule.threat]]
84framework = "MITRE ATT&CK"
85
86[[rule.threat.technique]]
87id = "T1610"
88name = "Deploy Container"
89reference = "https://attack.mitre.org/techniques/T1610/"
90
91[rule.threat.tactic]
92id = "TA0002"
93name = "Execution"
94reference = "https://attack.mitre.org/tactics/TA0002/"
Triage and analysis
Investigating GKE Container Created with Excessive Linux Capabilities
Capabilities such as SYS_ADMIN, NET_ADMIN, and BPF can enable host escape. Review gcp.audit.request.spec.containers
and the creating identity.
Investigation steps
- Confirm which capability was added and whether the image requires it.
- Review
user.email, namespace, and follow-on API activity from the same actor.
False positives
- Known DaemonSet or operator images may need capabilities; exclude after validation.
Setup
The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.
References
Related rules
- GKE Pod Created With HostIPC
- GKE Pod Created With HostNetwork
- GKE Pod Created With HostPID
- GKE Pod Created with a Sensitive hostPath Volume
- GKE Privileged Pod Created