GKE Container Created with Excessive Linux Capabilities

Detects GKE pod creation with dangerous Linux capabilities that are commonly abused in container escape techniques. Standalone pods are included; controller-owned ReplicaSet, DaemonSet, and StatefulSet workloads are excluded.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2026/06/30"
 3integration = ["gcp"]
 4maturity = "production"
 5updated_date = "2026/06/30"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects GKE pod creation with dangerous Linux capabilities that are commonly abused in container escape techniques.
11Standalone pods are included; controller-owned ReplicaSet, DaemonSet, and StatefulSet workloads are excluded.
12"""
13false_positives = [
14    """
15    Some platform or security images legitimately require elevated capabilities. Add image or namespace exceptions after
16    review.
17    """,
18]
19index = ["logs-gcp.audit-*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "GKE Container Created with Excessive Linux Capabilities"
23note = """## Triage and analysis
24
25### Investigating GKE Container Created with Excessive Linux Capabilities
26
27Capabilities such as SYS_ADMIN, NET_ADMIN, and BPF can enable host escape. Review `gcp.audit.request.spec.containers`
28and the creating identity.
29
30### Investigation steps
31
32- Confirm which capability was added and whether the image requires it.
33- Review `user.email`, namespace, and follow-on API activity from the same actor.
34
35### False positives
36
37- Known DaemonSet or operator images may need capabilities; exclude after validation.
38
39## Setup
40
41The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
42references = [
43    "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container",
44    "https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities",
45]
46risk_score = 47
47rule_id = "a8a48752-58f3-43a9-beb5-14b9e9f6a8b0"
48severity = "medium"
49tags = [
50    "Domain: Cloud",
51    "Domain: Kubernetes",
52    "Data Source: GCP",
53    "Data Source: Google Cloud Platform",
54    "Use Case: Threat Detection",
55    "Tactic: Privilege Escalation",
56    "Tactic: Execution",
57    "Resources: Investigation Guide",
58]
59timestamp_override = "event.ingested"
60type = "query"
61
62query = '''
63data_stream.dataset:gcp.audit and event.action:"io.k8s.core.v1.pods.create" and event.outcome:success and
64gcp.audit.request.spec.containers.securityContext.capabilities.add:(
65  "BPF" or "DAC_READ_SEARCH" or "NET_ADMIN" or "SYS_ADMIN" or "SYS_BOOT" or "SYS_MODULE" or "SYS_PTRACE" or "SYS_RAWIO" or
66  "SYSLOG"
67) and not gcp.audit.request.metadata.ownerReferences.kind:("ReplicaSet" or "DaemonSet" or "StatefulSet")
68'''
69
70[[rule.threat]]
71framework = "MITRE ATT&CK"
72
73[[rule.threat.technique]]
74id = "T1611"
75name = "Escape to Host"
76reference = "https://attack.mitre.org/techniques/T1611/"
77
78[rule.threat.tactic]
79id = "TA0004"
80name = "Privilege Escalation"
81reference = "https://attack.mitre.org/tactics/TA0004/"
82
83[[rule.threat]]
84framework = "MITRE ATT&CK"
85
86[[rule.threat.technique]]
87id = "T1610"
88name = "Deploy Container"
89reference = "https://attack.mitre.org/techniques/T1610/"
90
91[rule.threat.tactic]
92id = "TA0002"
93name = "Execution"
94reference = "https://attack.mitre.org/tactics/TA0002/"

Triage and analysis

Investigating GKE Container Created with Excessive Linux Capabilities

Capabilities such as SYS_ADMIN, NET_ADMIN, and BPF can enable host escape. Review gcp.audit.request.spec.containers and the creating identity.

Investigation steps

  • Confirm which capability was added and whether the image requires it.
  • Review user.email, namespace, and follow-on API activity from the same actor.

False positives

  • Known DaemonSet or operator images may need capabilities; exclude after validation.

Setup

The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.

References

Related rules

to-top