Kubernetes User Exec into Pod

This rule detects a user attempting to open a shell session in a pod through the 'exec' subresource. An 'exec' into a pod lets the caller run any process or command inside a container, including an interactive shell such as bash or sh, which gives access to everything the pod can reach: mounted secrets and volumes, and the pod's service account token.

Elastic rule (source: the Elastic detection-rules repository on GitHub)

[metadata]
creation_date = "2022/05/17"
integration = ["kubernetes"]
maturity = "production"
min_stack_comments = "New fields added to Kubernetes Integration"
min_stack_version = "8.4.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec'
command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An
adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has
permissions to, including secrets.
"""
false_positives = [
    """
    An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from
    Linux and Windows OS images tend to include debugging utilities. In this case, an admin may choose to run commands
    inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ...
    ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec
    cassandra -- cat /var/log/cassandra/system.log. Additionally, the -i and -t arguments might be used to run a shell
    connected to the terminal: kubectl exec -i -t cassandra -- sh
    """,
]
index = ["logs-kubernetes.*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes User Exec into Pod"
note = """## Setup

The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
references = [
    "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/",
    "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/",
]
risk_score = 47
rule_id = "14de811c-d60f-11ec-9fd7-f661ea17fbce"
severity = "medium"
tags = ["Data Source: Kubernetes", "Tactic: Execution"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset : "kubernetes.audit_logs"
  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
  and kubernetes.audit.verb:"create"
  and kubernetes.audit.objectRef.resource:"pods"
  and kubernetes.audit.objectRef.subresource:"exec"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
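
The same four predicates as the KQL query above, applied to raw kube-apiserver audit events, as an added example that is not Elastic's rule code and not part of this page. It goes one step beyond the rule: because kubectl encodes the command and the -i/-t options in the request URI, the example also pulls out argv and whether a TTY was requested, which is what separates the benign `cat` from the false-positive note from an interactive `bash`. It assumes raw audit JSON field names (verb, objectRef, requestURI, annotations["authorization.k8s.io/decision"]) rather than the Elastic-ingested kubernetes.audit.* fields; the helper names, the SHELLS set and every sample event are this example's own constructions.

```python
"""Rule logic for 'Kubernetes User Exec into Pod' over raw kube-apiserver audit events.

Added example, not Elastic's rule code. It assumes raw audit JSON field names
(verb, objectRef, requestURI, annotations["authorization.k8s.io/decision"]);
the Elastic integration stores the same data under kubernetes.audit.* with the
annotation key rewritten to authorization_k8s_io/decision. All sample events
below are constructed for this example.
"""
import json
import os
from urllib.parse import parse_qs, urlsplit

# argv[0] values that mean the exec opened a shell rather than a single command (example's own list).
SHELLS = {"sh", "bash", "ash", "dash", "zsh", "ksh", "fish"}


def is_pod_exec(event: dict) -> bool:
    """The same four predicates as the rule's KQL query."""
    ref = event.get("objectRef") or {}
    ann = event.get("annotations") or {}
    return (
        event.get("verb") == "create"
        and ref.get("resource") == "pods"
        and ref.get("subresource") == "exec"
        and ann.get("authorization.k8s.io/decision") == "allow"
    )


def describe_exec(event: dict) -> dict:
    """Who ran what, where. kubectl puts the command and terminal options in the
    request URI, one command= parameter per argv element, e.g.
    /api/v1/namespaces/prod/pods/web-0/exec?command=bash&container=app&stdin=true&tty=true
    """
    query = parse_qs(urlsplit(event.get("requestURI", "")).query)
    argv = query.get("command", [])
    ref = event.get("objectRef") or {}
    return {
        "user": (event.get("user") or {}).get("username"),
        "namespace": ref.get("namespace"),
        "pod": ref.get("name"),
        "container": query.get("container", [None])[0],
        "argv": argv,
        # kubectl exec -i -t shows up as stdin=true&tty=true: the interactive-shell case.
        "interactive": query.get("stdin", ["false"])[0] == "true"
        and query.get("tty", ["false"])[0] == "true",
        "shell": bool(argv) and os.path.basename(argv[0]) in SHELLS,
    }


def detect_pod_exec(lines) -> list:
    """Run the rule over newline-delimited audit JSON, one finding per request.

    The API server writes one event per audit stage with the same auditID, and
    for a long-running exec more than one stage carries the authorization
    annotation, so findings are deduplicated on auditID to avoid double alerts.
    """
    findings, seen = [], set()
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if not is_pod_exec(event) or event.get("auditID") in seen:
            continue
        seen.add(event.get("auditID"))
        findings.append(describe_exec(event))
    return findings


def _event(audit_id, stage, verb, ref, uri, decision, user="jane@example.com"):
    """Build one constructed audit line (shape follows an audit.k8s.io/v1 Event)."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
        "stage": stage, "verb": verb, "user": {"username": user},
        "objectRef": ref, "requestURI": uri,
        "annotations": {"authorization.k8s.io/decision": decision},
    })


WEB = {"resource": "pods", "namespace": "prod", "name": "web-0", "subresource": "exec"}
CASS = {"resource": "pods", "namespace": "default", "name": "cassandra", "subresource": "exec"}
SHELL_URI = "/api/v1/namespaces/prod/pods/web-0/exec?command=bash&container=app&stdin=true&stdout=true&tty=true"
CAT_URI = ("/api/v1/namespaces/default/pods/cassandra/exec"
           "?command=cat&command=%2Fvar%2Flog%2Fcassandra%2Fsystem.log&stdout=true")

# Constructed sample log: two stages of one interactive bash, the benign log read
# from the rule's false-positive note, an RBAC-denied exec, and a pods/log read.
SAMPLE_AUDIT_LOG = [
    _event("a1", "ResponseStarted", "create", WEB, SHELL_URI, "allow"),
    _event("a1", "ResponseComplete", "create", WEB, SHELL_URI, "allow"),
    _event("a2", "ResponseComplete", "create", CASS, CAT_URI, "allow"),
    _event("a3", "ResponseComplete", "create", WEB, SHELL_URI, "forbid", user="intern"),
    _event("a4", "ResponseComplete", "get", dict(WEB, subresource="log"),
           "/api/v1/namespaces/prod/pods/web-0/log", "allow"),
]

if __name__ == "__main__":
    for finding in detect_pod_exec(SAMPLE_AUDIT_LOG):
        print(finding)
```

Run against the sample, the two stages of auditID a1 collapse into one finding (jane, prod/web-0, argv ["bash"], interactive and shell both true) and the cassandra `cat` produces a second, non-interactive finding; the denied exec is excluded because the rule, like the query above, only matches decision "allow", so a burst of "forbid" decisions on pods/exec needs its own rule if you want to see it.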

Setup

The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.

References

https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/
https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/
