Kubernetes User Exec into Pod

This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2022/05/17"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec'
command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An
adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has
permissions to, including secrets.
"""
false_positives = [
    """
    An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from
    Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands
    inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ...
    ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec
    cassandra -- cat /var/log/cassandra/system.log. Additionally, the -i and -t arguments might be used to run a shell
    connected to the terminal: kubectl exec -i -t cassandra -- sh
    """,
]
index = ["logs-kubernetes.*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes User Exec into Pod"
note = """## Setup

The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
references = [
    "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/",
    "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/",
]
risk_score = 47
rule_id = "14de811c-d60f-11ec-9fd7-f661ea17fbce"
severity = "medium"
tags = ["Data Source: Kubernetes", "Tactic: Execution"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset : "kubernetes.audit_logs"
  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
  and kubernetes.audit.verb:"create"
  and kubernetes.audit.objectRef.resource:"pods"
  and kubernetes.audit.objectRef.subresource:"exec"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
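To see what the query above actually selects, and what an analyst gets back when it fires, the following Python replays the same four predicates over raw kube-apiserver audit events. This is an added illustration, not Elastic's code and not part of the rule: it assumes audit.k8s.io/v1 JSON events as the API server's log backend writes them (one event per line), whose verb, objectRef and annotations fields are what the Kubernetes integration exposes as the kubernetes.audit.* fields in the query. It also pulls the exec parameters out of requestURI, because kubectl encodes the argv as repeated command= query parameters and an interactive session (kubectl exec -i -t) as stdin=true plus tty=true, which is exactly the distinction the false-positive note draws between running one command and opening a shell. All sample events are constructed.

```python
"""Replay the 'Kubernetes User Exec into Pod' predicates over raw audit events.

Added example (not Elastic's code). Assumes audit.k8s.io/v1 events from the
kube-apiserver JSON log backend; the event.dataset clause of the query is the
integration's index scope and is taken as satisfied for every line read here.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample events, not captured from a real cluster. Lines 1-2 should
# match the rule (one interactive shell, one single command), the rest should not:
# a denied exec, a pods/log read, a plain pod create, and a non-JSON line.
SAMPLE_AUDIT_LOG = r'''
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseStarted","verb":"create","user":{"username":"alice","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"default","name":"cassandra","subresource":"exec"},"requestURI":"/api/v1/namespaces/default/pods/cassandra/exec?command=sh&container=cassandra&stdin=true&stdout=true&tty=true","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding cluster-admin"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseStarted","verb":"create","user":{"username":"system:serviceaccount:ci:log-reader"},"objectRef":{"resource":"pods","namespace":"default","name":"cassandra","subresource":"exec"},"requestURI":"/api/v1/namespaces/default/pods/cassandra/exec?command=cat&command=%2Fvar%2Flog%2Fcassandra%2Fsystem.log&container=cassandra&stderr=true&stdout=true","annotations":{"authorization.k8s.io/decision":"allow"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"mallory"},"objectRef":{"resource":"pods","namespace":"default","name":"cassandra","subresource":"exec"},"requestURI":"/api/v1/namespaces/default/pods/cassandra/exec?command=bash&stdin=true&tty=true","annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"default","name":"cassandra","subresource":"log"},"requestURI":"/api/v1/namespaces/default/pods/cassandra/log","annotations":{"authorization.k8s.io/decision":"allow"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"default","name":"debug-1"},"requestURI":"/api/v1/namespaces/default/pods","annotations":{"authorization.k8s.io/decision":"allow"}}
not json at all
'''


def matches_rule(event: dict) -> bool:
    """The rule's predicates: allowed, verb create, resource pods, subresource exec."""
    obj = event.get("objectRef") or {}
    annotations = event.get("annotations") or {}
    return (
        annotations.get("authorization.k8s.io/decision") == "allow"
        and event.get("verb") == "create"
        and obj.get("resource") == "pods"
        and obj.get("subresource") == "exec"
    )


def parse_exec_request(request_uri: str) -> dict:
    """Extract the exec parameters kubectl places in the query string.

    'command' repeats once per argv element. stdin=true together with tty=true
    is what 'kubectl exec -i -t' sends, i.e. a shell attached to a terminal.
    """
    params = parse_qs(urlsplit(request_uri).query)

    def flag(name: str) -> bool:
        return params.get(name, ["false"])[0].lower() == "true"

    return {
        "command": params.get("command", []),
        "container": params.get("container", [None])[0],
        "interactive": flag("stdin") and flag("tty"),
    }


def triage_exec_events(log_text: str) -> list:
    """One finding per matching event, carrying the context an analyst looks at first."""
    findings = []
    for line in log_text.strip().splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip it rather than stop the pass
        if not matches_rule(event):
            continue
        obj = event["objectRef"]
        finding = {
            "user": (event.get("user") or {}).get("username"),
            "namespace": obj.get("namespace"),
            "pod": obj.get("name"),
        }
        finding.update(parse_exec_request(event.get("requestURI", "")))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage_exec_events(SAMPLE_AUDIT_LOG):
        kind = "interactive shell" if finding["interactive"] else "single command"
        print(f"{kind}: {finding}")
```

Run as-is it reports two findings: alice opening an interactive sh in the cassandra container, and the ci:log-reader service account running cat on the Cassandra log. The denied exec is dropped by the decision predicate, which is also why this rule never sees failed attempts; if you want those, a sibling query on decision:"forbid" is the usual complement. The interactive flag is the cheapest first triage split for the false positives the rule lists: a one-shot command from an automation identity reads very differently from a terminal-attached shell under a human account.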

Setup

The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.
