Kubernetes Ephemeral Container Added to Pod

Detects allowed updates to the pods/ephemeralcontainers subresource by a non-system identity. Ephemeral containers are commonly used for debugging (kubectl debug) but can also be abused to inject tooling into a running pod, access mounted secrets, and execute commands in the target pod context. Attackers with sufficient RBAC may use ephemeral containers to escalate privileges, move laterally, or establish persistence without deploying a new workload.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/05/07"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2026/05/07"

[rule]
author = ["Elastic"]
description = """
Detects allowed updates to the pods/ephemeralcontainers subresource by a non-system identity. Ephemeral containers are
commonly used for debugging (kubectl debug) but can also be abused to inject tooling into a running pod, access mounted
secrets, and execute commands in the target pod context. Attackers with sufficient RBAC may use ephemeral containers to
escalate privileges, move laterally, or establish persistence without deploying a new workload.
"""
false_positives = [
    """
    Cluster operators or SREs may legitimately use ephemeral containers for debugging production workloads. Baseline
    approved admin identities and tune exclusions for known automation.
    """,
]
from = "now-9m"
index = ["logs-kubernetes.audit_logs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes Ephemeral Container Added to Pod"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Kubernetes Ephemeral Container Added to Pod

Ephemeral containers allow adding a container to an existing pod for troubleshooting. When abused, they can be used to
gain interactive access to a workload, read sensitive files, and run tools that were not present in the original image.

### Possible investigation steps

- Review the actor (user.name, groups), source.ip, and user_agent.original and confirm the identity is authorized to use ephemeral containers.
- Inspect kubernetes.audit.objectRef (namespace, name) to identify the targeted pod and workload owner.
- If request bodies are captured, review the ephemeral container image, command, and securityContext for privilege indicators.
- Correlate with follow-on audit activity such as pod exec, secret reads, TokenRequest, or RBAC modifications.

### Response and remediation

- If unauthorized, remove excessive RBAC that grants update/patch on pods/ephemeralcontainers and rotate exposed credentials.
- Quarantine or redeploy impacted workloads and hunt for additional compromised pods or identities.
"""
references = [
    "https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/",
]
risk_score = 47
rule_id = "c62733ff-9373-4fdf-9733-3d992e148c93"
severity = "medium"
tags = [
    "Data Source: Kubernetes",
    "Domain: Kubernetes",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Execution",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:"kubernetes.audit_logs" and
kubernetes.audit.objectRef.resource:"pods" and
kubernetes.audit.objectRef.subresource:"ephemeralcontainers" and
kubernetes.audit.verb:("update" or "patch") and
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
not user.name:(
  system\:node\:* or
  system\:serviceaccount\:kube-system\:*
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Kubernetes Ephemeral Container Added to Pod

Ephemeral containers allow adding a container to an existing pod for troubleshooting. When abused, they can be used to gain interactive access to a workload, read sensitive files, and run tools that were not present in the original image.

Possible investigation steps

  • Review the actor (user.name, groups), source.ip, and user_agent.original and confirm the identity is authorized to use ephemeral containers.
  • Inspect kubernetes.audit.objectRef (namespace, name) to identify the targeted pod and workload owner.
  • If request bodies are captured, review the ephemeral container image, command, and securityContext for privilege indicators.
  • Correlate with follow-on audit activity such as pod exec, secret reads, TokenRequest, or RBAC modifications.

Response and remediation

  • If unauthorized, remove excessive RBAC that grants update/patch on pods/ephemeralcontainers and rotate exposed credentials.
  • Quarantine or redeploy impacted workloads and hunt for additional compromised pods or identities.
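The following is an added example, not part of the Elastic rule or its investigation guide. It re-implements the rule's KQL clause by clause in Python, runs it over constructed Kubernetes audit events (not real cluster data), and for each hit pulls out the fields the investigation steps above ask an analyst to review, flagging privilege indicators in the ephemeral container spec when the audit policy captured the request body. Field paths for the event itself follow the rule (data_stream.dataset, kubernetes.audit.*, user.name); the kubernetes.audit.user.groups path, the requestObject layout (a Pod or strategic-merge patch carrying spec.ephemeralContainers) and the approved_debuggers allowlist are assumptions made for the example.

```python
"""Added example (not Elastic's code): the rule's KQL filter re-implemented in
Python over constructed audit events, plus the triage fields the guide asks for.
Assumptions: kubernetes.audit.user.groups holds the actor's groups, and
kubernetes.audit.requestObject (only present when the audit policy logs request
bodies) is a Pod or strategic-merge patch with spec.ephemeralContainers."""

# Same exclusion as the query's `not user.name:(system\:node\:* or ...)`.
SYSTEM_IDENTITY_PREFIXES = ("system:node:", "system:serviceaccount:kube-system:")


def is_system_identity(user_name: str) -> bool:
    return user_name.startswith(SYSTEM_IDENTITY_PREFIXES)


def matches_rule(event: dict) -> bool:
    """Mirror the KQL query clause by clause; a missing field never matches."""
    if event.get("data_stream", {}).get("dataset") != "kubernetes.audit_logs":
        return False
    audit = event.get("kubernetes", {}).get("audit", {})
    ref = audit.get("objectRef", {})
    if ref.get("resource") != "pods" or ref.get("subresource") != "ephemeralcontainers":
        return False
    if audit.get("verb") not in ("update", "patch"):
        return False
    if audit.get("annotations", {}).get("authorization_k8s_io/decision") != "allow":
        return False
    return not is_system_identity(event.get("user", {}).get("name", ""))


def privilege_indicators(container: dict) -> list:
    """Flags in an ephemeral container spec that the guide calls privilege indicators."""
    sc = container.get("securityContext") or {}
    flags = []
    if sc.get("privileged"):
        flags.append("privileged")
    if sc.get("runAsUser") == 0:
        flags.append("runAsUser=0")
    if sc.get("allowPrivilegeEscalation"):
        flags.append("allowPrivilegeEscalation")
    flags.extend(f"cap:{c}" for c in (sc.get("capabilities") or {}).get("add", []))
    if container.get("targetContainerName"):  # shares that container's process namespace
        flags.append(f"target:{container['targetContainerName']}")
    return flags


def triage(event: dict, approved_debuggers=()) -> dict:
    """Actor, target pod and per-container indicators for one matching event.
    approved_debuggers is a constructed allowlist (the rule's false-positive
    guidance: baseline approved admin identities)."""
    audit = event["kubernetes"]["audit"]
    ref = audit.get("objectRef", {})
    actor = event.get("user", {}).get("name", "")
    containers = (audit.get("requestObject") or {}).get("spec", {}).get("ephemeralContainers", [])
    return {
        "actor": actor,
        "groups": audit.get("user", {}).get("groups", []),  # assumed field path
        "approved": actor in approved_debuggers,
        "source_ip": event.get("source", {}).get("ip"),
        "user_agent": event.get("user_agent", {}).get("original"),
        "namespace": ref.get("namespace"),
        "pod": ref.get("name"),
        "body_captured": bool(containers),
        "containers": [
            {"name": c.get("name"), "image": c.get("image"), "command": c.get("command"),
             "indicators": privilege_indicators(c)}
            for c in containers
        ],
    }


def constructed_audit_events() -> list:
    """Constructed sample events (not real cluster data) in the rule's field layout."""
    def base(user, verb, subresource, decision, request_object=None):
        ev = {
            "data_stream": {"dataset": "kubernetes.audit_logs"},
            "user": {"name": user},
            "source": {"ip": "203.0.113.10"},               # documentation range, placeholder
            "user_agent": {"original": "kubectl/v0.0.0"},    # placeholder version
            "kubernetes": {"audit": {
                "verb": verb,
                "user": {"groups": ["system:authenticated"]},
                "objectRef": {"resource": "pods", "subresource": subresource,
                              "namespace": "payments", "name": "api-5d7f"},
                "annotations": {"authorization_k8s_io/decision": decision},
            }},
        }
        if request_object is not None:
            ev["kubernetes"]["audit"]["requestObject"] = request_object
        return ev

    privileged_debug = {"spec": {"ephemeralContainers": [{
        "name": "debugger", "image": "busybox", "command": ["sh"],
        "targetContainerName": "api",
        "securityContext": {"privileged": True, "runAsUser": 0},
    }]}}
    return [
        base("alice@example.com", "patch", "ephemeralcontainers", "allow", privileged_debug),
        base("system:serviceaccount:kube-system:node-debugger", "update", "ephemeralcontainers", "allow"),
        base("bob@example.com", "create", "exec", "allow"),      # pod exec, not this rule
        base("mallory@example.com", "patch", "ephemeralcontainers", "forbid"),  # denied by RBAC
    ]


def run(events, approved_debuggers=()) -> list:
    """Apply the rule and triage every hit."""
    return [triage(e, approved_debuggers) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run(constructed_audit_events(), approved_debuggers={"sre-oncall@example.com"}):
        print(hit)
```

Of the four constructed events only the first fires: the kube-system service account is excluded by the rule, the exec event is a different subresource, and the forbidden patch never reaches the allow decision. The hit's indicator list (privileged, runAsUser=0, target container) is the kind of signal the guide's third step asks for, and it is only available when the cluster's audit policy logs request bodies for this subresource.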

References

https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/