Pod or Container Creation with Suspicious Command-Line

This rule detects `kubectl run`, `docker run` and similar container-launch invocations that hand a Unix shell a command line containing indicators commonly associated with persistence or privilege escalation: scheduled-job and startup-script paths (cron, atd, /etc/rc.local, /etc/init.d, /etc/profile), credential and SSH-key files (/etc/shadow, /etc/sudoers, ~/.ssh), reverse-shell primitives (/dev/tcp, nc, socat, pty.spawn, TCPSocket, fsockopen), payload decoding (base64, xxd), and staging from world-writable or unusual paths (/tmp, /dev/shm, /var/tmp, /proc, /sys). Attackers may use container orchestration tools like kubectl or container runtimes like docker to create pods or containers that run shell commands with arguments that indicate attempts to establish persistence (e.g., modifying startup scripts, creating backdoors). Note that only the `run` subcommand is matched; `docker exec` / `kubectl exec` into an already-running container is outside this rule's scope.


[metadata]
creation_date = "2025/12/01"
# Fleet integrations whose datasets this rule reads. Each one has a matching
# "logs-<integration>..." pattern in [rule].index; auditbeat-* and endgame-*
# are also queried but have no integration entry here.
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
# Bump whenever the query, tags or threat mapping below change.
updated_date = "2025/12/01"

  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule detects the creation of pods or containers that execute suspicious commands often associated with persistence or
 11privilege escalation techniques. Attackers may use container orchestration tools like kubectl or container runtimes like
 12docker to create pods or containers that run shell commands with arguments that indicate attempts to establish persistence
 13(e.g., modifying startup scripts, creating backdoors).
 14"""
 15from = "now-9m"
 16index = [
 17    "auditbeat-*",
 18    "endgame-*",
 19    "logs-auditd_manager.auditd-*",
 20    "logs-crowdstrike.fdr*",
 21    "logs-endpoint.events.process*",
 22    "logs-sentinel_one_cloud_funnel.*",
 23]
 24language = "eql"
 25license = "Elastic License v2"
 26name = "Pod or Container Creation with Suspicious Command-Line"
 27risk_score = 47
 28rule_id = "c595363f-52a6-49e1-9257-0e08ae043dbd"
 29severity = "medium"
 30tags = [
 31    "Domain: Endpoint",
 32    "Domain: Container",
 33    "OS: Linux",
 34    "Use Case: Threat Detection",
 35    "Tactic: Execution",
 36    "Tactic: Privilege Escalation",
 37    "Tactic: Persistence",
 38    "Data Source: Elastic Defend",
 39    "Data Source: Elastic Endgame",
 40    "Data Source: Auditd Manager",
 41    "Data Source: Crowdstrike",
 42    "Data Source: SentinelOne",
 43]
 44timestamp_override = "event.ingested"
 45type = "eql"
 46query = '''
 47process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and (
 48  (process.name == "kubectl" and process.args == "run" and process.args == "--restart=Never" and process.args == "--") or
 49  (process.name in ("docker", "nerdctl", "ctl") and process.args == "run")
 50) and 
 51process.args in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
 52process.command_line like~ (
 53  "*atd*", "*cron*", "*/etc/rc.local*", "*/dev/tcp/*", "*/etc/init.d*", "*/etc/update-motd.d*", "*/etc/ld.so*", "*/etc/sudoers*", "*base64 *",
 54  "*/etc/profile*", "*/etc/ssh*", "*/home/*/.ssh/*", "*/root/.ssh*" , "*~/.ssh/*", "*autostart*", "*xxd *", "*/etc/shadow*", "*./.*",
 55  "*import*pty*spawn*", "*import*subprocess*call*", "*TCPSocket.new*", "*TCPSocket.open*", "*io.popen*", "*os.execute*", "*fsockopen*",
 56  "*disown*", "* ncat *", "* nc *", "* netcat *",  "* nc.traditional *", "*socat*", "*telnet*", "*/tmp/*", "*/dev/shm/*", "*/var/tmp/*",
 57  "*/boot/*", "*/sys/*", "*/lost+found/*", "*/media/*", "*/proc/*", "*/var/backups/*", "*/var/log/*", "*/var/mail/*", "*/var/spool/*"
 58)
 59'''
 60
[[rule.threat]]
framework = "MITRE ATT&CK"

# Covered by the shell-as-argument clause of the query
# (process.args in ("bash", "dash", "sh", ...)).
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"

# Covered by the kubectl / docker / nerdctl "run" clause of the query.
[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

# Mapped because the query's command-line patterns include host-filesystem
# paths ("*/proc/*", "*/sys/*", "*/boot/*") that a breakout would typically
# touch. The query does not inspect privileged/host-mount flags, so this
# technique is inferred from the command line rather than directly observed.
[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

# Covered by the "*atd*" and "*cron*" command-line patterns in the query.
# Both are substring matches and will also hit unrelated tokens that contain
# those letters (e.g. image or host names containing "cron").
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"

[[rule.threat.technique.subtechnique]]
id = "T1053.002"
name = "At"
reference = "https://attack.mitre.org/techniques/T1053/002/"

[[rule.threat.technique.subtechnique]]
id = "T1053.003"
name = "Cron"
reference = "https://attack.mitre.org/techniques/T1053/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
