Potential Remote Command Execution In Pod Container
Detects attempts to execute commands inside a Pod's container, e.g. via the "kubectl exec" command (an API request to the pods/exec subresource).
Sigma rule

```yaml
title: Potential Remote Command Execution In Pod Container
id: a1b0ca4e-7835-413e-8471-3ff2b8a66be6
status: test
description: |
    Detects attempts to execute commands inside a Pod's container, e.g. via the "kubectl exec" command.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1609
    - attack.execution
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        objectRef.subresource: 'exec'
    condition: selection
falsepositives:
    - Legitimate debugging activity. Investigate the identity performing the requests and their authorization.
level: medium
```
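The rule's selection block applied to Kubernetes audit events, as an added example that is not part of the Sigma rule or of SigmaHQ's tooling. The audit log lines are constructed for illustration; their field names follow the audit.k8s.io/v1 Event schema (verb, user.username, sourceIPs, objectRef.resource/subresource, requestURI). The code keys on the three selection fields exactly as the rule does, collapses the per-stage records the API server writes for one request into a single hit by auditID, and pulls out the fields the falsepositives note says to triage: who issued the exec, from where, into which pod, and with which command.

```python
import json
from typing import Iterable
from urllib.parse import parse_qs, urlsplit

# The rule's "selection" block: every dotted Sigma field must equal its value (AND).
SELECTION = {
    "verb": "create",
    "objectRef.resource": "pods",
    "objectRef.subresource": "exec",
}


def get_field(event: dict, dotted: str):
    """Resolve a dotted Sigma field name (e.g. 'objectRef.subresource') in a nested audit event."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(event: dict) -> bool:
    """Sigma selection semantics: all listed fields must match."""
    return all(get_field(event, field) == value for field, value in SELECTION.items())


def exec_command(request_uri: str) -> str:
    """Recover the executed command from the exec request's query string (repeated 'command=' args)."""
    query = parse_qs(urlsplit(request_uri).query)
    return " ".join(query.get("command", []))


def scan(lines: Iterable[str]) -> list:
    """Run the rule over JSON-lines audit events; return one triage record per unique auditID."""
    hits, seen = [], set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if not matches(event):
            continue
        # The audit backend emits one record per stage (RequestReceived, ResponseStarted,
        # ResponseComplete) for the same request, all sharing an auditID; report it once.
        if event["auditID"] in seen:
            continue
        seen.add(event["auditID"])
        hits.append({
            "auditID": event["auditID"],
            "user": event["user"]["username"],
            "sourceIPs": event.get("sourceIPs", []),
            "namespace": event["objectRef"].get("namespace"),
            "pod": event["objectRef"].get("name"),
            "command": exec_command(event.get("requestURI", "")),
        })
    return hits


# Constructed sample audit log (not real cluster data). Records 1-2 are two stages of one
# kubectl exec; 3 is an ordinary pod creation; 4 is a log read; 5 is a GET to pods/exec,
# which the rule deliberately does not match because it requires verb 'create';
# 6 is an exec from a workload service account reading a token.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"7c1e0f5a-0001","stage":"ResponseStarted","requestURI":"/api/v1/namespaces/prod/pods/web-7d9f/exec?command=%2Fbin%2Fsh&stdin=true&tty=true","verb":"create","user":{"username":"kubernetes-admin","groups":["system:masters"]},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"pods","namespace":"prod","name":"web-7d9f","subresource":"exec","apiVersion":"v1"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"7c1e0f5a-0001","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods/web-7d9f/exec?command=%2Fbin%2Fsh&stdin=true&tty=true","verb":"create","user":{"username":"kubernetes-admin","groups":["system:masters"]},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"pods","namespace":"prod","name":"web-7d9f","subresource":"exec","apiVersion":"v1"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"7c1e0f5a-0002","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller"},"sourceIPs":["10.0.0.1"],"objectRef":{"resource":"pods","namespace":"prod","apiVersion":"v1"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"7c1e0f5a-0003","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods/web-7d9f/log","verb":"get","user":{"username":"dev-alice"},"sourceIPs":["10.0.0.9"],"objectRef":{"resource":"pods","namespace":"prod","name":"web-7d9f","subresource":"log","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"7c1e0f5a-0004","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods/web-7d9f/exec?command=id","verb":"get","user":{"username":"dev-alice"},"sourceIPs":["10.0.0.9"],"objectRef":{"resource":"pods","namespace":"prod","name":"web-7d9f","subresource":"exec","apiVersion":"v1"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"7c1e0f5a-0005","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/pods/kube-proxy-x2k9q/exec?command=sh&command=-c&command=cat%20%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Ftoken","verb":"create","user":{"username":"system:serviceaccount:default:app-sa"},"sourceIPs":["10.244.1.17"],"userAgent":"curl/8.4.0","objectRef":{"resource":"pods","namespace":"kube-system","name":"kube-proxy-x2k9q","subresource":"exec","apiVersion":"v1"},"responseStatus":{"code":101}}
"""


if __name__ == "__main__":
    for hit in scan(SAMPLE_AUDIT_LOG.splitlines()):
        print(json.dumps(hit))
```

Two of the six constructed records fire: the admin's interactive shell and the workload service account's exec into a kube-system pod. The second is the kind of hit the falsepositives entry is about: the identity and the target namespace, not the exec itself, decide whether it is debugging or lateral movement. The GET to pods/exec in record 5 is included to make the rule's strictness visible; check in your own audit logs which verb the exec clients in your environment actually produce before relying on the rule alone.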
Related rules
- Potential Sidecar Injection Into Running Deployment
- Base64 Encoded PowerShell Command Detected
- Data Export From MSSQL Table Via BCP.EXE
- F5 BIG-IP iControl Rest API Command Execution - Webserver
- HackTool - Impacket Tools Execution