Potential Remote Command Execution In Pod Container

Mar 26, 2024 · attack.t1609 ·

Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.

Sigma rule (View on GitHub)

 1title: Potential Remote Command Execution In Pod Container
 2id: a1b0ca4e-7835-413e-8471-3ff2b8a66be6
 3status: experimental
 4description: |
 5        Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.
 6references:
 7    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/
 8author: Leo Tsaousis (@laripping)
 9date: 2024/03/26
10tags:
11    - attack.t1609
12logsource:
13    category: application
14    product: kubernetes
15    service: audit
16detection:
17    selection:
18        verb: 'create'
19        objectRef.resource: 'pods'
20        objectRef.subresource: 'exec'
21    condition: selection
22falsepositives:
23    - Legitimate debugging activity. Investigate the identity performing the requests and their authorization.
24level: medium

References

Exec into container - Threat Matrix for Kubernetes

Exec into container Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images,...

Read More

Related rules

Potential Sidecar Injection Into Running Deployment

Potential Remote Command Execution In Pod Container

Sigma rule (View on GitHub)

References

Exec into container - Threat Matrix for Kubernetes

Related rules