Creation Of Pod In System Namespace

calendar Mar 26, 2024 · attack.t1036.005  ·
Share on: linkedin copy

Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.

Sigma rule (View on GitHub)

 1title: Creation Of Pod In System Namespace
 2id: a80d927d-ac6e-443f-a867-e8d6e3897318
 3status: experimental
 4description: |
 5    Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods.
 6    System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names.
 7    Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection.
 8    Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.    
 9references:
10    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/
11author: Leo Tsaousis (@laripping)
12date: 2024/03/26
13tags:
14    - attack.t1036.005
15logsource:
16    category: application
17    product: kubernetes
18    service: audit
19detection:
20    selection:
21        verb: 'create'
22        objectRef.resource: 'pods'
23        objectRef.namespace: kube-system
24    condition: selection
25falsepositives:
26    - System components such as daemon-set-controller and kube-scheduler also create pods in the kube-system namespace
27level: medium

References

Related rules

to-top