Creation Of Pod In System Namespace

calendar May 20, 2025 · attack.defense-evasion attack.t1036.005  ·
Share on: linkedin copy

Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.

Sigma rule (View on GitHub)

 1title: Creation Of Pod In System Namespace
 2id: a80d927d-ac6e-443f-a867-e8d6e3897318
 3status: test
 4description: |
 5    Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods.
 6    System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names.
 7    Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection.
 8    Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.    
 9references:
10    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/
11author: Leo Tsaousis (@laripping)
12date: 2024-03-26
13tags:
14    - attack.defense-evasion
15    - attack.t1036.005
16logsource:
17    category: application
18    product: kubernetes
19    service: audit
20detection:
21    selection:
22        verb: 'create'
23        objectRef.resource: 'pods'
24        objectRef.namespace: kube-system
25    condition: selection
26falsepositives:
27    - System components such as daemon-set-controller and kube-scheduler also create pods in the kube-system namespace
28level: medium

References

Related rules

to-top