Detectionmediumtest

Potential Remote Command Execution In Pod Container

Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Leo TsaousisCreated Tue Mar 26a1b0ca4e-7835-413e-8471-3ff2b8a66be6application

Log Source

Kubernetesapplicationaudit

ProductKubernetes← raw: kubernetes

Categoryapplication← raw: application

Serviceaudit← raw: audit

Detection Logic

detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        objectRef.subresource: 'exec'
    condition: selection

False Positives

Legitimate debugging activity. Investigate the identity performing the requests and their authorization.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

a1b0ca4e-7835-413e-8471-3ff2b8a66be6

Status

test

Level

medium

Type

Detection

Created

Tue Mar 26

Author

Path

rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml

Raw Tags

attack.t1609attack.execution