Type: Detection | Level: medium | Status: test

Creation Of Pod In System Namespace

Detects creation of pods in the kube-system namespace, which may be an attempt to imitate system pods. System pods created by controllers such as Deployments or DaemonSets carry random suffixes in their names. Attackers can exploit this convention and name their backdoor pods as if a controller had created them, to avoid detection. Deployment of such a backdoor container, e.g. one named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the legitimate administrative containers.

Author: Leo Tsaousis | Created: Tue Mar 26 | Rule ID: a80d927d-ac6e-443f-a867-e8d6e3897318 | Category: application
Log Source
Product: kubernetes
Category: application
Service: audit
Detection Logic
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        objectRef.namespace: kube-system
    condition: selection
False Positives

System components such as the DaemonSet controller and kube-scheduler also generate pod create events in the kube-system namespace, so legitimate controller activity matches this rule. Note that the selection does not constrain objectRef.subresource: create requests against pod subresources (exec, attach, portforward, and the binding that kube-scheduler writes to place a pod) also carry verb create and resource pods, and will match. If the audit policy records more than one stage per request, a single pod creation appears once per logged stage.
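The following is an added example, not code from the Sigma project or the rule author, that applies the selection above to a handful of constructed Kubernetes audit events in JSON-lines form, and then applies a tuned variant that drops the false positives just described (subresource requests, duplicate audit stages, and an optional allowlist of expected controller identities). The event contents, usernames and pod names are invented for illustration; the field names follow the Kubernetes audit event schema that the rule itself references.

```python
import json

# Constructed sample Kubernetes audit events (not real cluster captures).
# Only the fields the rule and the tuning steps look at are included.
SAMPLE_EVENTS = [
    # 1. A user creates a pod named like a DaemonSet pod in kube-system.
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1",
     "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "jane"},
     "objectRef": {"resource": "pods", "namespace": "kube-system",
                   "name": "kube-proxy-bv61v"}},
    # 2. The same request, logged again at an earlier audit stage.
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1",
     "stage": "RequestReceived", "verb": "create",
     "user": {"username": "jane"},
     "objectRef": {"resource": "pods", "namespace": "kube-system",
                   "name": "kube-proxy-bv61v"}},
    # 3. The DaemonSet controller creating a legitimate kube-proxy pod
    #    (assumed service-account identity; check your own audit logs).
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1",
     "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "system:serviceaccount:kube-system:daemon-set-controller"},
     "objectRef": {"resource": "pods", "namespace": "kube-system",
                   "name": "kube-proxy-xk2pl"}},
    # 4. kubectl exec into a kube-system pod: verb create on subresource exec.
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1",
     "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "jane"},
     "objectRef": {"resource": "pods", "subresource": "exec",
                   "namespace": "kube-system",
                   "name": "metrics-server-7c5f9c4b8f-q2xyz"}},
    # 5. kube-scheduler placing a pod: verb create on subresource binding.
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1",
     "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "system:kube-scheduler"},
     "objectRef": {"resource": "pods", "subresource": "binding",
                   "namespace": "kube-system",
                   "name": "coredns-5d78c9869d-abcde"}},
    # 6. A pod created outside kube-system; out of scope for this rule.
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1",
     "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "jane"},
     "objectRef": {"resource": "pods", "namespace": "default",
                   "name": "debug-shell"}},
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def get_field(event, path):
    """Resolve a Sigma-style dotted field name (objectRef.resource) in a nested event."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def sigma_selection(event):
    """The rule's selection applied literally: all three fields must match."""
    return (get_field(event, "verb") == "create"
            and get_field(event, "objectRef.resource") == "pods"
            and get_field(event, "objectRef.namespace") == "kube-system")


def tuned_selection(event, expected_creators=frozenset()):
    """Selection plus tuning: one stage per request, no subresources,
    and an optional allowlist of identities expected to create system pods.
    Allowlisting a controller identity also hides an attacker who has stolen
    that identity, so keep the set small and review it."""
    if not sigma_selection(event):
        return False
    if get_field(event, "stage") != "ResponseComplete":
        return False  # avoid one alert per logged audit stage
    if get_field(event, "objectRef.subresource") is not None:
        return False  # exec/attach/portforward/binding are not pod creations
    if get_field(event, "user.username") in expected_creators:
        return False
    return True


def run_rule(audit_log_text, selector, **selector_kwargs):
    """Apply a selector to each JSON line; return the pod names that matched."""
    hits = []
    for line in audit_log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if selector(event, **selector_kwargs):
            hits.append(get_field(event, "objectRef.name"))
    return hits


if __name__ == "__main__":
    print("literal rule:", run_rule(SAMPLE_AUDIT_LOG, sigma_selection))
    print("tuned rule:  ", run_rule(SAMPLE_AUDIT_LOG, tuned_selection))
```

Run against the sample log, the literal selection fires on five of the six events, including the exec, the scheduler binding and the duplicate stage; the tuned variant reduces this to the user-created pod and the DaemonSet controller's pod, and passing the controller identity in expected_creators leaves only the suspicious kube-proxy-bv61v creation.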

Rule Metadata
Rule ID
a80d927d-ac6e-443f-a867-e8d6e3897318
Status
test
Level
medium
Type
Detection
Created
Tue Mar 26
Path
rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml
Tags
attack.defense-evasion, attack.t1036.005