Detectionmediumtest

Potential Sidecar Injection Into Running Deployment

Detects attempts to inject a sidecar container into a running deployment. A sidecar container is an additional container within a pod, that resides alongside the main container. One way to add containers to running resources like Deployments/DeamonSets/StatefulSets, is via a "kubectl patch" operation. By injecting a new container within a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separated pod in the cluster.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Leo TsaousisCreated Tue Mar 26ad9012a6-e518-4432-9890-f3b82b8fc71fapplication

Log Source

Kubernetesapplicationaudit

ProductKubernetes← raw: kubernetes

Categoryapplication← raw: application

Serviceaudit← raw: audit

Detection Logic

detection:
    selection:
        verb: 'patch'
        apiGroup: 'apps'
        objectRef.resource: 'deployments'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0002 · Execution

Techniques

T1609 · Container Administration Command

Rule Metadata

Rule ID

ad9012a6-e518-4432-9890-f3b82b8fc71f

Status

test

Level

medium

Type

Detection

Created

Tue Mar 26

Author

Leo Tsaousis

Path

rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml

Raw Tags

attack.t1609attack.execution

View on GitHub