User Exec into a Pod

kubernetes

Classification:

attack

Tactic:

TA0002-execution

Technique:

T1059-command-and-scripting-interpreter

Set up the kubernetes integration.

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when a user execs into a pod.

Strategy

This rule monitors when a user execs (@objectRef.subresource:exec) into to a pod (@objectRef.resource:pods).

A user should not need to exec into a pod. Execing into a pod allows a user to execute any process in container which is not already running. It is most common to execute the bash process to gain an interactive shell. If this is an attacker, they can access any data which the pod has permissions to, including secrets.

Triage and response

Determine if the user should be execing into a running container.

Changelog

  • 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
  • 17 July 2024 - Updated detection query to include logs from Google Kubernetes Engine.
  • 5 March 2024 - Updated detection query for Google Kubernetes Engine to include the event io.k8s.core.v1.pods.exec.get.
PREVIEWING: brett.blue/embedded-collector-release