Offensive Kubernetes tool executed


Goal

A known Kubernetes attack tool has been executed.

Strategy

This rule triggers whenever a known Kubernetes penetration-testing tool is executed. Such tools are typically used to gather information about the Kubernetes environment in support of lateral movement and privilege escalation.

Triage and response

  1. Determine if the tool usage is authorized or part of an authorized penetration test.
  2. If the activity is not authorized, investigate the activity surrounding the tool's execution.
  3. Usage of many of these tools requires access to the Kubernetes API. Identify and revoke accounts used to execute the command.
  4. Begin the incident response process to find and revoke the initial access vector.
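Added example (not Datadog's rule implementation): the matching logic described under Strategy, run over constructed process-execution events, with the hits grouped by service account to support triage step 3. The tool list, the event fields and the function names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed tool set: the page does not list which binaries the rule matches,
# so two widely known Kubernetes pentest tools stand in for it here.
KNOWN_K8S_OFFENSIVE_TOOLS = {"kube-hunter", "peirates"}


@dataclass(frozen=True)
class Finding:
    namespace: str
    pod: str
    service_account: str
    tool: str
    cmdline: str


def _candidate_names(cmdline: str) -> Iterable[str]:
    # Basename of every argv token with its extension stripped, so a direct
    # binary (/tmp/peirates) and an interpreter-launched script
    # (python3 /tmp/kube-hunter.py) both resolve to the tool's name.
    for token in cmdline.split():
        yield token.rsplit("/", 1)[-1].lower().split(".", 1)[0]


def detect_offensive_tools(events: List[dict]) -> List[Finding]:
    """Flag process-execution events that launched a known tool (constructed event schema)."""
    findings = []
    for ev in events:
        for name in _candidate_names(ev["cmdline"]):
            if name in KNOWN_K8S_OFFENSIVE_TOOLS:
                findings.append(Finding(ev["namespace"], ev["pod"],
                                        ev["service_account"], name, ev["cmdline"]))
                break  # one finding per execution, even if the name repeats
    return findings


def accounts_to_review(findings: List[Finding]) -> Dict[str, List[str]]:
    """Triage step 3: service accounts whose API credentials the tool could have used."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f"{f.namespace}/{f.service_account}", []).append(f.pod)
    return out


# Constructed sample events in the shape a process-execution collector might emit.
SAMPLE_EVENTS = [
    {"namespace": "prod", "pod": "web-7f9c", "service_account": "default",
     "cmdline": "python3 /tmp/kube-hunter.py"},
    {"namespace": "ci", "pod": "runner-1", "service_account": "ci-runner",
     "cmdline": "/tmp/peirates"},
    {"namespace": "prod", "pod": "web-7f9c", "service_account": "default",
     "cmdline": "curl -s https://kubernetes.default.svc/api"},  # benign, no match
]
```

Each entry returned by `accounts_to_review` is a namespace/service-account pair to check for authorization and, if unauthorized, to revoke before moving on to step 4.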

Requires Agent version 7.27 or greater
