Kubernetes pod creation with host network

Cortex XDR Analytics Alert Reference by data source
Last date published
2024-04-15
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log
      OR
    • Azure Audit Log
      OR
    • Gcp Audit Log

Detection Modules

Cloud

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

An identity created a Kubernetes pod attached to the host network.
This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy.

Attacker's Goals

  • Access services bound to localhost.
  • Sniff traffic on any interface on the host.
  • Bypass network policy.

Investigative actions

  • Check the identity's role designation in the organization.
  • Inspect for any unusual access to localhost services.
  • Inspect for any network sniffing tool being used inside the Kubernetes Pod.

Variations

Kubernetes pod creation with host network for the first time in the cluster

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An identity created a Kubernetes pod attached to the host network.
This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy.

Attacker's Goals

  • Access services bound to localhost.
  • Sniff traffic on any interface on the host.
  • Bypass network policy.

Investigative actions

  • Check the identity's role designation in the organization.
  • Inspect for any unusual access to localhost services.
  • Inspect for any network sniffing tool being used inside the Kubernetes Pod.


Kubernetes pod creation with host network for the first time in the namespace

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

An identity created a Kubernetes pod attached to the host network.
This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy.

Attacker's Goals

  • Access services bound to localhost.
  • Sniff traffic on any interface on the host.
  • Bypass network policy.

Investigative actions

  • Check the identity's role designation in the organization.
  • Inspect for any unusual access to localhost services.
  • Inspect for any network sniffing tool being used inside the Kubernetes Pod.


Kubernetes pod creation with host network for the first time by the identity

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

An identity created a Kubernetes pod attached to the host network.
This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy.

Attacker's Goals

  • Access services bound to localhost.
  • Sniff traffic on any interface on the host.
  • Bypass network policy.

Investigative actions

  • Check the identity's role designation in the organization.
  • Inspect for any unusual access to localhost services.
  • Inspect for any network sniffing tool being used inside the Kubernetes Pod.