Execution of command from within a Kubernetes pod using kubelet credentials

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2026-03-10
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

Kubernetes - AGENT

ATT&CK Tactic

Privilege Escalation (TA0004)

ATT&CK Technique

Access Token Manipulation (T1134)

Severity

Low

Description

A command was executed from within a Kubernetes pod using kubelet credentials. Because the kubelet's credentials identify the node to the API server, this activity lets an attacker impersonate the node and perform privileged operations against the cluster API.

Attacker's Goals

Use of the Kubernetes API server to perform operations inside the cluster.

Investigative actions

Check if there is an active attack against the Kubernetes cluster.

Variations

Unusual execution of command from within a Kubernetes pod using kubelet credentials

Synopsis

ATT&CK Tactic

Privilege Escalation (TA0004)

ATT&CK Technique

Access Token Manipulation (T1134)

Severity

Medium

Description

A command was executed from within a Kubernetes pod using kubelet credentials. Because the kubelet's credentials identify the node to the API server, this activity lets an attacker impersonate the node and perform privileged operations against the cluster API.

Attacker's Goals

Use of the Kubernetes API server to perform operations inside the cluster.

Investigative actions

Check if there is an active attack against the Kubernetes cluster.