Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 5 Days
Required Data |
Detection Modules | Cloud
Detector Tags | Kubernetes - API
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.
This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace.
Attacker's Goals
Access data used by other pods that use the host's IPC namespace.
Investigative actions
- Check the identity's role designation in the organization.
- Inspect for any files in the /dev/shm shared memory location.
- Inspect for any IPC facilities being used with /usr/bin/ipcs.
Variations
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the cluster
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the namespace
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time by the identity
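
The check described above and its three "first time" variations, as an added sketch over Kubernetes audit log events (not the product's own detection logic). It assumes audit level Request or higher so that `requestObject` is recorded, uses constructed sample events, and treats "first time" as relative to the supplied log rather than a 30-day training baseline; the function names are hypothetical.

```python
import json

# Constructed sample events in Kubernetes audit log format (one JSON object per line).
SAMPLE_AUDIT_LOG = """\
{"stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"dev"},"requestObject":{"metadata":{"name":"web"},"spec":{"containers":[]}},"responseStatus":{"code":201}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"dev"},"requestObject":{"metadata":{"name":"debug"},"spec":{"hostIPC":true}},"responseStatus":{"code":201}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"dev","name":"debug","subresource":"exec"},"responseStatus":{"code":101}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"carol"},"objectRef":{"resource":"pods","namespace":"dev"},"requestObject":{"metadata":{"name":"shm"},"spec":{"hostIPC":true}},"responseStatus":{"code":403}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"prod"},"requestObject":{"metadata":{"name":"debug2"},"spec":{"hostIPC":true}},"responseStatus":{"code":201}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"carol"},"objectRef":{"resource":"pods","namespace":"prod"},"requestObject":{"metadata":{"name":"cache"},"spec":{"hostIPC":true}},"responseStatus":{"code":201}}
"""

def host_ipc_pod_creations(lines):
    """Yield (identity, namespace, pod) for accepted pod creations with spec.hostIPC set."""
    for line in filter(str.strip, lines):
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") != "create":
            continue
        if ref.get("resource") != "pods" or ref.get("subresource"):
            continue  # ignore pods/exec, pods/eviction and other subresources
        if (ev.get("responseStatus") or {}).get("code", 0) >= 300:
            continue  # request was rejected, so no pod was created
        obj = ev.get("requestObject") or {}  # absent below audit level Request
        if (obj.get("spec") or {}).get("hostIPC") is True:
            name = ref.get("name") or (obj.get("metadata") or {}).get("name", "")
            user = (ev.get("user") or {}).get("username", "unknown")
            yield user, ref.get("namespace", ""), name

def classify(lines):
    """Tag each hit with the 'first time' variations, relative to this log only."""
    seen_cluster, seen_ns, seen_id, hits = False, set(), set(), []
    for user, ns, pod in host_ipc_pod_creations(lines):
        tags = []
        if not seen_cluster:
            tags.append("first in cluster")
        if ns not in seen_ns:
            tags.append("first in namespace")
        if user not in seen_id:
            tags.append("first by identity")
        seen_cluster = True
        seen_ns.add(ns)
        seen_id.add(user)
        hits.append((user, ns, pod, tags))
    return hits

if __name__ == "__main__":
    for hit in classify(SAMPLE_AUDIT_LOG.splitlines()):
        print(hit)
```

Pods created indirectly through a Deployment, Job or similar controller appear in the audit log as pod creations by the controller's service account, so the identity on the hit may need to be traced back to whoever created the owning workload.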