Synopsis

| Field | Value |
| --- | --- |
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 5 Days |
| Required Data | Requires one of the following data sources: AWS Audit Log OR Azure Audit Log OR Gcp Audit Log |
| Detection Modules | Cloud |
| Detector Tags | Kubernetes - API |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
An identity created a Kubernetes pod with the host process ID (PID) namespace.
This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root.
Attacker's Goals
- View processes on the host.
- View the environment variables for each pod on the host.
- View the file descriptors for each pod on the host.
- Kill processes on the node.
Investigative actions
- Check the identity's role designation in the organization.
- Inspect for any additional suspicious activities inside the Kubernetes Pod.
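The detection described above, as an added example that is not part of the original page or the vendor's detector: it reads Kubernetes API audit events (JSON lines, trimmed here to the fields the logic uses; the real events carry many more), flags successful pod creations whose `spec.hostPID` is `true`, tags the three first-time variations (cluster, namespace, identity) that raise the severity from Informational to Low, and suppresses repeat alerts for the same identity and namespace inside the 5-day deduplication window. The usernames, namespaces, pod names and timestamps in the sample log are constructed.

```python
"""Flag Kubernetes pod creations that share the host PID namespace (added example)."""
import json
from datetime import datetime, timedelta

DEDUP_WINDOW = timedelta(days=5)  # matches the detector's deduplication period

# Constructed sample audit log: one simplified Kubernetes audit event per line.
SAMPLE_AUDIT_LOG = """\
{"verb":"create","user":{"username":"alice"},"stageTimestamp":"2024-05-01T10:00:00Z","objectRef":{"resource":"pods","namespace":"default","name":"debug"},"responseStatus":{"code":201},"requestObject":{"spec":{"hostPID":true,"containers":[{"name":"sh","image":"busybox"}]}}}
{"verb":"create","user":{"username":"bob"},"stageTimestamp":"2024-05-01T11:00:00Z","objectRef":{"resource":"pods","namespace":"default","name":"web"},"responseStatus":{"code":201},"requestObject":{"spec":{"containers":[{"name":"web","image":"nginx"}]}}}
{"verb":"get","user":{"username":"alice"},"stageTimestamp":"2024-05-01T12:00:00Z","objectRef":{"resource":"pods","namespace":"default","name":"debug"},"responseStatus":{"code":200}}
{"verb":"create","user":{"username":"carol"},"stageTimestamp":"2024-05-02T09:00:00Z","objectRef":{"resource":"pods","namespace":"default","name":"tool"},"responseStatus":{"code":403},"requestObject":{"spec":{"hostPID":true,"containers":[{"name":"sh","image":"busybox"}]}}}
{"verb":"create","user":{"username":"bob"},"stageTimestamp":"2024-05-02T10:00:00Z","objectRef":{"resource":"pods","namespace":"default","name":"tool"},"responseStatus":{"code":201},"requestObject":{"spec":{"hostPID":true,"containers":[{"name":"sh","image":"busybox"}]}}}
{"verb":"create","user":{"username":"alice"},"stageTimestamp":"2024-05-03T10:00:00Z","objectRef":{"resource":"pods","namespace":"default","name":"debug2"},"responseStatus":{"code":201},"requestObject":{"spec":{"hostPID":true,"containers":[{"name":"sh","image":"busybox"}]}}}
{"verb":"create","user":{"username":"alice"},"stageTimestamp":"2024-05-10T10:00:00Z","objectRef":{"resource":"pods","namespace":"monitoring","name":"probe"},"responseStatus":{"code":201},"requestObject":{"spec":{"hostPID":true,"containers":[{"name":"sh","image":"busybox"}]}}}
"""


def parse_log(text: str) -> list:
    """Parse a JSON-lines audit log into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_hostpid_pod_create(event: dict) -> bool:
    """True for a successful pod create whose spec requests the host PID namespace."""
    if event.get("verb") != "create":
        return False
    ref = event.get("objectRef", {})
    if ref.get("resource") != "pods" or ref.get("subresource"):
        return False
    if event.get("responseStatus", {}).get("code", 0) >= 300:
        return False  # RBAC or admission rejected the request; no pod was created
    spec = event.get("requestObject", {}).get("spec", {})
    return spec.get("hostPID") is True


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


class HostPidDetector:
    """Stateful detector: baselines what has been seen and deduplicates repeats."""

    def __init__(self):
        self.seen_cluster = False
        self.seen_namespaces = set()
        self.seen_identities = set()
        self.last_alert = {}  # (identity, namespace) -> time of last alert

    def process(self, event: dict):
        """Return an alert dict for a hostPID pod creation, or None if ignored/deduplicated."""
        if not is_hostpid_pod_create(event):
            return None
        identity = event["user"]["username"]
        namespace = event["objectRef"].get("namespace", "")
        when = _parse_ts(event["stageTimestamp"])

        # First-time variations, evaluated against the baseline built so far.
        variations = []
        if not self.seen_cluster:
            variations.append("first time in the cluster")
        if namespace not in self.seen_namespaces:
            variations.append("first time in the namespace")
        if identity not in self.seen_identities:
            variations.append("first time by the identity")
        self.seen_cluster = True
        self.seen_namespaces.add(namespace)
        self.seen_identities.add(identity)

        # Deduplicate repeat creations by the same identity in the same namespace.
        key = (identity, namespace)
        last = self.last_alert.get(key)
        if last is not None and when - last < DEDUP_WINDOW:
            return None
        self.last_alert[key] = when

        return {
            "identity": identity,
            "namespace": namespace,
            "pod": event["objectRef"].get("name", ""),
            "time": event["stageTimestamp"],
            "variations": variations,
            "severity": "Low" if variations else "Informational",
        }


def run_detector(log_text: str) -> list:
    """Run the detector over a whole log and return the alerts it raised, in order."""
    detector = HostPidDetector()
    alerts = []
    for event in parse_log(log_text):
        alert = detector.process(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_detector(SAMPLE_AUDIT_LOG):
        print(json.dumps(alert))
```

On the sample log this raises three alerts (alice in `default`, bob in `default`, alice in `monitoring`) and drops the second alice pod in `default` because it falls inside the 5-day window. Two points an investigator should keep in mind: the denied `carol` request is ignored here because no pod was created, so attempted-but-rejected hostPID pods need their own rule if you want them; and pods created through a controller (a Deployment's ReplicaSet, a DaemonSet) are logged with the controller's service account as the identity, so the "first time by the identity" variation then reflects that service account rather than the user who applied the workload.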
Variations
Kubernetes Pod created with host process ID (PID) namespace for the first time in the cluster
Synopsis

| Field | Value |
| --- | --- |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
An identity created a Kubernetes pod with the host process ID (PID) namespace.
This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root.
Attacker's Goals
- View processes on the host.
- View the environment variables for each pod on the host.
- View the file descriptors for each pod on the host.
- Kill processes on the node.
Investigative actions
- Check the identity's role designation in the organization.
- Inspect for any additional suspicious activities inside the Kubernetes Pod.
Kubernetes Pod created with host process ID (PID) namespace for the first time in the namespace
Synopsis

| Field | Value |
| --- | --- |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
An identity created a Kubernetes pod with the host process ID (PID) namespace.
This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root.
Attacker's Goals
- View processes on the host.
- View the environment variables for each pod on the host.
- View the file descriptors for each pod on the host.
- Kill processes on the node.
Investigative actions
- Check the identity's role designation in the organization.
- Inspect for any additional suspicious activities inside the Kubernetes Pod.
Kubernetes Pod created with host process ID (PID) namespace for the first time by the identity
Synopsis

| Field | Value |
| --- | --- |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
An identity created a Kubernetes pod with the host process ID (PID) namespace.
This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root.
Attacker's Goals
- View processes on the host.
- View the environment variables for each pod on the host.
- View the file descriptors for each pod on the host.
- Kill processes on the node.
Investigative actions
- Check the identity's role designation in the organization.
- Inspect for any additional suspicious activities inside the Kubernetes Pod.