Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 5 Days
Required Data |
Detection Modules | Cloud
Detector Tags | Kubernetes - API
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
An identity created a Kubernetes pod with a privileged container.
This may indicate an adversary attempting to access the host's filesystem or gain root access to the host.
Attacker's Goals
- Gain access to the host's filesystem.
- Gain root access to the host.
Investigative Actions
- Check the identity's role designation in the organization.
- Inspect for any additional suspicious activities inside the Kubernetes Pod.
Variations
- Kubernetes Privileged Pod Creation for the first time in the cluster
- Kubernetes Privileged Pod Creation for the first time in the namespace
- Kubernetes Privileged Pod Creation for the first time by the identity
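The detection logic behind the Description and the three Variations above, as an added illustration that is not the vendor's detector code: it scans constructed Kubernetes API audit events for pod creates whose containers (including init containers) set securityContext.privileged, tags each alert with the first-seen scope (cluster, namespace, identity), and suppresses repeats for the same identity and namespace inside the 5-day deduplication period. The event field names follow the Kubernetes audit log format; the sample log lines, usernames and namespaces are constructed.

```python
import json
from datetime import datetime, timedelta

DEDUP_WINDOW = timedelta(days=5)  # the page's Deduplication Period

# Constructed sample audit events (JSON lines), not data from a real cluster.
SAMPLE_AUDIT_LOG = """
{"verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"dev"},"requestReceivedTimestamp":"2024-03-01T10:00:00Z","requestObject":{"spec":{"containers":[{"name":"app","securityContext":{"privileged":false}}]}}}
{"verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"dev"},"requestReceivedTimestamp":"2024-03-01T10:05:00Z","requestObject":{"spec":{"containers":[{"name":"dbg","securityContext":{"privileged":true}}]}}}
{"verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"dev"},"requestReceivedTimestamp":"2024-03-02T10:00:00Z","requestObject":{"spec":{"containers":[{"name":"dbg2","securityContext":{"privileged":true}}]}}}
{"verb":"create","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"prod"},"requestReceivedTimestamp":"2024-03-03T09:00:00Z","requestObject":{"spec":{"initContainers":[{"name":"init","securityContext":{"privileged":true}}],"containers":[{"name":"web"}]}}}
{"verb":"update","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"prod"},"requestReceivedTimestamp":"2024-03-03T09:30:00Z","requestObject":{"spec":{"containers":[{"name":"web","securityContext":{"privileged":true}}]}}}
"""


def is_privileged_pod_create(event):
    """True for a pod 'create' whose containers or initContainers request privileged: true."""
    if event.get("verb") != "create" or event.get("objectRef", {}).get("resource") != "pods":
        return False
    spec = event.get("requestObject", {}).get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return any(c.get("securityContext", {}).get("privileged") is True for c in containers)


def detect(audit_log):
    """Return one alert per privileged pod creation, tagged with the page's variations.

    The seen-sets stand in for the detector's training-period baseline; a repeat for the
    same identity and namespace within DEDUP_WINDOW is suppressed as a duplicate."""
    seen_cluster, seen_ns, seen_user, last_alert, alerts = False, set(), set(), {}, []
    for line in audit_log.strip().splitlines():
        ev = json.loads(line)
        if not is_privileged_pod_create(ev):
            continue
        ts = datetime.fromisoformat(ev["requestReceivedTimestamp"].replace("Z", "+00:00"))
        user, ns = ev["user"]["username"], ev["objectRef"]["namespace"]
        variations = []
        if not seen_cluster:
            variations.append("first in cluster")
        if ns not in seen_ns:
            variations.append("first in namespace")
        if user not in seen_user:
            variations.append("first by identity")
        seen_cluster, _, _ = True, seen_ns.add(ns), seen_user.add(user)
        if (user, ns) in last_alert and ts - last_alert[(user, ns)] < DEDUP_WINDOW:
            continue  # duplicate inside the deduplication period
        last_alert[(user, ns)] = ts
        alerts.append({"time": ts.isoformat(), "user": user, "namespace": ns, "variations": variations})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG):
        print(alert)
```

On the sample log, alice's second privileged pod the next day is suppressed by the 5-day window, and bob's pod is caught through its privileged init container while his later 'update' is ignored.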