Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 5 Days
Required Data | Requires one of the following data sources: AWS Audit Log, Azure Audit Log, or GCP Audit Log
Detection Modules | Cloud
Detector Tags | Kubernetes - API
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
An identity created a Kubernetes pod attached to the host network.
This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy.
Attacker's Goals
- Access services bound to localhost.
- Sniff traffic on any interface on the host.
- Bypass network policy.
Investigative actions
- Check the identity's role designation in the organization.
- Inspect for any unusual access to localhost services.
- Inspect for any network sniffing tool being used inside the Kubernetes Pod.
Variations
Kubernetes pod creation with host network for the first time in the cluster
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
An identity created a Kubernetes pod attached to the host network.
This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy.
Attacker's Goals
- Access services bound to localhost.
- Sniff traffic on any interface on the host.
- Bypass network policy.
Investigative actions
- Check the identity's role designation in the organization.
- Inspect for any unusual access to localhost services.
- Inspect for any network sniffing tool being used inside the Kubernetes Pod.
Kubernetes pod creation with host network for the first time in the namespace
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
An identity created a Kubernetes pod attached to the host network.
This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy.
Attacker's Goals
- Access services bound to localhost.
- Sniff traffic on any interface on the host.
- Bypass network policy.
Investigative actions
- Check the identity's role designation in the organization.
- Inspect for any unusual access to localhost services.
- Inspect for any network sniffing tool being used inside the Kubernetes Pod.
Kubernetes pod creation with host network for the first time by the identity
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
An identity created a Kubernetes pod attached to the host network.
This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy.
Attacker's Goals
- Access services bound to localhost.
- Sniff traffic on any interface on the host.
- Bypass network policy.
Investigative actions
- Check the identity's role designation in the organization.
- Inspect for any unusual access to localhost services.
- Inspect for any network sniffing tool being used inside the Kubernetes Pod.
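As an added illustration of the base detector and its three first-seen variations (this is example code, not the vendor's detection logic), the following Python filters Kubernetes audit events for pod creations whose spec sets `hostNetwork: true` and tags each hit with whichever "first in cluster", "first in namespace" or "first by identity" variation applies. It assumes events arrive in Kubernetes audit-log JSON shape with a top-level `cluster` field added by the cloud provider's forwarder; the sample events are constructed.

```python
import json
from collections import defaultdict

# Constructed sample events in Kubernetes audit-log JSON shape; the top-level "cluster"
# field is assumed to be added by the cloud provider's log forwarder (an assumption).
SAMPLE_AUDIT_LINES = [
    json.dumps({"cluster": "prod-a", "verb": "create", "user": {"username": "alice@example.com"},
                "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "cni-node-1"},
                "requestObject": {"spec": {"hostNetwork": True}}}),
    json.dumps({"cluster": "prod-a", "verb": "create", "user": {"username": "alice@example.com"},
                "objectRef": {"resource": "pods", "namespace": "default", "name": "debug-1"},
                "requestObject": {"spec": {"hostNetwork": True}}}),
    json.dumps({"cluster": "prod-a", "verb": "create", "user": {"username": "bob@example.com"},
                "objectRef": {"resource": "pods", "namespace": "default", "name": "web-1"},
                "requestObject": {"spec": {"hostNetwork": False}}}),
    json.dumps({"cluster": "prod-a", "verb": "create", "user": {"username": "bob@example.com"},
                "objectRef": {"resource": "pods", "namespace": "default", "name": "debug-2"},
                "requestObject": {"spec": {"hostNetwork": True}}}),
]

def is_host_network_pod_create(event: dict) -> bool:
    """True for a 'create pods' audit event whose pod spec sets hostNetwork: true."""
    if event.get("verb") != "create" or event.get("objectRef", {}).get("resource") != "pods":
        return False
    return event.get("requestObject", {}).get("spec", {}).get("hostNetwork") is True

def detect(audit_lines):
    """One alert per host-network pod creation, tagged with the first-seen
    variations (cluster / namespace / identity) that fire for it."""
    seen = defaultdict(set)  # variation name -> keys already observed
    alerts = []
    for line in audit_lines:
        ev = json.loads(line)
        if not is_host_network_pod_create(ev):
            continue
        cluster = ev.get("cluster", "unknown")
        ns = ev["objectRef"].get("namespace", "")
        user = ev.get("user", {}).get("username", "")
        scopes = {"first in cluster": cluster, "first in namespace": (cluster, ns),
                  "first by identity": (cluster, user)}
        variations = [name for name, key in scopes.items() if key not in seen[name]]
        for name, key in scopes.items():
            seen[name].add(key)
        alerts.append({"cluster": cluster, "namespace": ns, "identity": user,
                       "pod": ev["objectRef"]["name"],
                       "severity": "Low" if variations else "Informational",
                       "variations": variations})
    return alerts
```

Note that `requestObject` is only populated when the cluster's audit policy logs pods at the Request or RequestResponse level; at the Metadata level the pod spec is absent and this filter matches nothing.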