Suspicious container runtime connection from within a Kubernetes Pod

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-09-24
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

Kubernetes - AGENT, Containers

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Severity

Informational

Description

A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.
This may indicate an adversary attempting to escape from the Kubernetes Pod to the host.

Attacker's Goals

Escape from a container to the host machine and expand the foothold in the network.

Investigative actions

  • Change the container socket configuration.
  • Check whether the Docker daemon's default binding was changed to TCP; if it was, every non-root user might be able to access the container.
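The two investigative actions above are checks an analyst can script. The following is an added example (not Cortex XDR detection logic and not part of this reference page) that audits Pod manifests for hostPath volumes exposing the node's container runtime socket and inspects the Docker daemon configuration for a TCP listener. It assumes the conventional default socket paths for Docker, containerd and CRI-O and the `hosts` key of `daemon.json` / the `-H` and `--host` flags of `dockerd`; the Pod manifests and daemon configuration it runs on are constructed sample data.

```python
"""Audit helpers for the investigative actions of this alert (added example).

1. Which Pods mount the container runtime socket from the node via hostPath.
2. Whether the Docker daemon's default Unix-socket binding was changed to TCP.
"""
import json
import posixpath

# Assumption: conventional default socket locations for Docker, containerd
# and CRI-O. Extend this tuple if your nodes place the socket elsewhere.
RUNTIME_SOCKETS = (
    "/var/run/docker.sock",
    "/run/docker.sock",
    "/var/run/containerd/containerd.sock",
    "/run/containerd/containerd.sock",
    "/var/run/crio/crio.sock",
    "/run/crio/crio.sock",
)


def exposes_runtime_socket(host_path):
    """True if a hostPath is a runtime socket or a directory containing one.

    Mounting /var/run, /run or / into a container exposes the socket just as
    directly as mounting the socket file itself, so parents count too.
    """
    host_path = posixpath.normpath(host_path)
    prefix = host_path.rstrip("/") + "/"
    return any(sock == host_path or sock.startswith(prefix) for sock in RUNTIME_SOCKETS)


def find_socket_mounts(pod):
    """Return one finding per (container, volumeMount) that maps a runtime
    socket from the node into the container. `pod` is a Pod manifest dict."""
    spec = pod.get("spec", {})
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    # Volume name -> host path, for every hostPath volume that exposes a socket.
    exposing = {}
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath", {}).get("path")
        if host_path and exposes_runtime_socket(host_path):
            exposing[vol["name"]] = host_path
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for mount in c.get("volumeMounts", []):
            if mount.get("name") in exposing:
                findings.append({
                    "pod": pod_name,
                    "container": c.get("name"),
                    "hostPath": exposing[mount["name"]],
                    "mountPath": mount.get("mountPath"),
                })
    return findings


def docker_tcp_bindings(daemon_json_text="", dockerd_cmdline=""):
    """Return every tcp:// listener configured for dockerd, whether it comes
    from the "hosts" key of daemon.json or from -H/--host on the command line.
    An empty list means the daemon keeps its default Unix-socket-only binding."""
    listeners = []
    if daemon_json_text.strip():
        hosts = json.loads(daemon_json_text).get("hosts", [])
        if isinstance(hosts, str):
            hosts = [hosts]
        listeners += [h for h in hosts if h.startswith("tcp://")]
    tokens = dockerd_cmdline.split()
    for i, tok in enumerate(tokens):
        value = None
        if tok in ("-H", "--host") and i + 1 < len(tokens):
            value = tokens[i + 1]
        elif tok.startswith("-H=") or tok.startswith("--host="):
            value = tok.split("=", 1)[1]
        if value and value.startswith("tcp://"):
            listeners.append(value)
    return listeners


def audit(pods, daemon_json_text="", dockerd_cmdline=""):
    """Combine both checks into a single report dict."""
    return {
        "socket_mounts": [f for pod in pods for f in find_socket_mounts(pod)],
        "docker_tcp_listeners": docker_tcp_bindings(daemon_json_text, dockerd_cmdline),
    }


# Constructed sample input (not from the page): a CI-style Pod that mounts the
# Docker socket, a plain workload, and a daemon.json that also listens on TCP.
SAMPLE_PODS = [
    {
        "metadata": {"name": "ci-runner"},
        "spec": {
            "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
            "containers": [{"name": "runner",
                            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}]}],
        },
    },
    {
        "metadata": {"name": "web"},
        "spec": {
            "volumes": [{"name": "tmp", "emptyDir": {}}],
            "containers": [{"name": "nginx", "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}],
        },
    },
]
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PODS, SAMPLE_DAEMON_JSON), indent=2))
```

In practice the Pod list comes from `kubectl get pods -A -o json` (the `items` array) and the daemon configuration from `/etc/docker/daemon.json` plus the `dockerd` process command line on each node; any finding in `socket_mounts` identifies a Pod for which this alert is expected and whose socket mount should be justified or removed, and a non-empty `docker_tcp_listeners` is the changed default binding the second investigative action asks about.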

Variations

Suspicious container runtime connection from within a Kubernetes Pod using the curl client

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Severity

Low

Description

A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.
This may indicate an adversary attempting to escape from the Kubernetes Pod to the host.

Attacker's Goals

Escape from a container to the host machine and expand the foothold in the network.

Investigative actions

  • Change the container socket configuration.
  • Check whether the Docker daemon's default binding was changed to TCP; if it was, every non-root user might be able to access the container.

Suspicious container runtime connection from within a Kubernetes Pod using the docker client

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Severity

Medium

Description

A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.
This may indicate an adversary attempting to escape from the Kubernetes Pod to the host.

Attacker's Goals

Escape from a container to the host machine and expand the foothold in the network.

Investigative actions

  • Change the container socket configuration.
  • Check whether the Docker daemon's default binding was changed to TCP; if it was, every non-root user might be able to access the container.