Synopsis
| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 5 Days |
| Required Data | |
| Detection Modules | |
| Detector Tags | Kubernetes - AGENT, Containers |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.
This may indicate an adversary attempting to escape from the Kubernetes Pod to the host.
Attacker's Goals
Escape from a container to the host machine and expand the foothold in the network.
Investigative actions
- Change the container socket configuration.
- Check whether the default docker daemon binding was changed to TCP; if it was, every non-root user might be able to access the container.
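The two investigative actions above can be scripted against the output of `kubectl get pods -A -o json` and the node's `/etc/docker/daemon.json`. The following is an added example written for this page, not detection logic from the product itself; it flags hostPath volumes that expose a runtime socket (directly or through a parent directory such as `/run` or `/`) and lists any `tcp://` listener configured for the Docker daemon. The socket paths and the sample inputs are assumptions constructed for a typical Docker / containerd / CRI-O node.

```python
# Host paths where container runtime sockets usually live (assumption: a
# standard Docker / containerd / CRI-O node layout).
RUNTIME_SOCKETS = {
    "/var/run/docker.sock", "/run/docker.sock",
    "/run/containerd/containerd.sock", "/var/run/containerd/containerd.sock",
    "/run/crio/crio.sock", "/var/run/crio/crio.sock",
}

def runtime_socket_mounts(pod_list):
    """Return (namespace, pod, volume, hostPath) for each hostPath volume exposing a runtime socket."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        for vol in pod.get("spec", {}).get("volumes", []):
            path = vol.get("hostPath", {}).get("path")
            if not path:
                continue  # not a hostPath volume (emptyDir, configMap, ...)
            norm = path.rstrip("/") or "/"
            # A mount of a parent directory ("/run", "/") exposes the socket too.
            prefix = "/" if norm == "/" else norm + "/"
            if norm in RUNTIME_SOCKETS or any(s.startswith(prefix) for s in RUNTIME_SOCKETS):
                findings.append((meta.get("namespace"), meta.get("name"),
                                 vol.get("name"), path))
    return findings

def docker_tcp_hosts(daemon_config):
    """Return every tcp:// listener in the 'hosts' key of Docker's daemon.json."""
    return [h for h in daemon_config.get("hosts", []) if h.startswith("tcp://")]

# Constructed sample in the shape returned by `kubectl get pods -A -o json`.
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "default", "name": "builder"},
     "spec": {"volumes": [{"name": "dockersock",
                           "hostPath": {"path": "/var/run/docker.sock"}}]}},
    {"metadata": {"namespace": "kube-system", "name": "node-agent"},
     "spec": {"volumes": [{"name": "run", "hostPath": {"path": "/run/"}},
                          {"name": "logs", "hostPath": {"path": "/var/log"}},
                          {"name": "tmp", "emptyDir": {}}]}},
]}
# Constructed sample of /etc/docker/daemon.json with a TCP listener added.
SAMPLE_DAEMON_JSON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}

if __name__ == "__main__":
    for f in runtime_socket_mounts(SAMPLE_PODS):
        print("runtime socket exposed: ns=%s pod=%s volume=%s path=%s" % f)
    for h in docker_tcp_hosts(SAMPLE_DAEMON_JSON):
        print("docker daemon listening on", h)
```

On a real cluster, load the JSON from `kubectl` and the daemon file with `json.load` and pass the dicts in unchanged; a non-empty result from either function is a finding to review against the alert.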
Variations
- Suspicious container runtime connection from within a Kubernetes Pod using the curl client
- Suspicious container runtime connection from within a Kubernetes Pod using the docker client