Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 5 Days
Required Data | Requires one of the following data sources: AWS Audit Log OR Azure Audit Log OR Gcp Audit Log
Detection Modules | Cloud
Detector Tags | Kubernetes - API
ATT&CK Tactic | Execution (TA0002)
ATT&CK Technique | Container Administration Command (T1609)
Severity | Informational
Description
An identity initiated a shell session within a Kubernetes pod using the exec command (kubectl exec, which calls the pods/exec subresource of the Kubernetes API and is recorded in the cluster's audit log).
The command allows an identity to establish a temporary interactive session and execute arbitrary commands inside a running container of the pod. exec is also used legitimately for debugging, so the signal is the identity, cluster, namespace or pod being new rather than the command itself.
An unexpected exec may indicate an attacker who has obtained credentials and is gaining an interactive shell, which gives access to the pod's data: its filesystem, environment variables, mounted secrets and the service account token the pod uses to talk to the API server.
Attacker's Goals
- Execute commands within the Kubernetes Pod.
- Access any resource the Kubernetes Pod has access to, including mounted secrets, reachable network services and the permissions of the pod's service account.
Investigative actions
- Check the identity's role designation in the organization and whether exec access to this cluster, namespace or pod is expected for it (an operator or the owning team, rather than a CI service account or an unrelated user).
- Inspect for any additional suspicious activities inside the Kubernetes Pod, such as reads of mounted secrets or the service account token, unexpected outbound connections, or API requests made with the pod's service account shortly after the exec.
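The detection described above, together with the three "first time" scopes listed under Variations, as an added example that is not part of the original page or the vendor's detector: a stream detector over Kubernetes audit events. It assumes the cloud audit log carries the upstream audit.k8s.io/v1 event fields (verb, objectRef.subresource, stage, user, responseStatus) and that the log pipeline adds a cluster field; the training start, the per-scope keys and the deduplication key are simplifications chosen here, not the product's logic. The sample log lines are constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed audit records (not from the page). Each line is a Kubernetes
# audit.k8s.io/v1 Event in the shape EKS, AKS and GKE forward to the cloud audit
# log, plus a "cluster" field we assume the pipeline copies from the provider's
# envelope. The first two lines fall inside the 30-day training window.
SAMPLE_AUDIT_LINES = [
    # training: alice execs into two pods in payments (learned, no alerts)
    '{"auditID":"a1","stage":"ResponseStarted","requestReceivedTimestamp":"2024-03-01T09:00:00Z","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"payments","name":"api-0","subresource":"exec"},"cluster":"prod-eu"}',
    '{"auditID":"a2","stage":"ResponseStarted","requestReceivedTimestamp":"2024-03-10T11:00:00Z","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"payments","name":"api-1","subresource":"exec"},"cluster":"prod-eu"}',
    # after training: one exec logged at two stages; alice enters a new namespace
    '{"auditID":"a3","stage":"RequestReceived","requestReceivedTimestamp":"2024-04-05T08:00:00Z","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"billing","name":"worker-0","subresource":"exec"},"cluster":"prod-eu"}',
    '{"auditID":"a3","stage":"ResponseStarted","requestReceivedTimestamp":"2024-04-05T08:00:00Z","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"billing","name":"worker-0","subresource":"exec"},"cluster":"prod-eu"}',
    # a plain GET on the pod is not an exec
    '{"auditID":"a4","stage":"ResponseComplete","requestReceivedTimestamp":"2024-04-05T08:05:00Z","verb":"get","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"billing","name":"worker-0"},"cluster":"prod-eu"}',
    # a CI service account that never exec'd before: new at every scope
    '{"auditID":"a5","stage":"ResponseStarted","requestReceivedTimestamp":"2024-04-06T22:00:00Z","verb":"create","user":{"username":"system:serviceaccount:ci:deployer"},"objectRef":{"resource":"pods","namespace":"payments","name":"api-0","subresource":"exec"},"cluster":"prod-eu"}',
    # next day, another new pod: suppressed by the 5-day deduplication window
    '{"auditID":"a6","stage":"ResponseStarted","requestReceivedTimestamp":"2024-04-07T22:00:00Z","verb":"create","user":{"username":"system:serviceaccount:ci:deployer"},"objectRef":{"resource":"pods","namespace":"payments","name":"api-1","subresource":"exec"},"cluster":"prod-eu"}',
    # a denied exec (403) never opened a session and is ignored by this detector
    '{"auditID":"a7","stage":"ResponseComplete","requestReceivedTimestamp":"2024-04-08T03:00:00Z","verb":"create","user":{"username":"bob@example.com"},"objectRef":{"resource":"pods","namespace":"payments","name":"api-0","subresource":"exec"},"responseStatus":{"code":403},"cluster":"prod-eu"}',
    # more than five days after the last pod-scope alert for this identity: fires again
    '{"auditID":"a8","stage":"ResponseStarted","requestReceivedTimestamp":"2024-04-15T10:00:00Z","verb":"create","user":{"username":"system:serviceaccount:ci:deployer"},"objectRef":{"resource":"pods","namespace":"payments","name":"api-2","subresource":"exec"},"cluster":"prod-eu"}',
]


def parse_ts(value):
    """Kubernetes audit timestamps are RFC 3339 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_opened_pod_exec(event):
    """True for a pods/exec request that the API server actually let through."""
    ref = event.get("objectRef") or {}
    if not (event.get("verb") == "create" and ref.get("resource") == "pods"
            and ref.get("subresource") == "exec"):
        return False
    # RequestReceived is written before authorization, so wait for a later stage.
    if event.get("stage") == "RequestReceived":
        return False
    # A 4xx means the exec was denied; that deserves its own detection, not this one.
    return (event.get("responseStatus") or {}).get("code", 200) < 400


class FirstExecDetector:
    """Flags the first exec by an identity at cluster, namespace and pod scope."""

    def __init__(self, training_days=30, dedup_days=5):
        self.training = timedelta(days=training_days)
        self.dedup = timedelta(days=dedup_days)
        self.start = None            # first timestamp seen; opens the training window
        self.seen_keys = set()       # (scope, identity, cluster, ...) already observed
        self.seen_audit_ids = set()  # one exec is logged at several stages
        self.last_alert = {}         # (scope, identity, cluster) -> last alert time

    def process(self, event):
        """Return the alerts (possibly none) raised by one audit event."""
        if not is_opened_pod_exec(event):
            return []
        audit_id = event.get("auditID")
        if audit_id is not None:
            if audit_id in self.seen_audit_ids:
                return []
            self.seen_audit_ids.add(audit_id)
        ts = parse_ts(event["requestReceivedTimestamp"])
        if self.start is None:
            self.start = ts
        identity, cluster, ref = event["user"]["username"], event["cluster"], event["objectRef"]
        scopes = {
            "cluster": (identity, cluster),
            "namespace": (identity, cluster, ref["namespace"]),
            "pod": (identity, cluster, ref["namespace"], ref["name"]),
        }
        alerts = []
        for scope, key in scopes.items():
            if (scope,) + key in self.seen_keys:
                continue                       # baseline already contains this pair
            self.seen_keys.add((scope,) + key)
            if ts < self.start + self.training:
                continue                       # still learning: record, do not alert
            dedup_key = (scope, identity, cluster)
            last = self.last_alert.get(dedup_key)
            if last is not None and ts - last < self.dedup:
                continue                       # same variation fired for this identity recently
            self.last_alert[dedup_key] = ts
            alerts.append({"variation": scope, "identity": identity, "cluster": cluster,
                           "namespace": ref["namespace"], "pod": ref["name"], "time": ts})
        return alerts


def run_detector(lines, training_days=30, dedup_days=5):
    """Feed JSON audit lines through the detector and collect every alert."""
    detector = FirstExecDetector(training_days, dedup_days)
    alerts = []
    for line in lines:
        alerts.extend(detector.process(json.loads(line)))
    return alerts


if __name__ == "__main__":
    for alert in run_detector(SAMPLE_AUDIT_LINES):
        print(f"{alert['time']:%Y-%m-%d} first exec at {alert['variation']} scope: "
              f"{alert['identity']} -> {alert['cluster']}/{alert['namespace']}/{alert['pod']}")
```

Two caveats worth carrying into a real deployment: the audit log emits one event per stage for a single exec, so deduplicating on auditID (or waiting for a post-authorization stage) is necessary to avoid double counting, and a denied exec (4xx) is filtered out here because it is evidence of probing rather than of an opened session and belongs in a separate detection.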
Variations
First time execution into Kubernetes Pod at the cluster-level
Synopsis
Description
An identity initiated a shell session within a Kubernetes pod using the exec command (kubectl exec, the pods/exec subresource of the Kubernetes API), and it is the first time this identity has done so anywhere in the cluster.
The command allows an identity to establish a temporary interactive session and execute arbitrary commands inside a running container of the pod.
An unexpected exec may indicate an attacker who has obtained credentials and is gaining an interactive shell, which gives access to the pod's data, mounted secrets and service account token.
Attacker's Goals
- Execute commands within the Kubernetes Pod.
- Access any resource the Kubernetes Pod has access to.
Investigative actions
- Check the identity's role designation in the organization and whether exec access to this cluster is expected for it.
- Inspect for any additional suspicious activities inside the Kubernetes Pod, such as reads of mounted secrets or API requests made with the pod's service account after the exec.
Identity executed into Kubernetes Pod for the first time
Synopsis
Description
An identity initiated a shell session within a Kubernetes pod using the exec command (kubectl exec, the pods/exec subresource of the Kubernetes API), and it is the first time this identity has executed into this pod.
The command allows an identity to establish a temporary interactive session and execute arbitrary commands inside a running container of the pod.
An unexpected exec may indicate an attacker who has obtained credentials and is gaining an interactive shell, which gives access to the pod's data, mounted secrets and service account token.
Attacker's Goals
- Execute commands within the Kubernetes Pod.
- Access any resource the Kubernetes Pod has access to.
Investigative actions
- Check the identity's role designation in the organization and whether exec access to this pod is expected for it.
- Inspect for any additional suspicious activities inside the Kubernetes Pod, such as reads of mounted secrets or API requests made with the pod's service account after the exec.
Identity executed into a Kubernetes namespace for the first time
Synopsis
Description
An identity initiated a shell session within a Kubernetes pod using the exec command (kubectl exec, the pods/exec subresource of the Kubernetes API), and it is the first time this identity has executed into any pod in this namespace.
The command allows an identity to establish a temporary interactive session and execute arbitrary commands inside a running container of the pod.
An unexpected exec may indicate an attacker who has obtained credentials and is gaining an interactive shell, which gives access to the pod's data, mounted secrets and service account token.
Attacker's Goals
- Execute commands within the Kubernetes Pod.
- Access any resource the Kubernetes Pod has access to.
Investigative actions
- Check the identity's role designation in the organization and whether exec access to this namespace is expected for it.
- Inspect for any additional suspicious activities inside the Kubernetes Pod, such as reads of mounted secrets or API requests made with the pod's service account after the exec.
Identity executed into a Kubernetes Pod for the first time
Synopsis
Description
An identity initiated a shell session within a Kubernetes pod using the exec command (kubectl exec, the pods/exec subresource of the Kubernetes API), and it is the first time this identity has executed into this pod.
The command allows an identity to establish a temporary interactive session and execute arbitrary commands inside a running container of the pod.
An unexpected exec may indicate an attacker who has obtained credentials and is gaining an interactive shell, which gives access to the pod's data, mounted secrets and service account token.
Attacker's Goals
- Execute commands within the Kubernetes Pod.
- Access any resource the Kubernetes Pod has access to.
Investigative actions
- Check the identity's role designation in the organization and whether exec access to this pod is expected for it.
- Inspect for any additional suspicious activities inside the Kubernetes Pod, such as reads of mounted secrets or API requests made with the pod's service account after the exec.