Potential Remote Command Execution In Pod Container

Updated 2 months ago

Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.

MITRE ATT&CK® techniques

Container Administration Command (T1609)

Source control: SigmaHQ/sigma
Status: Synced
File path: rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml
Due date: October 29, 2025

Activity

created rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml
2 months ago

title: Potential Remote Command Execution In Pod Container
id: a1b0ca4e-7835-413e-8471-3ff2b8a66be6
status: test
description: |
    Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1609
    - attack.execution
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        objectRef.subresource: 'exec'
    condition: selection
falsepositives:
    - Legitimate debugging activity. Investigate the identity performing the requests and their authorization.
level: medium

Potential Remote Command Execution In Pod Container

Tags

MITRE ATT&CK® techniques

Activity

References

Potential Remote Command Execution In Pod Container

Product information

Tags

MITRE ATT&CK® techniques

Summary

Activity

Raw rule

References