From 3ddbfdfbb1979a526186f89d852f9acca70bb81b Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Mon, 4 May 2026 12:17:26 +0200
Subject: [PATCH] [New Rule] Kubernetes Pod Creation Using Common Debug or Base Images (#5890)

* [New Rule] Kubernetes Pod Creation Using Common Debug or Base Images

* Added new terms logic

* Convert to BBR.
---
 ...mmon_debug_or_base_image_pod_creation.toml | 80 +++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 rules_building_block/execution_common_debug_or_base_image_pod_creation.toml

diff --git a/rules_building_block/execution_common_debug_or_base_image_pod_creation.toml b/rules_building_block/execution_common_debug_or_base_image_pod_creation.toml
new file mode 100644
index 000000000..c3a95dab1
--- /dev/null
+++ b/rules_building_block/execution_common_debug_or_base_image_pod_creation.toml
@@ -0,0 +1,80 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2026/05/04"
+integration = ["kubernetes"]
+maturity = "production"
+updated_date = "2026/05/04"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects successful Kubernetes pod creation requests using commonly abused base and debugging container
+images such as BusyBox, Alpine, Ubuntu, Netshoot, and network multitool variants. These images are
+frequently used by attackers to deploy short-lived or interactive "throwaway" containers for
+reconnaissance, payload staging, or command execution due to their small footprint or built-in tooling.
+"""
+index = ["logs-kubernetes.audit_logs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Kubernetes Pod Creation Using Common Debug or Base Images"
+risk_score = 21
+rule_id = "93120a05-caf5-47f6-a305-e8abee463fb9"
+severity = "low"
+tags = [
+ "Data Source: Kubernetes",
+ "Domain: Kubernetes",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Defense Evasion",
+ "Rule Type: BBR",
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.dataset:"kubernetes.audit_logs" and
+kubernetes.audit.stage:"ResponseComplete" and
+kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
+kubernetes.audit.objectRef.resource:"pods" and
+kubernetes.audit.verb:"create" and
+kubernetes.audit.requestObject.spec.containers.image:(alpine* or busybox* or ubuntu\:* or debian\:* or *netshoot\:* or *network-multitool\:* or *curl\:*)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat.technique]]
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat.technique]]
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["source.ip", "user_agent.original", "user.name"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-5d"
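Review bot: The image clause of the query is anchored inconsistently: `alpine*`, `busybox*`, `ubuntu\:*` and `debian\:*` only match when the name begins the reference, so a registry-qualified or mirror-registry pull (a constructed example: `docker.io/library/busybox:1.36`) is missed, while the `*netshoot\:*`, `*network-multitool\:*` and `*curl\:*` forms accept any prefix; the `\:*` forms additionally miss untagged (`ubuntu`) and digest-pinned (`ubuntu@sha256:…`) references, which is worth a short comment in the description so the coverage boundary is explicit. The clause also reads only `spec.containers.image`, so the same images declared under `spec.initContainers` pass through the create verb unmatched; if the integration maps that path, adding `or kubernetes.audit.requestObject.spec.initContainers.image:(alpine* or busybox* or ubuntu\:* or debian\:* or *netshoot\:* or *network-multitool\:* or *curl\:*)` inside the same `and` would close that gap. Ephemeral debug containers added to a running pod appear to arrive as an update on the `pods/ephemeralcontainers` subresource rather than as a pod `create`, so they are out of scope for this rule as written, and a sentence in the description saying so would set expectations. Finally, `rule.new_terms` keys on ECS `source.ip`, `user_agent.original` and `user.name` while the query addresses only `kubernetes.audit.*` fields; please confirm the `kubernetes.audit_logs` dataset populates those ECS fields, since a new_terms field that is never present yields no alerts.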