security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
main
sigma-rules/rules/integrations/kubernetes
T
History
Samirbous e4746c3a83 [New] Suspicious Kubernetes Pod Exec (#5978) 
* [New] Kubernetes Pod Exec with Curl or Wget to HTTPS

Detects pod or attach `exec` API calls where the decoded request query implies curl or wget fetching an https URL (avoid noisy local http services).

* Create execution_kubernetes_pod_exec_potential_reverse_shell.toml

* Update execution_kubernetes_pod_exec_curl_wget_https.toml

* Update execution_kubernetes_pod_exec_potential_reverse_shell.toml

* ++

* ++

* Apply suggestion from @terrancedejesus

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Apply suggestion from @terrancedejesus

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Apply suggestion from @terrancedejesus

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Apply suggestion from @terrancedejesus

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Apply suggestion from @terrancedejesus

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Apply suggestion from @terrancedejesus

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update execution_kubernetes_pod_exec_curl_wget_https.toml

* Update execution_kubernetes_pod_exec_potential_reverse_shell.toml

* Update credential_access_kubernetes_pod_exec_cloud_instance_metadata.toml

* Update credential_access_kubernetes_pod_exec_sensitive_file_access.toml

* Update execution_kubernetes_pod_exec_curl_wget_https.toml

* Update credential_access_kubernetes_pod_exec_sensitive_file_access.toml

* Update credential_access_kubernetes_pod_exec_cloud_instance_metadata.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2026-05-04 22:42:34 +01:00
..
credential_access_azure_arc_proxy_secret_configmap_access.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_get_secrets_access.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
credential_access_kubernetes_multiple_secret_retrieval_burst.toml
[New] Kubernetes Rapid Secret GET Activity Against Multiple Objects (#5967)
2026-05-02 10:43:13 +01:00
credential_access_kubernetes_pod_exec_cloud_instance_metadata.toml
[New] Suspicious Kubernetes Pod Exec (#5978)
2026-05-04 22:42:34 +01:00
credential_access_kubernetes_pod_exec_sensitive_file_access.toml
[New] Suspicious Kubernetes Pod Exec (#5978)
2026-05-04 22:42:34 +01:00
credential_access_kubernetes_secret_access_scripting_http_clients.toml
[New] Kubernetes Secret get or list with Suspicious User Agent (#5974)
2026-05-02 16:14:17 +01:00
credential_access_kubernetes_secret_read_by_node_or_pod_service_account.toml
[New] Kubernetes Secret get or list from Node or Pod Service Account (#5973)
2026-05-02 11:48:24 +01:00
credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml
[New] Kubernetes Secrets List Across Cluster or Sensitive Namespaces (#5966)
2026-05-02 10:55:30 +01:00
defense_evasion_events_deleted.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
discovery_denied_service_account_request.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
discovery_endpoint_permission_enumeration_by_anonymous_user.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_endpoint_permission_enumeration_by_user_and_srcip.toml
[Rule Tuning] kubernetes.audit.userAgent --> user_agent.original Conversion (#5808)
2026-03-05 14:13:30 +01:00
discovery_kubernetes_multi_resource_setup_recon.toml
[New] Kubernetes Multi-Resource Discovery (#5971)
2026-05-02 10:32:50 +01:00
discovery_suspicious_self_subject_review.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_anonymous_create_update_patch_pod_request.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_forbidden_creation_request.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_forbidden_request_from_unsual_user_agent.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_kubernetes_pod_exec_curl_wget_https.toml
[New] Suspicious Kubernetes Pod Exec (#5978)
2026-05-04 22:42:34 +01:00
execution_kubernetes_pod_exec_potential_reverse_shell.toml
[New] Suspicious Kubernetes Pod Exec (#5978)
2026-05-04 22:42:34 +01:00
execution_unusual_request_response_by_user_agent.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_user_exec_to_pod.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
initial_access_anonymous_request_authorized.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_cluster_admin_rolebinding_created.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_exposed_service_created_with_type_nodeport.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_sensitive_role_creation_or_modification.toml
[New/Tuning] K8 RBAC Privs (#5987)
2026-05-02 15:08:00 +01:00
persistence_service_account_bound_to_clusterrole.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_container_created_with_excessive_linux_capabilities.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_pod_created_with_hostipc.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_pod_created_with_hostnetwork.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_pod_created_with_hostpid.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_privileged_pod_created.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_role_patch_wildcard_verbs_resources_response.toml
[New/Tuning] K8 RBAC Privs (#5987)
2026-05-02 15:08:00 +01:00
privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_sensitive_workload_modification_by_user_agent.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_service_account_rbac_write_operation.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_suspicious_assignment_of_controller_service_account.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00