sigma-rules/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
Isai 4f1b7fa448 Update execution_user_exec_to_pod.toml (#2092)
I'm removing the event.dataset portion of the query because that field has been removed from the current mapping, so this rule was not triggering with the most recent K8s Integrations.
2022-07-28 12:49:45 -04:00


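# Rule metadata. Dates are kept as "YYYY/MM/DD" strings (the format the
# existing values use), not native TOML dates.
[metadata]
creation_date = "2022/05/17"
integration = "kubernetes"
maturity = "production"
# The query depends on kubernetes.audit.objectRef.* fields, which are not
# available before stack 8.2.
min_stack_comments = "Necessary audit log fields not available prior to 8.2"
min_stack_version = "8.2"
# Bumped to the date of the query change (#2092, 2022-07-28); the previous
# value (2022/07/11) predated that commit and no longer reflected the rule.
updated_date = "2022/07/28"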
# Detection rule body. Key order follows the existing file: alphabetical,
# with `query` last.
[rule]
author = ["Elastic"]
description = """
This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec'
command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An
adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has
permissions to, including secrets.
"""
# Known benign sources of alerts. The query below matches every exec request
# regardless of user, namespace or command, so legitimate admin debugging
# will fire; narrow with rule exceptions rather than by editing the query.
false_positives = [
"""
An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from
Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands
inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ...
${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec
cassandra --cat /var/log/cassandra/system.log . Additionally, the -i and -t arguments might be used to run a shell
connected to the terminal: kubectl exec -i -t cassandra -- sh
""",
]
# Index pattern covers all Kubernetes integration data streams. The former
# event.dataset clause was dropped in #2092 because the field was removed
# from the mapping, so scoping now relies on kubernetes.audit.* fields only
# being populated in audit-log documents — NOTE(review): confirm against the
# current mapping.
index = ["logs-kubernetes.*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes User Exec into Pod"
# Rendered as the investigation/setup guide; requires audit logging to be
# enabled in the Kubernetes Fleet integration.
note = """## Setup
The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
references = [
"https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/",
"https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/",
]
risk_score = 47
rule_id = "14de811c-d60f-11ec-9fd7-f661ea17fbce"
severity = "medium"
tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution"]
# Rule windows are evaluated on ingest time rather than the event's own
# @timestamp — presumably to tolerate delayed audit-log shipping; verify.
timestamp_override = "event.ingested"
type = "query"
# Matches any API request targeting the "exec" subresource of a pod, i.e.
# every kubectl exec, interactive or not. Intentionally no user/verb filter
# (see false_positives). Literal string: no escaping of the inner quotes.
query = '''
kubernetes.audit.objectRef.resource:"pods"
and kubernetes.audit.objectRef.subresource:"exec"
'''
# MITRE ATT&CK mapping for the rule: one tactic with one technique.
[[rule.threat]]
framework = "MITRE ATT&CK"
# Nested array-of-tables on this threat element; must stay after its
# parent [[rule.threat]] and before any further [[rule.threat]] entry.
[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"
# Sub-table of the same threat element (not an array): a single tactic.
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"