security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8c19e9ff6c0f29bfd0930c4d511eaf93127effef
sigma-rules/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
T
Justin Ibarra 46d5e37b76 min_stack all rules to 8.3 (#2259) 
* min_stack all rules to 8.3

* bump date

Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
2022-08-24 10:38:49 -06:00

64 lines
2.4 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2022/05/17"
integration = "kubernetes"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
[rule]
author = ["Elastic"]
description = """
This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec'
command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An
adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has
permissions to, including secrets.
"""
false_positives = [
"""
An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from
Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands
inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ...
${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec
cassandra --cat /var/log/cassandra/system.log . Additionally, the -i and -t arguments might be used to run a shell
connected to the terminal: kubectl exec -i -t cassandra -- sh
""",
]
index = ["logs-kubernetes.*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes User Exec into Pod"
note = """## Setup
The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
references = [
"https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/",
"https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/",
]
risk_score = 47
rule_id = "14de811c-d60f-11ec-9fd7-f661ea17fbce"
severity = "medium"
tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution"]
timestamp_override = "event.ingested"
type = "query"
query = '''
kubernetes.audit.objectRef.resource:"pods"
and kubernetes.audit.objectRef.subresource:"exec"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Reference in New Issue View Git Blame Copy Permalink