Direct Interactive Kubernetes API Request by Unusual Utilities
This rule detects interactive commands executed inside containers using atypical utilities to interact with the Kubernetes API, paired with near-simultaneous API activity on sensitive resources, potentially indicating lateral movement and discovery by an attacker from within a container.
This detection rule, originating from Elastic's detection-rules repository and designed for use with Defend for Containers and Kubernetes audit logs, identifies potential malicious activity within Kubernetes environments. Specifically, it focuses on detecting interactive commands executed inside containers that utilize unusual utilities to interact with the Kubernetes API. The rule flags instances where these interactions are coupled with near-simultaneous API activity on sensitive resources like pods, secrets, and service accounts. The rule aims to detect adversaries who might be using custom scripts or binaries to evade standard tool allowlists. The rule was introduced in Elastic stack version 9.3.0.
Attack Chain
- An attacker gains initial access to a container within a Kubernetes pod, potentially through exploiting a vulnerability in the application running within the container.
- The attacker establishes an interactive shell session within the compromised container.
- Instead of using common tools like
kubectl,curl, orwget, the attacker leverages an unusual utility (e.g., a custom Python script,busyboxorncat) to interact with the Kubernetes API. - The attacker uses this utility to enumerate Kubernetes resources such as pods, services, secrets, and service accounts, attempting to discover sensitive information and potential lateral movement paths.
- The attacker queries the Kubernetes API to gather information about service account tokens or other credentials that could be used to authenticate to other services or pods.
- The attacker initiates a
pods/execorpods/attachrequest to gain access to another pod, using the compromised credentials, or forward ports to access services. - The attacker uses the newly accessed pod or service to further explore the Kubernetes environment, potentially escalating privileges or accessing sensitive data.
Impact
A successful attack could lead to the compromise of sensitive data stored in Kubernetes secrets and configmaps, the unauthorized access to other pods and services, and the potential for privilege escalation within the Kubernetes cluster. The rule aims to detect early stages of a potential breach, limiting the damage to a contained workload.
Recommendation
- Deploy the provided Sigma rules to your SIEM and tune for your environment to detect suspicious Kubernetes API activity.
- Investigate any alerts generated by the Sigma rule to determine if they are indicative of malicious activity or legitimate container activity.
- Enforce least-privilege RBAC, deny
pods/execandattachfor application service accounts, and setautomountServiceAccountToken: falseon workloads that don't need it. - Use network policies to restrict egress traffic from pods to the Kubernetes API server (kubernetes.default.svc:443) or other critical services.
Detection coverage 2
Interactive Shell Using Uncommon Utilities to Access Kubernetes API
mediumDetects interactive shell sessions in containers where uncommon utilities are used to interact with the Kubernetes API, potentially indicating malicious activity.
Kubernetes API Access via /dev/tcp
mediumDetects suspicious access to the Kubernetes API through /dev/tcp, indicating potential exploitation attempts or unusual network activity.
Detection queries are available on the platform. Get full rules →