Threat Feed
medium advisory

Kubernetes Ephemeral Container Added to Pod for Privilege Escalation

This rule detects allowed (successful) update or patch requests to the Kubernetes pods/ephemeralcontainers subresource by non-system identities. Such requests can be abused for privilege escalation, lateral movement, or persistence by injecting attacker-chosen tooling into pods that are already running.

This detection rule identifies potentially malicious use of ephemeral containers in Kubernetes. Ephemeral containers exist for interactive debugging of running pods: they are added to an existing pod through the pods/ephemeralcontainers subresource (for example by kubectl debug) rather than by editing the pod's container list, they share the pod's network namespace, can optionally share a target container's process namespace, and can mount the pod's existing volumes. An identity holding update or patch on that subresource can therefore inject an image of its choosing, read mounted secrets and service account tokens, and execute commands in the pod's context, all without deploying a new workload that a pipeline or admission review would scrutinize. This can lead to privilege escalation, lateral movement to other resources, or a persistent foothold. Note that update or patch on pods alone does not grant the subresource; it must be granted explicitly or through a wildcard such as pods/*. The rule therefore focuses on successful update or patch requests to pods/ephemeralcontainers performed by non-system identities, which indicate either legitimate debugging or abuse.

Attack Chain

  1. An attacker obtains credentials for a Kubernetes cluster (a user account, a leaked kubeconfig, or a service account token) whose RBAC grants update or patch on the pods/ephemeralcontainers subresource, either explicitly or through a wildcard.
  2. The attacker identifies a target pod, typically one that mounts valuable secrets, runs under a privileged service account, or has network reach to other systems.
  3. The attacker crafts a request to add an ephemeral container to the target pod using kubectl debug or a direct API call.
  4. The ephemeral container specification names an attacker-controlled image and command, may reference the pod's volumes so that mounted secrets become readable, may set targetContainerName to share an application container's process namespace, and may request a privileged security context.
  5. The attacker submits the update or patch to the pods/ephemeralcontainers subresource of the target pod via the Kubernetes API.
  6. The API server authorizes the request through RBAC and admission (Pod Security Admission also evaluates ephemeral containers), and the kubelet starts the container inside the target pod. Once added, an ephemeral container cannot be removed or restarted; it remains part of the pod until the pod is deleted.
  7. The attacker attaches to or execs into the injected container to execute commands, read mounted secrets and tokens, or probe the pod's network within the pod's context.
  8. The attacker leverages the compromised pod to escalate privileges, move laterally to other resources, or establish persistence.

Impact

Successful exploitation can lead to a compromised Kubernetes cluster: attackers can read sensitive data from mounted secrets and volumes, escalate to cluster administrator by reusing a broadly bound service account token mounted in the pod, move laterally to other workloads over the pod's network, and establish persistent backdoors. This can result in data breaches, service disruption, and significant reputational damage. The number of affected pods and resources depends on the attacker's objectives and on the namespaces and clusters in which their RBAC privileges apply.

Recommendation

  • Deploy the Sigma rule Detect Kubernetes Ephemeral Container Creation by Non-System User to your SIEM to identify unauthorized usage of ephemeral containers.
  • Review and harden RBAC: grant update and patch on the pods/ephemeralcontainers subresource only to identities that genuinely need interactive debugging, and audit wildcard grants (*, pods/*) and bindings to widely used groups. Because verbs on pods alone do not cover the subresource, search roles specifically for it rather than for pod edit permissions in general.
  • Make sure the Kubernetes audit policy records pods at level Request or RequestResponse so that requestObject, and with it the injected image and security context, is captured; then monitor audit logs for update or patch on the subresource, as detailed in the rule's index field.
  • Enforce Pod Security Admission (baseline or restricted) in sensitive namespaces; it evaluates ephemeral containers as well, so privileged debug containers are rejected there.
  • Tune exclusions for known automation and approved admin identities to reduce false positives, as mentioned in the rule's false_positives section.
  • When an unapproved ephemeral container is found, capture forensics from the pod and then delete and recreate it: an ephemeral container cannot be removed from a running pod once added.
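The RBAC review above is easy to get wrong because a rule on pods does not reach the subresource while pods/* and * do. The following is an added example, not the platform's rule or Kubernetes project code: it applies the resource and verb matching that Kubernetes RBAC uses to a set of Role, ClusterRole and binding objects in the shape returned by kubectl get ... -o json, and lists every subject that can add ephemeral containers. The role and binding names and the subjects are constructed for the example.

```python
"""Find RBAC subjects able to add ephemeral containers to pods.

Added example (not the platform's rule or Kubernetes project code). It applies
the matching rules Kubernetes RBAC uses for resources and verbs: "*" matches
anything, "pods/*" matches every pod subresource, and a plain "pods" entry does
NOT cover "pods/ephemeralcontainers". Input objects use the shape returned by
`kubectl get roles,clusterroles,rolebindings,clusterrolebindings -o json`.
"""
RESOURCE, SUBRESOURCE = "pods", "ephemeralcontainers"
RISKY_VERBS = {"update", "patch"}  # the only verbs the subresource accepts


def rule_grants_ephemeral_containers(rule: dict) -> bool:
    """True if one PolicyRule allows update/patch on pods/ephemeralcontainers."""
    # Pods live in the core API group, written as "" in RBAC rules.
    if not any(g in ("", "*") for g in rule.get("apiGroups", [])):
        return False
    wanted = f"{RESOURCE}/{SUBRESOURCE}"
    resource_ok = any(
        r in ("*", wanted, f"{RESOURCE}/*") for r in rule.get("resources", [])
    )
    verb_ok = any(v == "*" or v in RISKY_VERBS for v in rule.get("verbs", []))
    return resource_ok and verb_ok


def find_subjects_with_ephemeral_access(roles: list, bindings: list) -> list:
    """Return (subject kind, subject name, scope, role name) for every binding
    whose role grants the subresource. Scope is the binding namespace for a
    RoleBinding, or "cluster-wide" for a ClusterRoleBinding."""
    index = {
        (r["kind"], r["metadata"].get("namespace", ""), r["metadata"]["name"]): r
        for r in roles
    }
    findings = []
    for binding in bindings:
        ref = binding["roleRef"]
        # A RoleBinding may reference a ClusterRole; ClusterRoles have no namespace.
        role_ns = binding["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
        role = index.get((ref["kind"], role_ns, ref["name"]))
        if role is None:  # dangling roleRef grants nothing
            continue
        if not any(rule_grants_ephemeral_containers(r) for r in role.get("rules", [])):
            continue
        scope = binding["metadata"].get("namespace") or "cluster-wide"
        for subject in binding.get("subjects", []):
            findings.append((subject["kind"], subject["name"], scope, ref["name"]))
    return findings


# Constructed sample objects for the example; names are not from the page.
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "debugger"},
     "rules": [{"apiGroups": [""], "resources": ["pods/ephemeralcontainers"], "verbs": ["update"]}]},
    {"kind": "Role", "metadata": {"name": "pod-editor", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]}]},  # pods only: no subresource
    {"kind": "Role", "metadata": {"name": "pod-subresources", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["pods/*"], "verbs": ["get", "patch"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "debuggers"},
     "roleRef": {"kind": "ClusterRole", "name": "debugger"},
     "subjects": [{"kind": "Group", "name": "sre"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "pod-editor"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "payments"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ops", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "pod-subresources"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    for kind, name, scope, role in find_subjects_with_ephemeral_access(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{kind}/{name} can add ephemeral containers ({scope}) via {role}")
```

On the sample data the ci-runner service account is correctly left out even though it holds every verb on pods, while the sre group (explicit subresource, cluster-wide) and alice (pods/* with patch, namespace payments) are reported. Aggregated ClusterRoles and impersonation are out of scope here; in a real review, compare the output against the identities you expect to run kubectl debug.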

Detection coverage (2 rules)

Detect Kubernetes Ephemeral Container Creation by Non-System User

medium

Detects allowed updates to the pods/ephemeralcontainers subresource by a non-system identity, indicating potential privilege escalation.

Format: sigma. Tactics: execution, privilege_escalation. Techniques: T1609 (Container Administration Command), T1611 (Escape to Host). Sources: auditd, linux.

Detect Kubernetes Ephemeral Container - Image Pull from Suspicious Registry

low

Detects the creation of ephemeral containers pulling images from public or untrusted registries.

Format: sigma. Tactics: execution, privilege_escalation. Techniques: T1609 (Container Administration Command), T1611 (Escape to Host). Sources: auditd, linux.
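To make both rule descriptions concrete, here is an added example, not the platform's Sigma rules and not Kubernetes project code, that reproduces their conditions in Python and runs them over constructed Kubernetes audit log lines. It uses the audit.k8s.io/v1 Event field names (verb, user.username, objectRef.resource/subresource, responseStatus.code, requestObject); the trusted-registry set, the allowlisted automation user, and the sample users, namespace and pod are assumptions made for the example. The second rule can only fire when requestObject is present, which requires the audit policy to log pods at level Request or RequestResponse.

```python
"""Apply this page's two detection rules to Kubernetes audit log lines.

Added example, not the platform's Sigma rules and not Kubernetes project code.
It reproduces the rule conditions in Python against audit.k8s.io/v1 Event
fields (verb, user.username, objectRef.resource/subresource/namespace/name,
responseStatus.code, requestObject). requestObject is present only when the
audit policy records pods at level Request or RequestResponse.
"""
import json
from typing import Optional

# Assumptions for the example: tuning values a deployment would set itself.
TRUSTED_REGISTRIES = {"registry.internal.example"}
ALLOWLISTED_USERS = {"debug-bot@example.com"}  # approved automation identity
RULE_NON_SYSTEM = "ephemeral_container_by_non_system_user"
RULE_REGISTRY = "ephemeral_container_image_from_suspicious_registry"


def image_registry(image: str) -> str:
    """Registry of an image reference, using the Docker Hub default when the
    first path component is not a hostname (no '.' or ':' and not localhost)."""
    first = image.split("/", 1)[0]
    if "/" not in image or not ("." in first or ":" in first or first == "localhost"):
        return "docker.io"
    return first


def ephemeral_images(request_object) -> list:
    """Images of ephemeral containers from a full pod object, a merge patch
    body, or a JSON patch operation list (all three reach the subresource)."""
    if isinstance(request_object, list):  # application/json-patch+json
        images = []
        for op in request_object:
            if op.get("op") in ("add", "replace") and str(op.get("path", "")).startswith("/spec/ephemeralContainers"):
                values = op.get("value")
                values = values if isinstance(values, list) else [values]
                images += [v["image"] for v in values if isinstance(v, dict) and "image" in v]
        return images
    if isinstance(request_object, dict):
        containers = request_object.get("spec", {}).get("ephemeralContainers") or []
        return [c["image"] for c in containers if "image" in c]
    return []


def evaluate_event(event: dict) -> Optional[dict]:
    """Return a finding for one audit event, or None if no rule matches."""
    ref = event.get("objectRef", {})
    if ref.get("resource") != "pods" or ref.get("subresource") != "ephemeralcontainers":
        return None
    if event.get("verb") not in ("update", "patch"):
        return None
    code = event.get("responseStatus", {}).get("code", 0)
    if not 200 <= code < 300:  # a denied or failed request is not an allowed update
        return None
    user = event.get("user", {}).get("username", "")
    if user.startswith("system:") or user in ALLOWLISTED_USERS:
        return None
    rules = [RULE_NON_SYSTEM]
    untrusted = [i for i in ephemeral_images(event.get("requestObject"))
                 if image_registry(i) not in TRUSTED_REGISTRIES]
    if untrusted:
        rules.append(RULE_REGISTRY)
    return {"user": user, "namespace": ref.get("namespace"), "pod": ref.get("name"),
            "rules": rules, "untrusted_images": untrusted}


def evaluate_log(lines) -> list:
    """Run evaluate_event over JSON-lines audit output (one Event per line)."""
    return [hit for hit in (evaluate_event(json.loads(l)) for l in lines if l.strip()) if hit]


def _event(user, verb, code, subresource="ephemeralcontainers", request_object=None):
    """Build one constructed audit event for the sample log below."""
    ev = {"verb": verb, "user": {"username": user},
          "objectRef": {"resource": "pods", "subresource": subresource,
                        "namespace": "payments", "name": "api-7c9d"},
          "responseStatus": {"code": code}}
    if request_object is not None:
        ev["requestObject"] = request_object
    return ev


# Constructed sample log for the example; users, namespace and pod are made up.
SAMPLE_AUDIT_LOG = [json.dumps(e) for e in [
    # merge patch with a Docker Hub image and privileged context: both rules fire
    _event("alice@example.com", "patch", 200, request_object={"spec": {"ephemeralContainers": [
        {"name": "debugger-x1", "image": "busybox:1.36", "securityContext": {"privileged": True}}]}}),
    _event("system:serviceaccount:kube-system:debug-controller", "update", 200),  # system identity
    _event("bob@example.com", "patch", 403),  # denied by RBAC: not an allowed update
    # JSON patch pulling from the trusted registry: first rule only
    _event("carol@example.com", "patch", 200, request_object=[{"op": "add", "path": "/spec/ephemeralContainers/-",
        "value": {"name": "shell", "image": "registry.internal.example/tools/toolbox:1.2"}}]),
    _event("debug-bot@example.com", "patch", 200),  # allowlisted automation
    _event("alice@example.com", "create", 201, subresource="exec"),  # different subresource
]]

if __name__ == "__main__":
    for hit in evaluate_log(SAMPLE_AUDIT_LOG):
        print(hit)
```

Two details matter in practice. A 403 on the subresource is filtered out here because the rule is about allowed updates, but a burst of such denials from one identity is itself worth a separate alert, since it shows someone probing for the permission. And registry extraction follows the Docker reference rules, so a bare image name such as busybox:1.36 resolves to docker.io and is treated as a public pull rather than slipping past a check that only looks for an explicit hostname.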
