{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/namespace/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Kubernetes"],"_cs_severities":["high"],"_cs_tags":["kubernetes","pod","namespace","privilege_escalation"],"_cs_type":"advisory","_cs_vendors":["Kubernetes"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of Kubernetes pods being created in the default, kube-system, or kube-public namespaces. This activity is considered anomalous because these namespaces are typically reserved for system functions and explicitly defined applications. The detection leverages Kubernetes audit logs to identify pod creation events within these namespaces. The Splunk ES/CU analytic \u003ccode\u003eKubernetes Pod Created in Default Namespace\u003c/code\u003e released on 2026-04-15 flags this specific behavior. An attacker creating pods in these locations might be attempting to hide their presence, escalate privileges, establish persistent access, or execute further malicious activities within the Kubernetes cluster. This is particularly concerning as it may indicate a successful initial breach.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Kubernetes cluster, possibly through exploiting a vulnerability in a container image or a misconfigured service.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create a new pod within the default, kube-system, or kube-public namespace using \u003ccode\u003ekubectl\u003c/code\u003e or the Kubernetes API.\u003c/li\u003e\n\u003cli\u003eThe Kubernetes API server receives the pod creation request.\u003c/li\u003e\n\u003cli\u003eKubernetes audit logging records the pod creation event, including the user, timestamp, source IP, and the specifications of the pod.\u003c/li\u003e\n\u003cli\u003eThe pod is successfully created and deployed within the targeted namespace.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly created pod to execute malicious commands, potentially escalating privileges or gaining access to sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised pod to move laterally within the cluster, targeting other resources and services.\u003c/li\u003e\n\u003cli\u003eThe final objective may include data exfiltration, deployment of persistent backdoors, or disruption of services within the Kubernetes environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a full compromise of the Kubernetes cluster. Attackers could gain complete control over the cluster's resources and data. Depending on the cluster's role, this could result in data breaches, service disruptions, and significant financial losses. The compromise can also lead to persistent backdoors, enabling attackers to maintain long-term access to the environment. This analytic will help detect activity, but will not mitigate the initial compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Kubernetes audit logging and configure the audit policy to capture pod creation events to ensure the \u003ccode\u003eKubernetes Audit\u003c/code\u003e data source is available.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect pod creation in restricted namespaces and tune the rule for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user, source IP, and the details of the created pod.\u003c/li\u003e\n\u003cli\u003eReview and harden RBAC policies to restrict pod creation in sensitive namespaces.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from pods created in these namespaces for suspicious outbound traffic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-kubernetes-pod-creation-default-namespace/","summary":"Detection of Kubernetes pod creation in default, kube-system, or kube-public namespaces using audit logs, potentially indicating attacker attempts to hide or evade defenses following a cluster breach.","title":"Kubernetes Pod Created in Default Namespace","url":"https://feed.craftedsignal.io/briefs/2024-01-03-kubernetes-pod-creation-default-namespace/"}],"language":"en","title":"CraftedSignal Threat Feed - Namespace","version":"https://jsonfeed.org/version/1.1"}