<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Namespace - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/namespace/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/namespace/feed.xml" rel="self" type="application/rss+xml"/><item><title>Kubernetes Pod Created in Default Namespace</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-kubernetes-pod-creation-default-namespace/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-kubernetes-pod-creation-default-namespace/</guid><description>Detection of Kubernetes pod creation in default, kube-system, or kube-public namespaces using audit logs, potentially indicating attacker attempts to hide or evade defenses following a cluster breach.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of Kubernetes pods being created in the default, kube-system, or kube-public namespaces. This activity is considered anomalous because these namespaces are typically reserved for system functions and explicitly defined applications. The detection leverages Kubernetes audit logs to identify pod creation events within these namespaces. The Splunk ES/CU analytic <code>Kubernetes Pod Created in Default Namespace</code> released on 2026-04-15 flags this specific behavior. An attacker creating pods in these locations might be attempting to hide their presence, escalate privileges, establish persistent access, or execute further malicious activities within the Kubernetes cluster. This is particularly concerning as it may indicate a successful initial breach.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Kubernetes cluster, possibly through exploiting a vulnerability in a container image or a misconfigured service.</li>
<li>The attacker attempts to create a new pod within the default, kube-system, or kube-public namespace using <code>kubectl</code> or the Kubernetes API.</li>
<li>The Kubernetes API server receives the pod creation request.</li>
<li>Kubernetes audit logging records the pod creation event, including the user, timestamp, source IP, and the specifications of the pod.</li>
<li>The pod is successfully created and deployed within the targeted namespace.</li>
<li>The attacker leverages the newly created pod to execute malicious commands, potentially escalating privileges or gaining access to sensitive data.</li>
<li>The attacker uses the compromised pod to move laterally within the cluster, targeting other resources and services.</li>
<li>The final objective may include data exfiltration, deployment of persistent backdoors, or disruption of services within the Kubernetes environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to a full compromise of the Kubernetes cluster. Attackers could gain complete control over the cluster's resources and data. Depending on the cluster's role, this could result in data breaches, service disruptions, and significant financial losses. The compromise can also lead to persistent backdoors, enabling attackers to maintain long-term access to the environment. This analytic will help detect activity, but will not mitigate the initial compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Kubernetes audit logging and configure the audit policy to capture pod creation events to ensure the <code>Kubernetes Audit</code> data source is available.</li>
<li>Deploy the Sigma rule provided below to detect pod creation in restricted namespaces and tune the rule for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the user, source IP, and the details of the created pod.</li>
<li>Review and harden RBAC policies to restrict pod creation in sensitive namespaces.</li>
<li>Monitor network connections originating from pods created in these namespaces for suspicious outbound traffic.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>kubernetes</category><category>pod</category><category>namespace</category><category>privilege_escalation</category></item></channel></rss>