Vendor

Kubernetes

3 briefs RSS

Kubelet API Connection Attempt to Internal IP

The rule detects network connection attempts to the Kubernetes Kubelet API ports 10250 and 10255 on internal IP ranges from Linux hosts, indicating potential lateral movement within container and cluster environments.

kubelet +2 kubernetes lateral-movement linux container

2r 2t Jan 3, 2024

medium advisory

Unusual Process Connecting to Docker or Containerd Socket

2 rules 3 TTPs

An unusual process connecting to a container runtime Unix socket like Docker or Containerd can indicate an attacker attempting to bypass Kubernetes security measures for container manipulation.

Auditbeat +4 container privilege-escalation lateral-movement linux

2r 3t Jan 3, 2024

high advisory

Kubernetes Pod Exec Potential Reverse Shell Activity Detected

3 rules 2 TTPs

This rule flags potential reverse shell activity via kubectl exec commands in Kubernetes pods by detecting specific shell and socket idioms within URL-decoded command payloads in Kubernetes audit logs, indicating post-exploitation interactive access and command-and-control.

Kubernetes reverse_shell execution command_and_control

3r 2t Jan 3, 2024