Kubernetes

This rule detects Linux process executions that reference /etc/kubernetes/manifests in process arguments, which may indicate tampering with static pod manifests for persistence or privilege escalation in Kubernetes environments.

This rule detects Linux process executions that access high-value Kubernetes service-account material, kubeconfig or node PKI paths, or common cloud files, potentially indicating credential theft within in-cluster and hybrid environments.

Detection of non-system identities using the Kubernetes nodes/proxy API to proxy requests through the API server directly to a node's Kubelet, potentially leading to privilege escalation and sensitive information exposure.

Detects creation or approval of a Kubernetes CertificateSigningRequest (CSR) by a non-system identity, indicating an attacker attempting to obtain a long-lived client certificate for persistent cluster access with elevated privileges.

The rule detects network connection attempts to the Kubernetes Kubelet API ports 10250 and 10255 on internal IP ranges from Linux hosts, indicating potential lateral movement within container and cluster environments.

An unusual process connecting to a container runtime Unix socket like Docker or Containerd can indicate an attacker attempting to bypass Kubernetes security measures for container manipulation.

This rule flags potential reverse shell activity via kubectl exec commands in Kubernetes pods by detecting specific shell and socket idioms within URL-decoded command payloads in Kubernetes audit logs, indicating post-exploitation interactive access and command-and-control.