Analytics Alerts
Browse the Cortex analytics alert reference.
5 alerts match the current filters. tactic: TA0002 ✕ technique: T1609 ✕
Show ATT&CK heatmapCommand execution in a Kubernetes pod Informational 2 variations
Container administration commands were executed within a Kubernetes pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Container Administration Command (T1609)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Attackers may use the container administration commands to execute commands within a Kubernetes Pod.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Command execution in a Kubernetes pod for the first time
Low overridden
Container administration commands were executed within a Kubernetes pod. overridden
Command execution in a Kubernetes pod in the kube-system namespace
Informational overridden
Container administration commands were executed within a Kubernetes pod. overridden
Remote code execution into Kubernetes Pod Informational 2 variations
A container administration service was used to execute commands within a Kubernetes Pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Container Administration Command (T1609)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Attackers may use the container administration commands to execute commands within a Kubernetes Pod.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Remote code execution into Kubernetes Pod from another Pod for the first time
Medium overridden
A container administration service was used to execute commands within a Kubernetes Pod. overridden
Remote code execution into Kubernetes Pod from another Pod
Low overridden
A container administration service was used to execute commands within a Kubernetes Pod. overridden
Suspicious container runtime connection from within a Kubernetes Pod Informational 2 variations
A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Container Administration Command (T1609) Deploy Container (T1610)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Escape from a container to the host machine and expand the foothold in the network.Investigative actions: Change the container socket configuration. Check if the default Docker daemon binding to TCP changed. If so, non-root users may gain access to the container.Variations
Suspicious container runtime connection from within a Kubernetes Pod using the curl client
Low overridden
A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host. overridden
Suspicious container runtime connection from within a Kubernetes Pod using the docker client
Medium overridden
A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host. overridden
Suspicious process execution in a privileged container Informational 1 variation
A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: Container Administration Command (T1609) Escape to Host (T1611)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network and gain higher privileges.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the command run from the host and understand which software initiated it.Variations
Suspicious process execution in a new privileged container
Informational overridden
A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days. overridden
Unusual exec into a Kubernetes Pod Informational Cloud 5 variations
An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Container Administration Command (T1609)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Execute commands within the Kubernetes Pod. Access any resource the Kubernetes Pod has access to.Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.Variations
Failed exec attempt into a Kubernetes Pod
Informational overridden
An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden
First time execution into Kubernetes Pod at the cluster-level
Medium overridden
An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden
Identity executed into Kubernetes Pod for the first time
Low overridden
An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden
Identity executed into a Kubernetes namespace for the first time
Low overridden
An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden
Identity executed into a Kubernetes Pod for the first time
Low overridden
An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden