Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

5 alerts match the current filters. technique: T1609 ✕

Show ATT&CK heatmap
  • Command execution in a Kubernetes pod Informational 2 variations

    Container administration commands were executed within a Kubernetes pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Container Administration Command (T1609)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Attackers may use the container administration commands to execute commands within a Kubernetes Pod.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Command execution in a Kubernetes pod for the first time

    Low overridden

    Container administration commands were executed within a Kubernetes pod. overridden

    Command execution in a Kubernetes pod in the kube-system namespace

    Informational overridden

    Container administration commands were executed within a Kubernetes pod. overridden

  • Remote code execution into Kubernetes Pod Informational 2 variations

    A container administration service was used to execute commands within a Kubernetes Pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Container Administration Command (T1609)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Attackers may use the container administration commands to execute commands within a Kubernetes Pod.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Remote code execution into Kubernetes Pod from another Pod for the first time

    Medium overridden

    A container administration service was used to execute commands within a Kubernetes Pod. overridden

    Remote code execution into Kubernetes Pod from another Pod

    Low overridden

    A container administration service was used to execute commands within a Kubernetes Pod. overridden

  • Suspicious container runtime connection from within a Kubernetes Pod Informational 2 variations

    A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Container Administration Command (T1609) Deploy Container (T1610)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Escape from a container to the host machine and expand the foothold in the network.
    Investigative actions: Change the container socket configuration. Check if the default Docker daemon binding to TCP changed. If so, non-root users may gain access to the container.

    Variations

    Suspicious container runtime connection from within a Kubernetes Pod using the curl client

    Low overridden

    A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host. overridden

    Suspicious container runtime connection from within a Kubernetes Pod using the docker client

    Medium overridden

    A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host. overridden

  • Suspicious process execution in a privileged container Informational 1 variation

    A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: Container Administration Command (T1609) Escape to Host (T1611)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network and gain higher privileges.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the command run from the host and understand which software initiated it.

    Variations

    Suspicious process execution in a new privileged container

    Informational overridden

    A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days. overridden

  • Unusual exec into a Kubernetes Pod Informational Cloud 5 variations

    An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Container Administration Command (T1609)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Execute commands within the Kubernetes Pod. Access any resource the Kubernetes Pod has access to.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.

    Variations

    Failed exec attempt into a Kubernetes Pod

    Informational overridden

    An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden

    First time execution into Kubernetes Pod at the cluster-level

    Medium overridden

    An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden

    Identity executed into Kubernetes Pod for the first time

    Low overridden

    An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden

    Identity executed into a Kubernetes namespace for the first time

    Low overridden

    An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden

    Identity executed into a Kubernetes Pod for the first time

    Low overridden

    An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden