Sigma rules for CVE-2026-28909
8 rules · scoped to CVE-2026-28909
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
Detection rules (8 of 8)
direct · medium
Potential Remote Command Execution In Pod Container
Detects attempts to execute remote commands within a Pod's container, e.g. using the "kubectl exec" command.
Sigma YAML:
title: Potential Remote Command Execution In Pod Container
id: a1b0ca4e-7835-413e-8471-3ff2b8a66be6
status: test
description: |
    Detects attempts to execute remote commands within a Pod's container, e.g. using the "kubectl exec" command.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1609
    - attack.execution
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        objectRef.subresource: 'exec'
    condition: selection
falsepositives:
    - Legitimate debugging activity. Investigate the identity performing the requests and their authorization.
level: medium
direct · medium
GCP Break-glass Container Workload Deployed
Detects the deployment of workloads that use the break-glass flag to override Binary Authorization controls.
Sigma YAML:
title: GCP Break-glass Container Workload Deployed
id: 76737c19-66ee-4c07-b65a-a03301d1573d
status: test
description: |
    Detects the deployment of workloads that use the break-glass flag to override Binary Authorization controls.
references:
    - https://cloud.google.com/binary-authorization
author: Bryan Lim
date: 2024-01-12
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        data.protoPayload.resource.type: 'k8s_cluster'
        data.protoPayload.logName:
            - 'cloudaudit.googleapis.com/activity'
            - 'cloudaudit.googleapis.com%2Factivity'
        data.protoPayload.methodName: 'io.k8s.core.v1.pods.create'
    keywords:
        - 'image-policy.k8s.io/break-glass'
    condition: selection and keywords
falsepositives:
    - Unknown
level: medium
direct · low
Privileged Container Deployed
Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting container breakout attacks.
A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact with and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host.
Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields.
Sigma YAML:
title: Privileged Container Deployed
id: c5cd1b20-36bb-488d-8c05-486be3d0cb97
status: test
description: |
    Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting container breakout attacks.
    A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact with and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host.
    Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/
    - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer
    - https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html
    - https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1611
    - attack.privilege-escalation
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        capabilities: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora
    condition: selection
falsepositives:
    - Unknown
level: low
direct · low
Container With A hostPath Mount Created
Detects creation of a container with a hostPath mount.
A hostPath volume mounts a directory or a file from the node to the container.
Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
Sigma YAML:
title: Container With A hostPath Mount Created
id: 402b955c-8fe0-4a8c-b635-622b4ac5f902
status: test
description: |
    Detects creation of a container with a hostPath mount.
    A hostPath volume mounts a directory or a file from the node to the container.
    Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/
    - https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1611
    - attack.privilege-escalation
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        hostPath: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora
    condition: selection
falsepositives:
    - The DaemonSet controller creates pods with hostPath volumes within the kube-system namespace.
level: low
direct · low
Azure Container Registry Created or Deleted
Detects when a Container Registry is created or deleted.
Sigma YAML:
title: Azure Container Registry Created or Deleted
id: 93e0ef48-37c8-49ed-a02c-038aab23628e
status: test
description: Detects when a Container Registry is created or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE
            - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE
    condition: selection
falsepositives:
    - Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
direct · low
Potential Container Discovery Via Inodes Listing
Detects listing of the inodes of the "/" directory to determine if we are running inside of a container.
Sigma YAML:
title: Potential Container Discovery Via Inodes Listing
id: 43e26eb5-cd58-48d1-8ce9-a273f5d298d8
status: test
description: Detects listing of the inodes of the "/" directory to determine if we are running inside of a container.
references:
    - https://blog.skyplabs.net/posts/container-detection/
    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
    - attack.discovery
    - attack.t1082
author: Seth Hanford
date: 2023-08-23
modified: 2025-11-24
logsource:
    category: process_creation
    product: linux
detection:
    selection_ls_img:
        Image|endswith: '/ls' # inode outside containers low, inside high
    selection_ls_cli:
        - CommandLine|endswith: ' /'
        - CommandLine|contains: ' / '
    selection_regex_inode:
        CommandLine|re: '(?:\s-[^-\s]{0,20}i|\s--inode\s)' # -i finds inode number
    selection_regex_dir:
        CommandLine|re: '(?:\s-[^-\s]{0,20}d|\s--directory\s)' # -d gets directory itself, not contents
    condition: all of selection_*
falsepositives:
    - Legitimate system administrator usage of these commands
    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low
direct · low
Docker Container Discovery Via Dockerenv Listing
Detects listing or file reading of ".dockerenv", which can be a sign of potential container discovery.
Sigma YAML:
title: Docker Container Discovery Via Dockerenv Listing
id: 11701de9-d5a5-44aa-8238-84252f131895
status: test
description: Detects listing or file reading of ".dockerenv", which can be a sign of potential container discovery.
references:
    - https://blog.skyplabs.net/posts/container-detection/
    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
    - attack.discovery
    - attack.t1082
author: Seth Hanford
date: 2023-08-23
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            # Note: add additional tools and utilities to increase coverage
            - '/cat'
            - '/dir'
            - '/find'
            - '/ls'
            - '/stat'
            - '/test'
            - 'grep'
        CommandLine|endswith: '.dockerenv'
    condition: selection
falsepositives:
    - Legitimate system administrator usage of these commands
    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low
direct · low
Container Residence Discovery Via Proc Virtual FS
Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem.
Sigma YAML:
title: Container Residence Discovery Via Proc Virtual FS
id: 746c86fb-ccda-4816-8997-01386263acc4
status: test
description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem.
references:
    - https://blog.skyplabs.net/posts/container-detection/
    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
    - attack.discovery
    - attack.t1082
author: Seth Hanford
date: 2023-08-23
logsource:
    category: process_creation
    product: linux
detection:
    selection_tools:
        Image|endswith:
            - 'awk'
            - '/cat'
            - 'grep'
            - '/head'
            - '/less'
            - '/more'
            - '/nl'
            - '/tail'
    selection_procfs_kthreadd: # outside containers, PID 2 == kthreadd
        CommandLine|contains: '/proc/2/'
    selection_procfs_target:
        CommandLine|contains: '/proc/'
        CommandLine|endswith:
            - '/cgroup' # cgroups end in ':/' outside containers
            - '/sched' # PID mismatch when run in containers
    condition: selection_tools and 1 of selection_procfs_*
falsepositives:
    - Legitimate system administrator usage of these commands
    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low