diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json index 447f3634c9b..d6f47d23bc1 100644 --- a/detection_rules/etc/non-ecs-schema.json +++ b/detection_rules/etc/non-ecs-schema.json @@ -56,5 +56,9 @@ }, "logs-windows.*": { "powershell.file.script_block_text": "text" + }, + "logs-kubernetes.*": { + "kubernetes.audit.objectRef.resource": "keyword", + "kubernetes.audit.objectRef.subresource": "keyword" } } diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml new file mode 100644 index 00000000000..00e3af368ce --- /dev/null +++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml @@ -0,0 +1,64 @@ +[metadata] +creation_date = "2022/05/17" +integration = "kubernetes" +maturity = "production" +min_stack_comments = "Necessary audit log fields not available prior to 8.2" +min_stack_version = "8.2" +updated_date = "2022/06/09" + +[rule] +author = ["Elastic"] +description = """ +This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' +command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An +adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has +permissions to, including secrets. +""" +false_positives = [ + """ + An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from + Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands + inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ... + ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec + cassandra --cat /var/log/cassandra/system.log . Additionally, the -i and -t arguments might be used to run a shell + connected to the terminal: kubectl exec -i -t cassandra -- sh + """, +] +index = ["logs-kubernetes.*"] +language = "kuery" +license = "Elastic License v2" +name = "Kubernetes User Exec into Pod" +note = """## Config + +The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.""" +references = [ + "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/", + "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/", +] +risk_score = 47 +rule_id = "14de811c-d60f-11ec-9fd7-f661ea17fbce" +severity = "medium" +tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:"kubernetes.audit_logs" + and kubernetes.audit.objectRef.resource:"pods" + and kubernetes.audit.objectRef.subresource:"exec" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +