Skip to content

[New Rule] Kubernetes execution_user_exec_to_pod #1979

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 19 commits into from
Jun 9, 2022
Merged

[New Rule] Kubernetes execution_user_exec_to_pod #1979

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
25ba979
Create execution_user_exec_to_pod.toml
imays11 May 17, 2022
7e283e6
Update execution_user_exec_to_pod.toml
imays11 May 17, 2022
2d13fad
Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml
w0rk3r May 17, 2022
b44f6a8
Update non-ecs-schema.json
w0rk3r May 17, 2022
a375e6b
Update execution_user_exec_to_pod.toml
w0rk3r May 17, 2022
8b6a6f8
Merge branch 'main' into 1978-new-rule-kubernetes-exec-into-podcontainer
terrancedejesus May 18, 2022
f88dcfe
Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml
imays11 May 18, 2022
65c1c2c
Merge branch 'main' into 1978-new-rule-kubernetes-exec-into-podcontainer
terrancedejesus May 20, 2022
7c5d067
Merge branch 'main' into 1978-new-rule-kubernetes-exec-into-podcontainer
terrancedejesus May 20, 2022
8f83c26
Merge branch 'main' into 1978-new-rule-kubernetes-exec-into-podcontainer
terrancedejesus May 23, 2022
cb8f7b4
Merge branch 'main' into 1978-new-rule-kubernetes-exec-into-podcontainer
DefSecSentinel May 23, 2022
ab0c75a
Update execution_user_exec_to_pod.toml
imays11 May 25, 2022
677eedc
Update execution_user_exec_to_pod.toml
imays11 May 25, 2022
dab6040
Merge branch 'main' into 1978-new-rule-kubernetes-exec-into-podcontainer
DefSecSentinel May 25, 2022
0688997
Update execution_user_exec_to_pod.toml
imays11 Jun 3, 2022
767d859
toml-linted file and add to false positive
imays11 Jun 3, 2022
8d65b00
Create notepad.sct
imays11 Jun 3, 2022
c7a2c2e
Merge branch 'main' into 1978-new-rule-kubernetes-exec-into-podcontainer
DefSecSentinel Jun 9, 2022
59a94f6
added min_stack_version based on integration
imays11 Jun 9, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions detection_rules/etc/non-ecs-schema.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,5 +56,9 @@
},
"logs-windows.*": {
"powershell.file.script_block_text": "text"
},
"logs-kubernetes.*": {
"kubernetes.audit.objectRef.resource": "keyword",
"kubernetes.audit.objectRef.subresource": "keyword"
}
}
49 changes: 49 additions & 0 deletions rules/integrations/kubernetes/execution_user_exec_to_pod.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
[metadata]
creation_date = "2022/05/17"
maturity = "production"
updated_date = "2022/05/17"
integration = "kubernetes"

[rule]
author = ["Elastic"]
description = """
This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets.
"""
false_positives = [
"""
An administrator may need to exec into a pod for a legitimate reason.
""",
]
index = ["filebeat-*", "logs-kubernetes.*"]
language = "kuery"
license = "Elastic License v2"
name = "User Exec into Pod"
note = """## Config

The Kubernetes Fleet integration with Audit Logs enabled, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/",
"https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/"]
risk_score = 47
rule_id = "14de811c-d60f-11ec-9fd7-f661ea17fbce"
severity = "medium"
tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset : "kubernetes.audit_logs" and kubernetes.audit.objectRef.resource : "pods" and kubernetes.audit.objectRef.subresource :"exec"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"