« Kubernetes Pod Created with a Sensitive hostPath Volume Kubernetes Pod Exec Cloud Instance Metadata Access »
Elastic Docs Elastic Security [8.19] Detections and alerts Prebuilt rule reference

Kubernetes Pod Creation Using Common Debug or Base Images

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Kubernetes Pod Creation Using Common Debug or Base Images

edit

Detects successful Kubernetes pod creation requests using commonly abused base and debugging container images such as BusyBox, Alpine, Ubuntu, Netshoot, and network multitool variants. These images are frequently used by attackers to deploy short-lived or interactive "throwaway" containers for reconnaissance, payload staging, or command execution due to their small footprint or built-in tooling.

Rule type: new_terms

Rule indices:

  • logs-kubernetes.audit_logs-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Data Source: Kubernetes
  • Domain: Kubernetes
  • Use Case: Threat Detection
  • Tactic: Execution
  • Tactic: Defense Evasion
  • Rule Type: BBR

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
event.dataset:"kubernetes.audit_logs" and
kubernetes.audit.stage:"ResponseComplete" and
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
kubernetes.audit.objectRef.resource:"pods" and
kubernetes.audit.verb:"create" and
kubernetes.audit.requestObject.spec.containers.image:(alpine* or busybox* or ubuntu\:* or debian\:* or *netshoot\:* or *network-multitool\:* or *curl\:*)

Framework: MITRE ATT&CKTM

« Kubernetes Pod Created with a Sensitive hostPath Volume Kubernetes Pod Exec Cloud Instance Metadata Access »