Kubernetes Pod Exec Potential Reverse Shell

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.


Flags exec into a pod when the URL-decoded command payload resembles reverse-shell or bind-shell one-liner invocation patterns. Legitimate debug sessions sometimes use similar building blocks, but in combination these patterns align with post-exploitation interactive access and command-and-control.

Rule type: esql

Rule indices: None

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Data Source: Kubernetes
  • Domain: Kubernetes
  • Use Case: Threat Detection
  • Tactic: Execution
  • Tactic: Command and Control
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide


Triage and analysis

Investigating Kubernetes Pod Exec Potential Reverse Shell

The rule inspects the requestURI of Kubernetes audit exec requests, URL-decodes it, parses the command query fragment, and matches high-signal shell and socket idioms often used to obtain a callback shell from inside a container.

Possible investigation steps

  • Identify the actor (kubernetes.audit.user.username, groups, impersonation), source IP, and user agent (human kubectl vs automation).
  • Resolve the target namespace, pod, and container from kubernetes.audit.objectRef.* and correlate with workload ownership and change tickets.
  • Pull the raw and decoded URI from the alert document and replay the inferred command in a sandbox only if policy allows—otherwise rely on audit and platform logs.
  • Hunt nearby events from the same identity: secret reads, pods/exec to other workloads, RoleBinding changes, or anonymous API use.

False positive analysis

  • Security training, CTF-style images, or vendor diagnostics may include bash redirection or /dev/tcp examples; baseline approved images and break-glass accounts.
  • Some observability or mesh sidecars use socat or sockets in ways that could overlap; validate container image and command lineage.

Response and remediation

  • If malicious, terminate the exec session, isolate the workload or node, rotate credentials reachable from the pod, and revoke pods/exec for the abused principal unless strictly required.

Rule query

FROM logs-kubernetes.audit_logs-* metadata _id, _index, _version
| WHERE kubernetes.audit.objectRef.subresource == "exec"
  AND kubernetes.audit.requestURI LIKE "*command=*"
| EVAL decoded_uri = URL_DECODE(kubernetes.audit.requestURI)
| GROK decoded_uri "%{DATA}/exec\\?%{DATA:raw_commands}&(?:container|stdin|stdout|stderr)=%{GREEDYDATA}"
| EVAL command = REPLACE(raw_commands, "command=", "")
| EVAL command = REPLACE(command, "&", " ")
| EVAL Esql.executed_command = REPLACE(command, "\\+", " ")
| WHERE Esql.executed_command IS NOT NULL
  AND command RLIKE """.*(/dev/tcp/|/dev/udp/|zsh/net/tcp|zsh/net/udp|nc\s+-e|ncat\s+-e|netcat\s+-e|nc\s.*\s-c\s|mkfifo|socat\s.*exec|socat\s.*pty|bash\s+-i\s+>&|0>&1|>&\s*/dev/tcp|import\s+socket.*connect|import\s+pty.*spawn|socket\.socket.*connect|IO::Socket::INET|fsockopen|TCPSocket\.new|/inet/tcp/).*"""
  // exclude local service health check patterns
  AND NOT command RLIKE """.*/dev/tcp/(localhost|127\.0\.0\.1)/(8080|8443|9090|3000|5000|8888|80|443).*"""
| KEEP *
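To see how the decode, parse and match steps above behave on concrete audit entries, here is a Python re-implementation of the rule's pipeline run over constructed requestURI values; it is an added example, not part of the Elastic rule, and the flattened event shape and the helper names (extract_command, evaluate_event, run_rule) are assumptions. It uses parse_qsl in place of the URL_DECODE/GROK/REPLACE chain, and the two samples that share the /dev/tcp idiom show why the loopback exclusion exists.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Pattern lists copied from the rule's two RLIKE clauses.
SUSPICIOUS = re.compile(
    r"/dev/tcp/|/dev/udp/|zsh/net/tcp|zsh/net/udp|nc\s+-e|ncat\s+-e|netcat\s+-e|"
    r"nc\s.*\s-c\s|mkfifo|socat\s.*exec|socat\s.*pty|bash\s+-i\s+>&|0>&1|>&\s*/dev/tcp|"
    r"import\s+socket.*connect|import\s+pty.*spawn|socket\.socket.*connect|"
    r"IO::Socket::INET|fsockopen|TCPSocket\.new|/inet/tcp/"
)
LOCAL_HEALTHCHECK = re.compile(
    r"/dev/tcp/(localhost|127\.0\.0\.1)/(8080|8443|9090|3000|5000|8888|80|443)"
)

def extract_command(request_uri):
    """Stand-in for URL_DECODE + GROK + REPLACE: kubectl sends each argv element
    as its own command= parameter, so decode them all and join with spaces."""
    parts = urlsplit(request_uri)
    if not parts.path.endswith("/exec"):
        return None
    # parse_qsl percent-decodes and maps '+' to ' ', like REPLACE(command, "\\+", " ").
    argv = [v for k, v in parse_qsl(parts.query, keep_blank_values=True) if k == "command"]
    return " ".join(argv) if argv else None

def evaluate_event(event):
    """True when an audit event (flattened, hypothetical shape) would alert."""
    if event.get("objectRef.subresource") != "exec":
        return False
    command = extract_command(event.get("requestURI", ""))
    if not command:
        return False
    # Loopback /dev/tcp probes to well-known ports are the rule's single exclusion.
    return bool(SUSPICIOUS.search(command)) and not LOCAL_HEALTHCHECK.search(command)

def run_rule(events):
    """Return the decoded command of every event that would raise an alert."""
    return [extract_command(e["requestURI"]) for e in events if evaluate_event(e)]

# Constructed sample audit events (not real data). The first two use the same
# /dev/tcp idiom; only the one reaching a non-loopback host should fire.
SAMPLE_EVENTS = [
    {"objectRef.subresource": "exec", "requestURI": "/api/v1/namespaces/prod/pods/web-7c9/exec"
     "?command=bash&command=-c&command=exec+3%3C%3E%2Fdev%2Ftcp%2F203.0.113.5%2F4444&container=web&stdout=true"},
    {"objectRef.subresource": "exec", "requestURI": "/api/v1/namespaces/prod/pods/api-1/exec"
     "?command=bash&command=-c&command=exec+3%3C%3E%2Fdev%2Ftcp%2F127.0.0.1%2F8080&container=api&stdout=true"},
    {"objectRef.subresource": "exec", "requestURI": "/api/v1/namespaces/prod/pods/api-1/exec"
     "?command=ls&command=-la&container=api&stdout=true"},
    {"objectRef.subresource": "log", "requestURI": "/api/v1/namespaces/prod/pods/api-1/log"},
]
```

Running run_rule(SAMPLE_EVENTS) returns only the first event's decoded command; the loopback probe, the plain ls and the non-exec request are all dropped, mirroring the rule's WHERE clauses.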

Framework: MITRE ATT&CK™