Enumerate Pods (kubernetes)

Platform: kubernetes
Author: Leo Tsaousis
Last Update: 2024-12-02

Enumerate pods within the Leonidas namespace

MITRE IDs

T1580, T1613
Scope

This test case does not need cluster-wide permissions.

Required Permissions

- apiGroups:
  - ''
  namespaced: true
  resources:
  - pods
  verbs:
  - list

Required Parameters

None

Attacker Action

kubectl get pods

Detection Case

ELK query

When logs are ingested into ELK, the following query can be used to identify relevant events.

verb:list AND resource:pods

Sigma Definition

---
title: Enumerate pods
id: 18490e7b-f1f3-484a-806b-4cb16aa225ce
status: experimental
author: Leo Tsaousis
date: 2024-12-02
description: |
  Enumerate pods within the Leonidas namespace
logsource:
  product: kubernetes
  service: audit
detection:
  selection:
    verb: list
    resource: pods
  condition: selection
level: low
tags:
  - attack.T1580
  - attack.T1613
falsepositives:
  - Legitimate administrative activity. Investigate for similar activity from the same identity that could indicate enumeration attempts
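The following is an added example, not code from the Leonidas project, showing the detection above applied to Kubernetes audit log events and then grouped by identity, which is the follow-up the rule's false-positive note asks for. It assumes events follow the audit.k8s.io/v1 Event schema (top-level `verb` and `stage`, the resource under `objectRef`, the caller under `user.username`); the Sigma and ELK queries on this page use flattened field names, so the code maps `resource` to `objectRef.resource`. The audit lines, the identity names and the repeat threshold are constructed for this example.

```python
"""
Added example (not Leonidas project code): apply the Sigma selection from
this test case, `verb: list` and `resource: pods`, to Kubernetes audit log
events and flag identities that repeat the enumeration.

Assumptions: events follow the audit.k8s.io/v1 Event schema, where the verb
is a top-level field and the resource lives under objectRef. Only
ResponseComplete stage events are counted so that each request is seen once
(the API server also emits a RequestReceived event for the same call).
"""
import json
from collections import Counter

# Constructed sample audit events (one JSON object per line), as an audit
# webhook or log file would deliver them. Not real cluster data.
SAMPLE_AUDIT_LINES = [
    '{"stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:leonidas:test-runner"},"objectRef":{"resource":"pods","namespace":"leonidas"},"requestURI":"/api/v1/namespaces/leonidas/pods?limit=500"}',
    '{"stage":"RequestReceived","verb":"list","user":{"username":"system:serviceaccount:leonidas:test-runner"},"objectRef":{"resource":"pods","namespace":"leonidas"},"requestURI":"/api/v1/namespaces/leonidas/pods?limit=500"}',
    '{"stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"leonidas","name":"web-0"},"requestURI":"/api/v1/namespaces/leonidas/pods/web-0"}',
    '{"stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:leonidas:test-runner"},"objectRef":{"resource":"secrets","namespace":"leonidas"},"requestURI":"/api/v1/namespaces/leonidas/secrets"}',
    '{"stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:leonidas:test-runner"},"objectRef":{"resource":"pods","namespace":"default"},"requestURI":"/api/v1/namespaces/default/pods"}',
    '{"stage":"ResponseComplete","verb":"list","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"leonidas"},"requestURI":"/api/v1/namespaces/leonidas/pods"}',
]


def matches_selection(event: dict) -> bool:
    """Sigma selection from the rule: verb == list AND resource == pods.
    The rule does not filter by namespace, so neither does this check."""
    return (
        event.get("stage") == "ResponseComplete"
        and event.get("verb") == "list"
        and event.get("objectRef", {}).get("resource") == "pods"
    )


def find_pod_enumeration(lines):
    """Parse JSON lines and return the events that match the selection.
    Malformed lines are skipped rather than stopping the pipeline."""
    matches = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches_selection(event):
            matches.append(event)
    return matches


def enumeration_by_identity(matches):
    """Count matching events per identity. This is the pivot the rule's
    false-positive note asks an analyst to make: repeated listing by one
    identity is more notable than a single call."""
    return Counter(e.get("user", {}).get("username", "<unknown>") for e in matches)


def repeat_enumerators(matches, threshold=2):
    """Identities with at least `threshold` pod-list events.
    The threshold is an example value, not part of the Sigma rule."""
    return {user for user, n in enumeration_by_identity(matches).items() if n >= threshold}


if __name__ == "__main__":
    hits = find_pod_enumeration(SAMPLE_AUDIT_LINES)
    for e in hits:
        ns = e["objectRef"].get("namespace", "<cluster>")
        print(f"{e['user']['username']} listed pods in namespace {ns}")
    print("repeat enumerators:", sorted(repeat_enumerators(hits)))
```

On the sample input the selection matches three events: the RequestReceived duplicate, the single-pod `get`, and the `secrets` listing are all excluded. Grouping by identity then shows one identity listing pods twice across namespaces, which is the pattern worth a closer look according to the rule's false-positive guidance, while the single `list` by `alice` stays at the rule's `low` level.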