Create Pod (kubernetes)
| Platform | Author | Last Update | 
|---|---|---|
| kubernetes | Leo Tsaousis | 2024-12-02 | 
Deploy a malicious container.
For this test case the example image for the rogue container is pulled from a public registry; in practice a rogue container may just as well reuse an image that already exists in the cluster, repurposed for the attacker's ends.
MITRE IDs
- T1204.003 (User Execution: Malicious Image)
- T1578.002 (Modify Cloud Compute Infrastructure: Create Cloud Instance)
Scope
This test case does not need cluster-wide permissions; a namespaced Role granting `create` on `pods` in the target namespace is sufficient.
Required Permissions
```yaml
- apiGroups:
    - ''
  namespaced: true
  resources:
    - pods
  verbs:
    - create
```
Required Parameters
| Name | Type | Description | Example Value | 
|---|---|---|---|
| podname | str | Name of the pod to be created | leonidas-netutils-pod | 
| imagename | str | Name of the image to be used | skybound/net-utils | 
| command | str | Command to execute within the new pod | sleep 3600 | 
Attacker Action
```shell
kubectl run leonidas-netutils-pod --image skybound/net-utils --command -- sleep 3600
```
Detection Case
ELK query
When logs are ingested into ELK, the following query can be used to identify relevant events.
```
verb:create AND resource:pods
```
Sigma Definition
```yaml
---
title: Create pod
id: 3c23ed24-51d0-4e29-bfa7-4ad26eaa27cd
status: experimental
author: Leo Tsaousis
date: 2024-12-02
description: |
  Deploy a malicious container.
  For this test case, the example image for the rogue container is fetched from a public repository, however rogue containers may use existing images for alternative purposes.
logsource:
  product: kubernetes
  service: audit
detection:
  selection:
    verb: create
    resource: pods
  condition: selection
level: low
tags:
- attack.T1204.003
- attack.T1578.002
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/New%20Container/
```
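The ELK query and the Sigma rule above both reduce to "verb is create and the resource is pods", which fires on every pod creation in the cluster, including the pods that the ReplicaSet controller creates for ordinary Deployments; that is why the rule is rated `level: low`. The following is an added example, not part of the Leonidas test case or its Sigma rule: it applies that selection to Kubernetes audit log lines and then enriches each match with the fields an analyst would triage on (requesting principal, image, namespace, outcome). The audit events are constructed for illustration, with field names following the `audit.k8s.io/v1` Event schema; the `TRUSTED_REGISTRIES` allow-list and the "created by a kube-system controller" heuristic are assumptions, not something the page specifies.

```python
"""Added example: run the page's `verb:create AND resource:pods` detection over
Kubernetes audit events and enrich the hits for triage.

Not part of the Leonidas project. Field names follow the audit.k8s.io/v1 Event
schema; the sample events, the registry allow-list and the controller heuristic
are constructed assumptions for this example."""
import json

# Constructed audit log (one JSON event per line), as kube-apiserver would write
# with an audit policy that records pods at RequestResponse level.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {   # the test case itself: kubectl run by a namespaced human user
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": "create",
        "user": {"username": "dev-user", "groups": ["system:authenticated"]},
        "objectRef": {"resource": "pods", "namespace": "default",
                      "name": "leonidas-netutils-pod"},
        "requestObject": {"spec": {"containers": [
            {"name": "leonidas-netutils-pod", "image": "skybound/net-utils",
             "command": ["sleep", "3600"]}]}},
        "responseStatus": {"code": 201},
        "userAgent": "kubectl/v1.31.0",
    },
    {   # routine churn: the ReplicaSet controller creating a Deployment's pod
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": "create",
        "user": {"username": "system:serviceaccount:kube-system:replicaset-controller"},
        "objectRef": {"resource": "pods", "namespace": "shop"},
        "requestObject": {"spec": {"containers": [
            {"name": "web", "image": "registry.internal.example/shop/web:1.4.2"}]}},
        "responseStatus": {"code": 201},
    },
    {   # not a create: listing pods must not match
        "kind": "Event", "verb": "list", "user": {"username": "dev-user"},
        "objectRef": {"resource": "pods", "namespace": "default"},
        "responseStatus": {"code": 200},
    },
    {   # create of a different resource must not match
        "kind": "Event", "verb": "create", "user": {"username": "dev-user"},
        "objectRef": {"resource": "configmaps", "namespace": "default"},
        "responseStatus": {"code": 201},
    },
])

# Assumed allow-list of image registry prefixes (not from the page).
TRUSTED_REGISTRIES = ("registry.internal.example/",)


def parse_audit_log(text):
    """Yield one event dict per non-empty line; skip lines that are not JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def sigma_match(event):
    """The page's Sigma selection: verb == create AND objectRef.resource == pods."""
    return (event.get("verb") == "create"
            and event.get("objectRef", {}).get("resource") == "pods")


def enrich(event):
    """Pull out the fields an analyst needs to decide whether a hit matters."""
    spec = event.get("requestObject", {}).get("spec", {})
    images = [c.get("image", "") for c in spec.get("containers", [])]
    user = event.get("user", {}).get("username", "")
    return {
        "user": user,
        "namespace": event["objectRef"].get("namespace"),
        "pod": event["objectRef"].get("name"),
        "images": images,
        # Anything outside the allow-list counts as untrusted (assumption).
        "untrusted_image": any(not img.startswith(TRUSTED_REGISTRIES) for img in images),
        # Pods created by kube-system controllers are normal Deployment churn (heuristic).
        "by_controller": user.startswith("system:serviceaccount:kube-system:"),
        "succeeded": event.get("responseStatus", {}).get("code") in (200, 201),
    }


def detect(text):
    """Every event the page's rule would flag, enriched."""
    return [enrich(e) for e in parse_audit_log(text) if sigma_match(e)]


def triage(text):
    """Only the hits worth escalating: a non-controller principal pulling an untrusted image."""
    return [m for m in detect(text) if m["untrusted_image"] and not m["by_controller"]]


if __name__ == "__main__":
    for hit in triage(SAMPLE_AUDIT_LOG):
        print(hit)
```

In a real ELK pipeline the bare `verb` and `resource` fields of the page's query correspond to `verb` and `objectRef.resource` of the audit event; the exact field path depends on how the ingest pipeline flattens the event, so check the mapping before copying the query. The rule on its own is a good tripwire for test coverage, but `triage()` shows the extra conditions (requesting principal, image source) a practitioner would add before letting it page anyone.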