
Create Pod (kubernetes)

| Platform | Author | Last Update |
| --- | --- | --- |
| kubernetes | Leo Tsaousis | 2024-12-02 |

Deploy a malicious container.

For this test case, the example image for the rogue container is fetched from a public registry (`skybound/net-utils` carries no registry prefix, so it resolves to Docker Hub). In practice a rogue container may instead reuse an image that is already present in the cluster, repurposing it for the attacker's ends rather than pulling anything new.

MITRE IDs

- T1204.003 (User Execution: Malicious Image)
- T1578.002 (Modify Cloud Compute Infrastructure: Create Cloud Instance)

Scope

This test case does not need cluster-wide permissions; a namespaced Role granting `create` on `pods` in a single namespace is sufficient.

Required Permissions

```yaml
- apiGroups:
  - ''
  namespaced: true
  resources:
  - pods
  verbs:
  - create
```

Required Parameters

| Name | Type | Description | Example Value |
| --- | --- | --- | --- |
| podname | str | Name of the pod to be created | leonidas-netutils-pod |
| imagename | str | Name of the image to be used | skybound/net-utils |
| command | str | Command to execute within the new pod | sleep 3600 |

Attacker Action

```shell
kubectl run leonidas-netutils-pod --image skybound/net-utils --command -- sleep 3600
```

Detection Case

ELK query

When Kubernetes audit logs are ingested into ELK, the following query can be used to identify relevant events (the exact field names depend on how the audit events are mapped at ingestion). It matches every pod creation, including those performed by controllers and CI pipelines, so in a busy cluster it is a starting point for triage by user, namespace and image rather than an alert on its own.

verb:create AND resource:pods

Sigma Definition

```yaml
---
title: Create pod
id: 3c23ed24-51d0-4e29-bfa7-4ad26eaa27cd
status: experimental
author: Leo Tsaousis
date: 2024-12-02
description: |
  Deploy a malicious container.
  For this test case, the example image for the rogue container is fetched from a public repository, however rogue containers may use existing images for alternative purposes.
logsource:
  product: kubernetes
  service: audit
detection:
  selection:
    verb: create
    resource: pods
  condition: selection
level: low
tags:
  - attack.T1204.003
  - attack.T1578.002
references:
  - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/New%20Container/
```
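The detection above, both the ELK query and the Sigma selection, run over audit events as an added example; this is not code from the Leonidas project. The audit events are constructed here following the `audit.k8s.io/v1` Event shape (`verb`, `stage`, `user`, `objectRef`, `requestObject`), and the allow-listed registry `registry.internal.example` is an assumption. Beyond the page's rule, the example de-duplicates the `RequestReceived` and `ResponseComplete` stages of one request and pulls the container images out of the request body, which is what makes a `low`-severity "pod created" hit actionable.

```python
"""Added example: the page's detection (verb: create AND resource: pods)
applied to Kubernetes audit events, plus a triage step. Not code from the
Leonidas project; the audit events are constructed here and the
allow-listed registry (registry.internal.example) is an assumption."""
import json

# Constructed audit.k8s.io/v1 events as JSON lines. Event 2 is the
# RequestReceived stage of the same request as event 1, which a naive
# rule counts twice when the audit policy level is RequestResponse.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "stage": "ResponseComplete",
     "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "default",
                   "name": "leonidas-netutils-pod"},
     "requestObject": {"spec": {"containers": [
         {"name": "leonidas-netutils-pod", "image": "skybound/net-utils",
          "command": ["sleep", "3600"]}]}},
     "responseStatus": {"code": 201}},
    {"verb": "create", "stage": "RequestReceived",
     "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "default",
                   "name": "leonidas-netutils-pod"},
     "requestObject": {"spec": {"containers": [
         {"name": "leonidas-netutils-pod", "image": "skybound/net-utils"}]}}},
    {"verb": "get", "stage": "ResponseComplete",
     "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web-0"}},
    {"verb": "create", "stage": "ResponseComplete",
     "user": {"username": "alice"},
     "objectRef": {"resource": "deployments", "namespace": "default", "name": "web"}},
    {"verb": "create", "stage": "ResponseComplete",
     "user": {"username": "system:serviceaccount:kube-system:replicaset-controller"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web-7d9f"},
     "requestObject": {"spec": {"containers": [
         {"name": "web", "image": "registry.internal.example/app:1.2"}]}},
     "responseStatus": {"code": 201}},
])

# Assumption for the example: the registry the organisation normally pulls from.
ALLOWED_REGISTRIES = {"registry.internal.example"}


def parse_audit_log(text):
    """Parse a JSON-lines audit log into event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches_create_pod(event):
    """The Sigma selection from the page: verb=create AND resource=pods."""
    return (event.get("verb") == "create"
            and event.get("objectRef", {}).get("resource") == "pods")


def pod_images(event):
    """Images the new pod would run. Only present when the audit policy
    records the request body (level Request or RequestResponse)."""
    spec = event.get("requestObject", {}).get("spec", {})
    return [c["image"]
            for key in ("initContainers", "containers", "ephemeralContainers")
            for c in spec.get(key, []) if "image" in c]


def image_registry(image):
    """Registry host of an image reference; a bare 'user/name' or 'name'
    reference resolves to Docker Hub (docker.io)."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def triage(events, allowed_registries=ALLOWED_REGISTRIES):
    """Apply the rule once per request (ResponseComplete stage only) and
    flag images pulled from outside the allow-listed registries."""
    findings = []
    for ev in events:
        if not matches_create_pod(ev) or ev.get("stage") != "ResponseComplete":
            continue
        images = pod_images(ev)
        findings.append({
            "user": ev.get("user", {}).get("username"),
            "namespace": ev["objectRef"].get("namespace"),
            "pod": ev["objectRef"].get("name"),
            "images": images,
            "external_images": [i for i in images
                                if image_registry(i) not in allowed_registries],
        })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(finding)
```

Two points worth keeping in mind when porting this to a real pipeline: the `requestObject` body is only written when the audit policy records pods at level `Request` or `RequestResponse`, so at the common `Metadata` level `pod_images` returns nothing and the rule degrades to the page's plain verb/resource match; and pods created by controllers (the replicaset-controller entry above) also match, so triage by the requesting principal and the image registry rather than suppressing the rule outright.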