
Sidecar Injection (kubernetes)

Platform    Author        Last Update
kubernetes  Leo Tsaousis  2024-12-02

Inject a sidecar container into a running deployment

A sidecar container is an additional container that resides alongside the main container within the pod. Containers can be added to running resources like Deployments/DaemonSets/StatefulSets by means of "kubectl patch". By injecting a new container into a legitimate pod, attackers can run their code and hide their activity instead of running their own separate pod in the cluster.

MITRE IDs

Scope

This test case does not need Cluster-wide permissions

Required Permissions

- apiGroups:
  - apps
  namespaced: true
  resources:
  - deployments
  verbs:
  - get
  - patch

Required Parameters

Name        Type  Description                      Example Value
deployment  str   Name of the deployment to patch  patchable-deployment

Attacker Action

kubectl patch deployment patchable-deployment --patch-file /tmp/custom.yml

Detection Case

ELK query

When logs are ingested into ELK, the following query can be used to identify relevant events.

verb:patch AND apiGroup:apps AND resource:deployments

Sigma Definition

---
title: Sidecar Injection
id: ad9012a6-e518-4432-9890-f3b82b8fc71f
status: experimental
author: Leo Tsaousis
date: 2024-12-02
description: |
  Inject a sidecar container into a running deployment
  A sidecar container is an additional container that resides alongside the main container within the pod. Containers can be added to running resources like Deployments/DaemonSets/StatefulSets by means of "kubectl patch". By injecting a new container into a legitimate pod, attackers can run their code and hide their activity instead of running their own separate pod in the cluster.
logsource:
  product: kubernetes
  service: audit
detection:
  selection:
    verb: patch
    apiGroup: apps
    resource: deployments
  condition: selection
level: low
tags:
  - attack.T609
references:
  - https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch
  - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/
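As an added example that is not part of this page or its project, the following Python applies the Sigma selection above to constructed kube-apiserver audit events and, where the audit policy records requestObject (level Request or RequestResponse), narrows the low-severity match to patches that introduce a container name the deployment is not expected to have. The sample events, the REF/SAMPLE_AUDIT_LOG names and the expected-container map are assumptions.

```python
import json
# Constructed sample audit events (not from a real cluster), one JSON object per
# line: a patch adding a container, a routine image bump, and a read to ignore.
REF = {"apiGroup": "apps", "resource": "deployments",
       "namespace": "default", "name": "patchable-deployment"}
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "patch", "user": {"username": "dev-user"}, "objectRef": REF,
     "requestObject": {"spec": {"template": {"spec": {"containers": [
         {"name": "sidecar", "image": "busybox"}]}}}}},
    {"verb": "patch", "user": {"username": "ci-bot"}, "objectRef": REF,
     "requestObject": {"spec": {"template": {"spec": {"containers": [
         {"name": "app", "image": "nginx:1.27"}]}}}}},
    {"verb": "get", "user": {"username": "dev-user"}, "objectRef": REF},
])

def audit_events(raw):
    """Yield one dict per non-empty line of a JSON-lines audit log."""
    for line in raw.splitlines():
        if line.strip():
            yield json.loads(line)

def matches_sigma_selection(event):
    """The page's Sigma selection: verb=patch, apiGroup=apps, resource=deployments."""
    ref = event.get("objectRef") or {}
    return (event.get("verb") == "patch" and ref.get("apiGroup") == "apps"
            and ref.get("resource") == "deployments")

def patched_container_names(event):
    """Container names in the patch body. requestObject is only present when the
    audit policy logs this resource at level Request or RequestResponse."""
    try:
        containers = event["requestObject"]["spec"]["template"]["spec"]["containers"]
    except (KeyError, TypeError):
        return []
    return [c["name"] for c in containers if isinstance(c, dict) and "name" in c]

def find_sidecar_injections(raw, known_containers):
    """Narrow the low-severity Sigma match to patches that introduce a container
    name outside the deployment's expected set ('namespace/name' -> set)."""
    hits = []
    for ev in audit_events(raw):
        if not matches_sigma_selection(ev):
            continue
        ref = ev["objectRef"]
        key = f"{ref.get('namespace')}/{ref.get('name')}"
        new = set(patched_container_names(ev)) - known_containers.get(key, set())
        if new:
            hits.append((key, (ev.get("user") or {}).get("username"), sorted(new)))
    return hits
```

The expected-container map would in practice be built from the deployment manifests in version control or from a snapshot of the cluster taken before the test.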