Elastic Security Detection Rules

Kubernetes Container Created with Excessive Linux Capabilities

Last updated 6 months ago on 2025-06-18
Created 3 years ago on 2022-09-20

About

This rule detects a container deployed with one or more dangerously permissive Linux capabilities. An attacker with the ability to deploy a container with added capabilities could use this for further execution, lateral movement, or privilege escalation within a cluster. The capabilities detected in this rule have been used in container escapes to the host machine.
Tags
Data Source: KubernetesTactic: ExecutionTactic: Privilege EscalationLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Privilege Escalation (TA0004)(external, opens in a new tab or window)

Escape to Host (T1611)(external, opens in a new tab or window)

Execution (TA0002)(external, opens in a new tab or window)

Deploy Container (T1610)(external, opens in a new tab or window)

False Positive Examples
Some container images require the addition of privileged capabilities. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-kubernetes.audit_logs-*
Related Integrations

kubernetes(external, opens in a new tab or window)

Query
text code block:
event.dataset: kubernetes.audit_logs
  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
  and kubernetes.audit.verb: create
  and kubernetes.audit.objectRef.resource: pods
  and kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add: ("BPF" or "DAC_READ_SEARCH"  or "NET_ADMIN" or "SYS_ADMIN" or "SYS_BOOT" or "SYS_MODULE" or "SYS_PTRACE" or "SYS_RAWIO"  or "SYSLOG")
  and not kubernetes.audit.requestObject.spec.containers.image : ("docker.elastic.co/beats/elastic-agent:8.4.0" or "rancher/klipper-lb:v0.3.5" or "")

Install detection rules in Elastic Security

Detect Kubernetes Container Created with Excessive Linux Capabilities in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).