Kubernetes Static Pod Manifest File Access

About

Tags

Data Source: Auditd ManagerData Source: Elastic DefendDomain: EndpointDomain: KubernetesDomain: ContainerOS: LinuxUse Case: Threat DetectionTactic: PersistenceTactic: Privilege EscalationLanguage: kuery

Severity

medium

Risk Score

47

MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

↳ Scheduled Task/Job (T1053)(external, opens in a new tab or window)

Privilege Escalation (TA0004)(external, opens in a new tab or window)

↳ Create or Modify System Process (T1543)(external, opens in a new tab or window)

False Positive Examples

Cluster provisioning (kubeadm), configuration management, or administrators editing manifests during maintenance may match. Baseline approved automation and interactive admin sessions on control plane nodes.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Query (Kibana Query Language)

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

auditbeat-*logs-auditd_manager.auditd-*logs-endpoint.events.process*

Related Integrations

endpoint(external, opens in a new tab or window)

auditd_manager(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗host.os.type:linux and event.category:process and event.action:(exec or executed) and 
process.name:(
  bash or sh or dash or zsh or 
  cat or cp or mv or touch or tee or dd or
  sed or awk or 
  curl or wget or scp or
  vi or vim or nano or echo or
  busybox or
  python* or perl* or ruby* or node or lua* or
  openssl or base64 or xxd or
  .*) and 
  process.args:(*/etc/kubernetes/manifests/* and not (/etc/kubernetes/manifests/etcd* or /etc/kubernetes/manifests/kube-apiserver* or /etc/kubernetes/manifests/kube-scheduler* or /etc/kubernetes/manifests/kube-controller-manager*))