Elastic Security Detection Rules

Kubernetes Pod Created With HostPID

Last updated 2 months ago on 2025-06-18
Created 3 years ago on 2022-07-05

About

This rule detects an attempt to create or modify a pod attached to the host PID namespace. HostPID allows a pod to access all the processes running on the host and could allow an attacker to take malicious action. When paired with ptrace this can be used to escalate privileges outside of the container. When paired with a privileged container, the pod can see all of the processes on the host. An attacker can enter the init system (PID 1) on the host. From there, they could execute a shell and continue to escalate privileges to root.
Tags
Data Source: KubernetesTactic: ExecutionTactic: Privilege EscalationLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Privilege Escalation (TA0004)(opens in a new tab or window)

Escape to Host (T1611)(opens in a new tab or window)

Execution (TA0002)(opens in a new tab or window)

Deploy Container (T1610)(opens in a new tab or window)

False Positive Examples
An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field "kubernetes.audit.requestObject.spec.container.image"
License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-kubernetes.audit_logs-*
Related Integrations

kubernetes(opens in a new tab or window)

Query
event.dataset : "kubernetes.audit_logs"
  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
  and kubernetes.audit.objectRef.resource:"pods"
  and kubernetes.audit.verb:("create" or "update" or "patch")
  and kubernetes.audit.requestObject.spec.hostPID:true
  and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")

Install detection rules in Elastic Security

Detect Kubernetes Pod Created With HostPID in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).