text code block:FROM logs-kubernetes.audit_logs-* metadata _id, _index, _version | WHERE kubernetes.audit.objectRef.subresource == "exec" AND kubernetes.audit.requestURI LIKE "*command=*" | EVAL decoded_uri = URL_DECODE(kubernetes.audit.requestURI) | GROK decoded_uri "%{DATA}/exec\\?%{DATA:raw_commands}&(?:container|stdin|stdout|stderr)=%{GREEDYDATA}" | EVAL command = REPLACE(raw_commands, "command=", "") | EVAL command = REPLACE(command, "&", " ") | EVAL Esql.executed_command = REPLACE(command, "\\+", " ") | WHERE Esql.executed_command IS NOT NULL | WHERE Esql.executed_command IS NOT NULL AND command RLIKE """.*(/dev/tcp/|/dev/udp/|zsh/net/tcp|zsh/net/udp|nc\s+-e|ncat\s+-e|netcat\s+-e|nc\s.*\s-c\s|mkfifo|socat\s.*exec|socat\s.*pty|bash\s+-i\s+>&|0>&1|>&\s*/dev/tcp|import\s+socket.*connect|import\s+pty.*spawn|socket\.socket.*connect|IO::Socket::INET|fsockopen|TCPSocket\.new|/inet/tcp/).*""" AND // local service health check patterns NOT command RLIKE """.*/dev/tcp/(localhost|127\.0\.0\.1)/(8080|8443|9090|3000|5000|8888|80|443).*""" | KEEP *
Install detection rules in Elastic Security
Detect Kubernetes Pod Exec Potential Reverse Shell in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).