Offensive Kubernetes tool executed


Goal

A known Kubernetes attack tool has been executed.

Strategy

This rule triggers whenever a known tool used during Kubernetes penetration testing has been executed. Such tools are commonly used to gather information about the Kubernetes environment in order to facilitate lateral movement and privilege escalation.

Triage and response

  1. Determine whether the tool usage is authorized, for example as part of an authorized penetration test.
  2. If the activity is not authorized, investigate the activity surrounding the execution of the tool.
  3. Many of these tools require access to the Kubernetes API. Identify the accounts used to execute the command and revoke their credentials.
  4. Begin the incident response process to find and revoke the initial access vector.

Requires Agent version 7.27 or greater