Offensive Kubernetes tool executed


Goal

A known Kubernetes attack tool has been executed.

Strategy

This rule identifies whenever a known tool used during Kubernetes penetration testing has been executed. These tools are often used to gather information about the Kubernetes environment to facilitate lateral movement and privilege escalation.

Triage and response

  1. Determine if the tool usage is authorized or part of an authorized penetration test.
  2. If the activity is not authorized, examine the activity surrounding the execution of the tool.
  3. Usage of many of these tools requires access to the Kubernetes API. Identify and revoke accounts used to execute the command.
  4. Begin the incident response process to find and revoke the initial access vector.
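As an added example (not part of this rule documentation or the Agent's own logic), the Python below applies the detection described under Strategy to constructed process-execution events and carries the pod and user into each alert so that step 3 of the triage (identify the account that ran the tool) has what it needs. The tool names, the event shape and the interpreter handling are assumptions for illustration; the rule's actual tool list is not given on this page.

```python
import json
import os

# Illustrative names of publicly known Kubernetes offensive tools. Assumption:
# the rule's real list is maintained by the vendor and is not on this page.
KNOWN_K8S_ATTACK_TOOLS = {"kube-hunter", "peirates", "kubeletctl", "kdigger"}
# Interpreters whose first non-flag argument, not the binary, names what ran.
INTERPRETERS = {"python", "python3", "bash", "sh"}

# Constructed process-execution events in a simplified JSON shape (assumed).
SAMPLE_EVENTS = [
    '{"ts":"2024-05-01T10:00:01Z","pod":"api-7d9f","user":"app","exe":"/usr/bin/curl","args":["curl","https://example.internal"]}',
    '{"ts":"2024-05-01T10:00:07Z","pod":"api-7d9f","user":"root","exe":"/tmp/.cache/peirates","args":["peirates"]}',
    '{"ts":"2024-05-01T10:00:09Z","pod":"worker-2a1c","user":"app","exe":"/usr/bin/python3","args":["python3","/tmp/kube-hunter.py"]}',
    '{"ts":"2024-05-01T10:00:12Z","pod":"api-7d9f","user":"app","exe":"/bin/sh","args":["sh","-c","id"]}',
]


def _program_name(exe: str, args: list[str]) -> str:
    """Name that best identifies what ran: the executable's basename, or, for
    an interpreter, the basename of the script it was handed (without .py)."""
    name = os.path.basename(exe)
    if name in INTERPRETERS:
        for arg in args[1:]:
            if not arg.startswith("-"):  # first non-flag argument is the script
                name = os.path.basename(arg)
                break
    return name.removesuffix(".py")


def detect_attack_tool_execs(lines: list[str]) -> list[dict]:
    """One alert per event whose program matches a known attack tool, with the
    pod and user that executed it (triage step 3)."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        program = _program_name(ev["exe"], ev.get("args", []))
        if program in KNOWN_K8S_ATTACK_TOOLS:
            alerts.append({"ts": ev["ts"], "pod": ev["pod"], "user": ev["user"],
                           "tool": program, "exe": ev["exe"]})
    return alerts


if __name__ == "__main__":
    for a in detect_attack_tool_execs(SAMPLE_EVENTS):
        print(f"{a['ts']} pod={a['pod']} user={a['user']} tool={a['tool']} exe={a['exe']}")
```

Matching on the program name only is the weak point of this approach: a renamed binary slips past it, so treat a hit as high-confidence and a miss as no evidence either way, and corroborate with the surrounding activity from step 2.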

Requires Agent version 7.27 or greater