<  Back to rules search

User Exec into a Pod


Set up the kubernetes integration.



Detect when a user execs into a pod.


This rule monitors when a user execs (@objectRef.subresource:exec) into to a pod (@objectRef.resource:pods).

A user should not need to exec into a pod. Execing into a pod allows a user to execute any process in container which is not already running. It is most common to execute the bash process to gain an interactive shell. If this is an attacker, they can access any data which the pod has permissions to, including secrets.

Triage and response

  1. Determine if the user should be execing into a running container.