Offensive Kubernetes tool executed


Goal

A known Kubernetes attack tool has been executed.

Strategy

This rule triggers whenever a tool known to be used in Kubernetes penetration testing is executed. Such tools are typically run to enumerate the Kubernetes environment (API access, service account tokens, pods and secrets) as groundwork for lateral movement and privilege escalation.

Triage and response

  1. Determine whether the tool execution is authorized, for example as part of a sanctioned penetration test.
  2. If the activity is not authorized, review the activity surrounding the execution of the tool (parent process, container and pod, and API calls made from it).
  3. Most of these tools require access to the Kubernetes API. Identify the accounts (service accounts or users) used to execute the command and revoke them.
  4. Begin the incident response process to find and close the initial access vector.
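The following is an added example, not code from the rule page or from the Agent, that shows the two halves of this rule in miniature: the detection itself (matching process-execution events against a list of known tool binary names) and triage step 3 (pulling the API identities that called the API server from the same pod around the time of execution, so they can be reviewed and revoked). The tool list, the process events and the audit entries are all constructed for illustration; the rule page does not publish its real indicator list, and the audit entries use only a subset of the real Kubernetes audit Event fields (`user.username`, `sourceIPs`, `verb`, `objectRef.resource`).

```python
"""Added example: detect execution of known Kubernetes attack tools from
process events, then list the API accounts that should be reviewed."""
from __future__ import annotations

import os
import shlex
from datetime import datetime, timedelta
from typing import Optional

# Assumed example list of binary names of publicly known Kubernetes
# enumeration tools. This is an illustration, not the rule's indicator list.
KNOWN_K8S_ATTACK_TOOLS = {"kube-hunter", "peirates", "kubeletctl"}

# Constructed process-execution events (not real telemetry).
PROCESS_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "pod": "web-7d9f", "pod_ip": "10.244.1.5",
     "args": "nginx -g 'daemon off;'"},
    {"ts": "2024-05-01T10:05:12Z", "pod": "web-7d9f", "pod_ip": "10.244.1.5",
     "args": "python3 /tmp/kube-hunter --pod"},
    {"ts": "2024-05-01T10:06:40Z", "pod": "batch-1a2b", "pod_ip": "10.244.2.9",
     "args": "./peirates"},
]

# Constructed Kubernetes API-server audit entries (subset of the audit
# Event schema). The last entry is from the same pod IP but hours later,
# outside the correlation window.
AUDIT_EVENTS = [
    {"requestReceivedTimestamp": "2024-05-01T10:05:30Z",
     "user": {"username": "system:serviceaccount:default:web-sa"},
     "sourceIPs": ["10.244.1.5"], "verb": "list",
     "objectRef": {"resource": "secrets"}},
    {"requestReceivedTimestamp": "2024-05-01T10:07:01Z",
     "user": {"username": "system:serviceaccount:batch:runner-sa"},
     "sourceIPs": ["10.244.2.9"], "verb": "list",
     "objectRef": {"resource": "pods"}},
    {"requestReceivedTimestamp": "2024-05-01T12:00:00Z",
     "user": {"username": "alice@example.com"},
     "sourceIPs": ["10.244.1.5"], "verb": "get",
     "objectRef": {"resource": "pods"}},
]


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_tool_execution(event: dict) -> Optional[str]:
    """Return the matched tool name if any argv token's basename is a known
    tool binary, so both `./peirates` and `python3 /tmp/kube-hunter` match."""
    for token in shlex.split(event["args"]):
        if os.path.basename(token) in KNOWN_K8S_ATTACK_TOOLS:
            return os.path.basename(token)
    return None


def find_detections(events: list[dict]) -> list[dict]:
    """Every matching process event, annotated with the matched tool name."""
    out = []
    for ev in events:
        tool = detect_tool_execution(ev)
        if tool:
            out.append({**ev, "tool": tool})
    return out


def accounts_to_review(detections: list[dict], audit_events: list[dict],
                       window: timedelta = timedelta(minutes=10)) -> dict:
    """Triage step 3: for each detection, collect the API identities that
    called the API server from the detection's pod IP within +/- window.
    These are the credentials reachable from the pod at the time."""
    result: dict = {}
    for det in detections:
        t0 = _parse_ts(det["ts"])
        users = set()
        for au in audit_events:
            ta = _parse_ts(au["requestReceivedTimestamp"])
            if det["pod_ip"] in au.get("sourceIPs", []) and abs(ta - t0) <= window:
                users.add(au["user"]["username"])
        result[(det["pod"], det["tool"])] = users
    return result


if __name__ == "__main__":
    dets = find_detections(PROCESS_EVENTS)
    for (pod, tool), users in accounts_to_review(dets, AUDIT_EVENTS).items():
        print(f"{tool} executed in pod {pod}; accounts to review: {sorted(users)}")
```

Matching on the basename of every argument, rather than only on the process name, is what catches interpreter-launched tools; the correlation window is deliberately narrow so that routine API calls from the same pod hours later (the `alice@example.com` entry) do not end up in the revocation list.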

Requires Agent version 7.27 or later.