Offensive Kubernetes tool executed

Goal

Detect the execution of a known Kubernetes attack tool.

Strategy

This rule triggers when a process matching a known Kubernetes penetration-testing or attack tool is executed. Attackers typically use these tools to enumerate the Kubernetes environment (the API server, the kubelet, mounted service-account tokens, and the RBAC permissions they grant) as groundwork for lateral movement and privilege escalation.

Triage and response

  1. Determine whether the execution was authorized, for example as part of a scheduled penetration test or an internal security assessment.
  2. If it was not authorized, review the activity surrounding the execution: the process tree and command line, the pod and node it ran on, and any network connections or files created around that time.
  3. Many of these tools need access to the Kubernetes API. Identify the credentials the tool used (typically the pod's mounted service-account token or a kubeconfig on the host), check the API audit log for what that identity did, and revoke or rotate the credentials, for example by deleting the service account's token secret or the service account itself.
  4. Begin the incident response process to find and close the initial access vector.
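
The following is an added example, not Datadog's detection logic or any code from this page. It illustrates both the strategy above (flagging process executions that match known Kubernetes attack tools) and triage step 3 (working out which API identities the tool used so they can be revoked). The tool watch-list, the event and audit-entry shapes, and the pivot from pod IP to audit `sourceIPs` are all assumptions; the process events and audit entries are constructed inline.

```python
"""Illustrative detection and triage helper for the 'Offensive Kubernetes tool
executed' rule. Added example, not Datadog's rule logic. It flags process
executions matching a watch-list of Kubernetes attack tools, then correlates
each hit with API-server audit entries from the same pod shortly afterwards
to surface the identities that should be reviewed and revoked."""
from datetime import datetime, timedelta, timezone

# Hypothetical watch-list of real, publicly available Kubernetes attack and
# enumeration tools. The rule's actual list is not published on this page.
OFFENSIVE_TOOLS = {"kube-hunter", "peirates", "kubeletctl", "kdigger", "kubiscan"}

# Constructed process-execution events, shaped like agent telemetry (not real).
PROCESS_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "pod": "web-7d9f", "pod_ip": "10.244.1.7",
     "comm": "python3", "argv": ["python3", "app.py"]},
    {"ts": "2024-05-01T10:02:10Z", "pod": "web-7d9f", "pod_ip": "10.244.1.7",
     "comm": "peirates", "argv": ["/tmp/peirates"]},
    {"ts": "2024-05-01T10:05:00Z", "pod": "ci-runner-1", "pod_ip": "10.244.2.3",
     "comm": "kube-hunter", "argv": ["kube-hunter", "--remote", "10.0.0.1"]},
]

# Constructed API-server audit entries (a subset of the audit.k8s.io fields).
AUDIT_ENTRIES = [
    {"ts": "2024-05-01T10:02:15Z", "user": "system:serviceaccount:default:web",
     "sourceIPs": ["10.244.1.7"], "verb": "list", "resource": "secrets"},
    {"ts": "2024-05-01T10:02:20Z", "user": "system:serviceaccount:default:web",
     "sourceIPs": ["10.244.1.7"], "verb": "create", "resource": "pods"},
    {"ts": "2024-05-01T10:05:30Z", "user": "system:serviceaccount:ci:runner",
     "sourceIPs": ["10.244.2.3"], "verb": "get", "resource": "nodes"},
    {"ts": "2024-05-01T11:00:00Z", "user": "system:serviceaccount:default:web",
     "sourceIPs": ["10.244.1.7"], "verb": "get", "resource": "configmaps"},
]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def tool_name(event):
    """Return the watch-listed tool an event matches, or None.

    Checks both the process name and the basename of argv[0], since dropped
    binaries are often run from /tmp or another unusual path."""
    candidates = {event["comm"]}
    if event.get("argv"):
        candidates.add(event["argv"][0].rsplit("/", 1)[-1])
    hits = candidates & OFFENSIVE_TOOLS
    return next(iter(hits)) if hits else None


def flag_offensive_tools(events):
    """Return the events that match the watch-list, annotated with the tool."""
    return [dict(e, tool=t) for e in events if (t := tool_name(e))]


def correlate_api_access(hits, audit_entries, window_seconds=300):
    """For each flagged execution, collect the API identities seen from the
    pod's IP within `window_seconds` after the tool started.

    Returns {pod: set(of usernames)}. Pivoting on sourceIPs is an assumption:
    it only works when the pod talks to the API server directly (no
    hostNetwork, no NAT in front of the API server)."""
    result = {}
    for h in hits:
        start = _parse_ts(h["ts"])
        end = start + timedelta(seconds=window_seconds)
        result[h["pod"]] = {
            a["user"] for a in audit_entries
            if h["pod_ip"] in a["sourceIPs"] and start <= _parse_ts(a["ts"]) <= end
        }
    return result


if __name__ == "__main__":
    hits = flag_offensive_tools(PROCESS_EVENTS)
    for pod, identities in correlate_api_access(hits, AUDIT_ENTRIES).items():
        print(f"{pod}: review and revoke {sorted(identities)}")
```

The identities this returns are the ones to check against the API audit log and revoke; in the constructed data, the `peirates` run in pod `web-7d9f` is followed by the `default:web` service account listing secrets and creating pods, which is exactly the lateral-movement pattern the rule is meant to surface.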

Requires Agent version 7.27 or greater