heroui logo

GKE Pod Created With HostPID

Elastic Detection Rules

View Source
Summary
This rule detects GKE pod lifecycle events that enable host PID namespace sharing, which can expose host processes and facilitate privilege escalation (e.g., via ptrace or privileged containers). It triggers on GCP audit logs for Kubernetes pod create, update, or patch actions where the pod spec sets hostPID to true, while excluding system identities and controller-owned workloads. Specifically, it looks for data_stream.dataset:gcp.audit with event.action: (io.k8s.core.v1.pods.create, io.k8s.core.v1.pods.update, io.k8s.core.v1.pods.patch) and gcp.audit.request.spec.hostPID:true, and excludes user.email:system:* and ownerReferences.kind in (ReplicaSet, DaemonSet, StatefulSet). The rule maps to MITRE ATT&CK techniques Escape to Host (T1611) under Privilege Escalation and Deploy Container (T1610) under Execution. For triage, investigate the actor identity, target pod, and images, and correlate with potential exec, secret access, or RBAC changes by the same identity. False positives include break-glass/admin workflows; baselining by user or namespace can reduce noise. Setup notes indicate the GCP Fleet integration with GKE audit logs is required for compatibility.
Categories
  • Cloud
  • Kubernetes
Data Sources
  • Pod
ATT&CK Techniques
  • T1611
  • T1610
Created: 2026-06-30