Creation Of Pod In System Namespace

Summary
This detection rule identifies the creation of pods in the kube-system namespace within Kubernetes, a critical area of the cluster that typically contains system-managed pods. Attackers may attempt to deploy malicious pods that mimic the naming conventions of legitimate system pods to avoid detection. System pods often have random suffixes added to their names by controllers like Deployments or DaemonSets. If a pod is created with a name resembling these system pods, such as 'kube-proxy-bv61v', this could indicate an attempted backdoor access. By monitoring the auditing logs for any pod creation events in the kube-system namespace, this rule aims to catch unauthorized deployments that repurpose the recognizable naming patterns of system pods. Such activity may signify adversarial tactics aimed at compromising system integrity or escaping detection.
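To make the summary concrete, here is an added example (not the SigmaHQ rule itself and not code from this page) that applies the described logic to Kubernetes API-server audit events in JSON-lines form. The field names (`verb`, `stage`, `objectRef.resource`, `objectRef.namespace`, `user.username`) follow the `audit.k8s.io/v1` event schema; the sample events are constructed, and the `KNOWN_CONTROLLER_USERS` set is an assumption added here for triage, going one step beyond the rule: it separates pod creations issued by the cluster's own controllers from creations made directly by some other principal, which is the case the summary calls out.

```python
import json
from typing import Iterable

# Principals that normally create pods in kube-system on a typical cluster.
# This allowlist is an assumption used only for triage; tune it to your cluster.
KNOWN_CONTROLLER_USERS = {
    "system:kube-controller-manager",
    "system:serviceaccount:kube-system:daemon-set-controller",
    "system:serviceaccount:kube-system:replicaset-controller",
    "system:serviceaccount:kube-system:job-controller",
    "system:serviceaccount:kube-system:statefulset-controller",
}

# Constructed sample audit.k8s.io/v1 events (one JSON object per line), not real data.
_SAMPLE_EVENTS = [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "RequestReceived",
     "verb": "create", "user": {"username": "system:serviceaccount:kube-system:daemon-set-controller"},
     "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "kube-proxy-bv61v"}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "create", "user": {"username": "system:serviceaccount:kube-system:daemon-set-controller"},
     "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "kube-proxy-bv61v"},
     "responseStatus": {"code": 201}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "create", "user": {"username": "dev-user"}, "sourceIPs": ["10.0.0.23"],
     "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "kube-proxy-x9k2q"},
     "responseStatus": {"code": 201}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "create", "user": {"username": "dev-user"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web-7f9c"},
     "responseStatus": {"code": 201}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "get", "user": {"username": "dev-user"},
     "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "kube-proxy-bv61v"},
     "responseStatus": {"code": 200}},
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in _SAMPLE_EVENTS)


def is_pod_create_in_kube_system(event: dict) -> bool:
    """Rule logic: a completed 'create' request for a pod in the kube-system namespace."""
    # The API server logs RequestReceived and ResponseComplete for the same request;
    # keying on ResponseComplete avoids double-counting one creation.
    if event.get("stage") != "ResponseComplete":
        return False
    ref = event.get("objectRef") or {}
    return (
        event.get("verb") == "create"
        and ref.get("resource") == "pods"
        and ref.get("namespace") == "kube-system"
    )


def classify_origin(event: dict) -> str:
    """Triage hint: 'controller' for known cluster controllers, 'direct' for anything else."""
    username = (event.get("user") or {}).get("username", "")
    return "controller" if username in KNOWN_CONTROLLER_USERS else "direct"


def scan(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-lines audit events and return one finding per matching pod creation."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        if not is_pod_create_in_kube_system(event):
            continue
        ref = event.get("objectRef") or {}
        findings.append({
            "pod": ref.get("name", ""),
            "user": (event.get("user") or {}).get("username", ""),
            "source_ips": event.get("sourceIPs", []),
            "origin": classify_origin(event),
            "status": (event.get("responseStatus") or {}).get("code"),
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT_LOG.splitlines()):
        print(finding)
```

Run against the constructed log, the scan reports both `kube-proxy-bv61v` (created by the DaemonSet controller, origin `controller`) and `kube-proxy-x9k2q` (created directly by `dev-user`, origin `direct`); the second is the kind of look-alike pod the rule is meant to surface, while the first is the expected steady-state noise a reviewer would tune out.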
Categories
  • Kubernetes
  • Cloud
Data Sources
  • Pod
  • Container
  • Application Log
Created: 2024-03-26