heroui logo

GKE Privileged Pod Created

Elastic Detection Rules

View Source
Summary
This rule detects successful GKE pod creation events in Google Cloud Platform (GCP) where any container in the pod has allowPrivilegeEscalation set to true. AllowPrivilegeEscalation permits a process to gain elevated privileges, potentially breaking container isolation and enabling a path to host access. The rule explicitly targets standalone Pods (excluding those owned by ReplicaSet, DaemonSet, or StatefulSet controllers) to catch ad-hoc or attacker-created workloads. It relies on GCP audit logs (logs-gcp.audit-*) and Kuery syntax to match: event.action io.k8s.core.v1.pods.create, event.outcome:success, gcp.audit.request.spec.containers.securityContext.allowPrivilegeEscalation:true, and not gcp.audit.request.metadata.ownerReferences.kind in (ReplicaSet, DaemonSet, StatefulSet). Triage should review the actor and source (user.email, source.ip, user_agent.original) and inspect the pod spec in gcp.audit.request, container images, and securityContext details; correlate with RBAC changes, secret access, or exec activity from the same identity. False positives include one-off admin debugging pods; baselining and excluding trusted namespaces or patterns can reduce noise. Setup requires GKE audit logging with the GCP Fleet integration. References to Google Kubernetes Engine audit logging and Kubernetes securityContext documentation. Risk score is 47 with a severity of medium. The detection maps to MITRE ATT&CK techniques T1611 (Escape to Host) under Privilege Escalation (TA0004) and T1610 (Deploy Container) under Execution (TA0002).
Categories
  • Cloud
  • Kubernetes
  • GCP
  • Containers
Data Sources
  • Pod
  • Container
ATT&CK Techniques
  • T1611
  • T1610
Created: 2026-06-30