heroui logo

GKE Container Created with Excessive Linux Capabilities

Elastic Detection Rules

View Source
Summary
Detects creation of GKE Pods in Google Kubernetes Engine where containers are granted elevated Linux capabilities via securityContext.add capabilities. The rule targets GCP audit logs (data_stream.dataset:gcp.audit) for event.action io.k8s.core.v1.pods.create and matches gcp.audit.request.spec.containers.securityContext.capabilities.add with high-risk capabilities (e.g., BPF, DAC_READ_SEARCH, NET_ADMIN, SYS_ADMIN, SYS_BOOT, SYS_MODULE, SYS_PTRACE, SYS_RAWIO, SYSLOG). It excludes resources under ReplicaSet, DaemonSet, or StatefulSet ownership. This pattern indicates potential container escape to the host or privilege escalation. MITRE ATT&CK mappings: T1611 (Escape to Host) and T1610 (Deploy Container). Severity: medium; risk_score: 47. The rule assumes a GKE audit log integration (Fleet) to function and is intended for cloud/Kubernetes/container contexts.
Categories
  • Cloud
  • Kubernetes
  • Containers
Data Sources
  • Cloud Service
  • Container
ATT&CK Techniques
  • T1611
  • T1610
Created: 2026-06-30