
Kubernetes Container Created with Excessive Linux Capabilities

Elastic Detection Rules

Summary
This detection rule identifies the creation of Kubernetes containers that request excessively permissive Linux capabilities. Such capabilities can be abused for privilege escalation, lateral movement within the cluster and container escape to the underlying host, so an attacker who is able to add capabilities to a container gains a path to those attacks. The rule matches on specific Linux capabilities commonly associated with them, including BPF, NET_ADMIN and SYS_PTRACE, among others, and it allows exceptions for trusted container images that legitimately require these capabilities. This matters for organizations that run legitimate workloads, such as networking or observability agents, that depend on them. The rule operates on Kubernetes audit logs, matching authorized pod requests whose container securityContext adds one of the listed capabilities. Because those fields live in the request body, the cluster's audit policy must record the pods resource at the Request or RequestResponse level; at Metadata level the securityContext is not logged and the rule is blind.
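The logic the summary describes, written out as an added example that runs over constructed kube-apiserver audit events (this is not Elastic's rule or its query language). The capability watchlist beyond BPF, NET_ADMIN and SYS_PTRACE, the trusted-image allowlist, the sample events and the `admitted_only` check on `responseStatus` are all assumptions made for this example.

```python
"""Toy detector for pods admitted with excessive Linux capabilities.

Added example, not the Elastic rule. Audit events are constructed inline.
"""
import json
from typing import Iterable, Iterator

# Capabilities treated as excessive. The page names BPF, NET_ADMIN and
# SYS_PTRACE; the remaining entries are an assumption for this example.
EXCESSIVE_CAPS = frozenset({
    "BPF", "DAC_READ_SEARCH", "NET_ADMIN", "SYS_ADMIN", "SYS_BOOT",
    "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "SYSLOG",
})

# Exception list for images that legitimately need such capabilities.
# Hypothetical image reference; pin to a full tag or digest in practice.
TRUSTED_IMAGES = frozenset({
    "registry.example.internal/observability/node-agent:1.2.3",
})

WATCHED_VERBS = frozenset({"create", "update", "patch"})


def normalize_cap(name: str) -> str:
    """Map 'cap_sys_admin' / 'CAP_SYS_ADMIN' / 'SYS_ADMIN' to 'SYS_ADMIN'.

    Kubernetes passes capability names through to the runtime, and runc
    accepts both spellings, so an attacker could use either form.
    """
    name = name.strip().upper()
    return name[4:] if name.startswith("CAP_") else name


def iter_containers(pod_spec: dict) -> Iterator[dict]:
    """Yield every container-like object in a pod spec, not only .containers."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from pod_spec.get(key) or []


def evaluate_event(event: dict, admitted_only: bool = True) -> list[dict]:
    """Return one finding per container that adds an excessive capability.

    admitted_only additionally requires a 2xx responseStatus, i.e. the API
    server actually accepted the object. An authorized request that failed
    admission still carries decision=allow and a populated requestObject.
    """
    obj = event.get("objectRef") or {}
    if event.get("verb") not in WATCHED_VERBS or obj.get("resource") != "pods":
        return []
    if (event.get("annotations") or {}).get("authorization.k8s.io/decision") != "allow":
        return []
    if admitted_only:
        code = (event.get("responseStatus") or {}).get("code")
        if not isinstance(code, int) or not 200 <= code < 300:
            return []
    # requestObject exists only when the audit policy records the request body
    # (level Request or RequestResponse). At Metadata level this is empty.
    spec = (event.get("requestObject") or {}).get("spec") or {}
    findings = []
    for c in iter_containers(spec):
        added = ((c.get("securityContext") or {}).get("capabilities") or {}).get("add") or []
        hit = {normalize_cap(x) for x in added} & EXCESSIVE_CAPS
        if not hit or c.get("image") in TRUSTED_IMAGES:
            continue
        findings.append({
            "namespace": obj.get("namespace"),
            "pod": obj.get("name"),
            "container": c.get("name"),
            "image": c.get("image"),
            "capabilities": sorted(hit),
            "user": (event.get("user") or {}).get("username"),
        })
    return findings


def scan(lines: Iterable[str], admitted_only: bool = True) -> list[dict]:
    """Run the detection over JSON-lines audit events (one event per line)."""
    out: list[dict] = []
    for line in lines:
        if line.strip():
            out.extend(evaluate_event(json.loads(line), admitted_only))
    return out


def _audit_event(pod: str, containers: list[dict], *, key: str = "containers",
                 code: int = 201, with_body: bool = True) -> str:
    """Build one constructed kube-apiserver audit event as a JSON line."""
    ev = {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1",
        "level": "RequestResponse" if with_body else "Metadata",
        "verb": "create",
        "user": {"username": "system:serviceaccount:ci:deployer"},
        "objectRef": {"resource": "pods", "namespace": "default", "name": pod},
        "annotations": {"authorization.k8s.io/decision": "allow"},
        "responseStatus": {"code": code},
    }
    if with_body:
        ev["requestObject"] = {"kind": "Pod", "spec": {key: containers}}
    return json.dumps(ev)


# Constructed sample log: each entry is annotated with the expected outcome.
SAMPLE_AUDIT_LOG = [
    # web container asking for NET_ADMIN and SYS_PTRACE -> alert
    _audit_event("web-7d9", [{"name": "web", "image": "nginx:1.25",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN", "SYS_PTRACE"]}}}]),
    # trusted node agent with a similar request -> suppressed by the exception list
    _audit_event("node-agent-x1", [{"name": "agent",
        "image": "registry.example.internal/observability/node-agent:1.2.3",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN", "BPF"]}}}]),
    # benign capability only -> no alert
    _audit_event("api-3f2", [{"name": "api", "image": "example/api:2.0",
        "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}}]),
    # init container spelling the capability with the CAP_ prefix -> alert
    _audit_event("db-init-9c", [{"name": "init", "image": "busybox:1.36",
        "securityContext": {"capabilities": {"add": ["cap_sys_admin"]}}}], key="initContainers"),
    # audit policy recorded Metadata only -> blind spot, no alert possible
    _audit_event("web-blind", [{"name": "web", "image": "nginx:1.25",
        "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}], with_body=False),
    # authorized but rejected by admission (422) -> not admitted, no alert by default
    _audit_event("web-denied", [{"name": "web", "image": "nginx:1.25",
        "securityContext": {"capabilities": {"add": ["SYS_MODULE"]}}}], code=422),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT_LOG):
        print(json.dumps(finding))
```

Two of the six constructed events produce findings. The `admitted_only` default hides the rejected request; set it to `False` if you want attempted (but blocked) capability grants surfaced as well, which is useful for spotting an attacker probing a Pod Security Admission or policy boundary. The Metadata-level event shows why the audit policy matters: nothing in the detection logic can compensate for a request body that was never logged.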
Categories
  • Kubernetes
  • Containers
Data Sources
  • Kernel
  • Container
ATT&CK Techniques
  • T1611
  • T1610
Created: 2022-09-20