This note documents detection patterns related to Kubernetes Abuse, Malicious Pods, Service Exposure, Secret Theft, and Cluster Reconnaissance.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Pod spec | image: alpine, busybox, ubuntu | Generic attacker image | High | Common attacker staging image. |
| Pod spec | command: + /bin/sh | Interactive execution logic | Critical | Often indicates custom attacker pod. |
| Pod spec | curl https://10.x.x.x:8443 | API abuse | Critical | Strong cluster enumeration indicator. |
| Pod spec | /run/secrets/kubernetes.io/serviceaccount/token | Token theft | Critical | Credential access against cluster. |
| Pod spec | nc, wget, sleep 100000 | Beacon / persistence logic | Critical | Very common malicious pod tradecraft. |
| Pod metadata | Fake infra naming (metrics-server, coredns) | Camouflage | Critical | Trusted-name impersonation is common. |
| Service spec | type: NodePort | External exposure | Critical | High-value ingress path. |
| Service spec | nodePort: unusual values | Suspicious service exposure | High | Especially if nonstandard high ports. |
| Service spec | clusterIP: | Internal service target | High | Needed for API abuse reconstruction. |
| Deployment spec | secretRef, configMapRef | Secret/config linkage | Critical | Shows credential injection path. |
| Secrets | Base64 encoded credentials | Embedded secrets | Critical | Often plaintext after decode. |
| ConfigMaps | Flags / SSH configs / payload config | Operational attacker data | High | Often challenge answer source. |
| ServiceAccount | unexpected token usage | Privilege abuse | Critical | Indicates API-authenticated activity. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Generic image inside infra namespace | alpine inside kube-system | Critical | Strong anomaly. |
| Pod differs from deployment intent | Runtime mismatch | Critical | Suggests attacker injection. |
| Service exposes SSH internally | NodePort + ssh | High | Often persistence foothold. |
| Secret mounted into suspicious pod | Credential theft path | Critical | High-confidence hostile action. |
| Long sleep command | sleep 100000 | High | Keeps pod alive after execution. |
| Curl against API server | Cluster discovery | Critical | Common recon phase. |
| Netcat inside pod | Exfiltration / callback | Critical | Strong malicious indicator. |
| Trusted object name + wrong image | Name camouflage | Critical | Very realistic attacker pattern. |
| Secret decoded to password | Credential staging | Critical | Lateral movement potential. |
| Namespace mismatch | Suspicious object location | High | Attackers often abuse kube-system. |
Common Tools
| Tool | Usage |
|---|---|
| kubectl get pods -A | Enumerate pods across namespaces. |
| kubectl describe pod <pod> | Full pod inspection. |
| kubectl get svc -A | Enumerate services. |
| kubectl get secrets -A -o yaml | Secret review. |
| kubectl get configmaps -A -o yaml | Config review. |
| kubectl get deployments -A -o yaml | Intended workload review. |
| yq | Offline YAML triage. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| Pods | pods.yaml | Critical | Runtime truth. |
| Deployments | deployment.yaml | Critical | Intended state. |
| Services | service.yaml | Critical | Exposure mapping. |
| Secrets | secrets.yaml | Critical | Credential source. |
| ConfigMaps | configmaps.yaml | High | Operational configs / flags. |
| ServiceAccounts | serviceaccount.yaml | Critical | Identity mapping. |
| DaemonSets | daemonset.yaml | High | Persistence path. |
| Jobs | job.yaml | High | One-shot attacker execution. |
MITRE ATT&CK References
- T1610 Deploy Container
- T1552 Unsecured Credentials
- T1526 Cloud Service Discovery
- T1078 Valid Accounts
- T1046 Network Service Discovery
Decision Tree
- What is externally exposed?
  - Read service.yaml
  - Identify NodePort, ClusterIP
- What object owns the service?
  - Follow selectors → labels → pod/deployment
- Are secrets linked?
  - Check secretRef, env, mounted volumes
- Does runtime match expected infra?
  - Compare deployment vs pod
- Any suspicious image?
  - Generic images in infra namespace = anomaly
- Any API abuse?
  - Search curl, token reads, API endpoints
- Confirm maliciousness
  - Fake name + generic image + token + curl + sleep = strong attacker pod
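The decision tree above can be run mechanically over the exported objects. The script below is an added example, not code from the original note: it takes the `.items` lists that `kubectl get pods|deployments|services -A -o json` produces, tags each pod with the indicators from the tables (generic image in an infra namespace, shell/curl/nc/long sleep in the command, service-account token path, linked secrets), compares the pod's images with the Deployment whose selector picks it, and maps every NodePort service to the pods it fronts. The SAMPLE data, the namespace and image lists, and the regexes are constructed for the demo and are assumptions, not values from the note.

```python
"""Static triage of exported pods, deployments and services, following the decision
tree above. Added example, not code from the original note; SAMPLE is constructed."""
import re

INFRA_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease"}
GENERIC_IMAGES = {"alpine", "busybox", "ubuntu"}
SA_TOKEN_PATH = "/run/secrets/kubernetes.io/serviceaccount/token"
# finding tag -> regex applied to a container's flattened command + args
SUSPICIOUS_PATTERNS = {
    "shell": r"/bin/(ba)?sh\b",
    "api_call": r"curl\s+https?://",
    "netcat": r"\b(nc|ncat)\b",
    "long_sleep": r"\bsleep\s+\d{4,}",
    "sa_token": re.escape(SA_TOKEN_PATH),
}

def base_image(image):
    """'registry.k8s.io/library/alpine:3.19' -> 'alpine' (registry, tag and digest stripped)."""
    return image.rsplit("/", 1)[-1].split(":", 1)[0].split("@", 1)[0]

def labels_match(selector, labels):
    return all(labels.get(k) == v for k, v in selector.items())

def linked_secrets(spec):
    """Secrets a pod reaches through secret volumes, envFrom or env valueFrom."""
    names = {v["secret"]["secretName"] for v in spec.get("volumes", []) if "secret" in v}
    for c in spec.get("containers", []):
        names |= {ef["secretRef"]["name"] for ef in c.get("envFrom", []) if "secretRef" in ef}
        names |= {e["valueFrom"]["secretKeyRef"]["name"] for e in c.get("env", [])
                  if "secretKeyRef" in e.get("valueFrom", {})}
    return names

def triage_pod(pod, deployments):
    """Finding tags for one pod; an empty list means nothing stood out."""
    meta, spec, findings = pod["metadata"], pod["spec"], []
    for c in spec.get("containers", []):
        if base_image(c["image"]) in GENERIC_IMAGES and meta["namespace"] in INFRA_NAMESPACES:
            findings.append("generic_image_in_infra_ns")
        cmd = " ".join(c.get("command", []) + c.get("args", []))
        findings += [tag for tag, rx in SUSPICIOUS_PATTERNS.items() if re.search(rx, cmd)]
    findings += [f"secret_linked:{s}" for s in sorted(linked_secrets(spec))]
    # runtime vs intent: images must equal those of the Deployment whose selector picks the pod
    for d in deployments:
        if d["metadata"]["namespace"] == meta["namespace"] and labels_match(
                d["spec"]["selector"]["matchLabels"], meta.get("labels", {})):
            intended = {c["image"] for c in d["spec"]["template"]["spec"]["containers"]}
            if {c["image"] for c in spec["containers"]} != intended:
                findings.append(f"image_mismatch:{d['metadata']['name']}")
    return findings

def exposed_services(services, pods):
    """(service name, nodePorts, names of the pods its selector picks) per NodePort service."""
    out = []
    for s in services:
        if s["spec"].get("type") != "NodePort":
            continue
        owners = [p["metadata"]["name"] for p in pods
                  if p["metadata"]["namespace"] == s["metadata"]["namespace"]
                  and labels_match(s["spec"].get("selector", {}), p["metadata"].get("labels", {}))]
        ports = [p["nodePort"] for p in s["spec"].get("ports", []) if "nodePort" in p]
        out.append((s["metadata"]["name"], ports, owners))
    return out

def run(data):
    """data holds the .items lists from `kubectl get pods|deployments|services -A -o json`."""
    report = {f"{p['metadata']['namespace']}/{p['metadata']['name']}": tags
              for p in data["pods"] if (tags := triage_pod(p, data["deployments"]))}
    return report, exposed_services(data["services"], data["pods"])

# Constructed sample: a fake "metrics-server" pod built from alpine that reads its
# service-account token, calls the API server, sleeps and is exposed over NodePort.
SAMPLE = {
    "pods": [
        {"metadata": {"name": "metrics-server-7c9d", "namespace": "kube-system",
                      "labels": {"k8s-app": "metrics-server"}},
         "spec": {"containers": [{"name": "m", "image": "alpine:3.19", "command": ["/bin/sh", "-c"],
                                  "args": ["T=$(cat " + SA_TOKEN_PATH + "); curl https://10.96.0.1:443/api"
                                           " -H \"Authorization: Bearer $T\"; sleep 100000"]}],
                  "volumes": [{"name": "creds", "secret": {"secretName": "db-creds"}}]}},
        {"metadata": {"name": "web-5f6", "namespace": "default", "labels": {"app": "web"}},
         "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]}},
    ],
    "deployments": [
        {"metadata": {"name": "metrics-server", "namespace": "kube-system"},
         "spec": {"selector": {"matchLabels": {"k8s-app": "metrics-server"}},
                  "template": {"spec": {"containers": [
                      {"name": "m", "image": "registry.k8s.io/metrics-server/metrics-server:v0.7.0"}]}}}},
    ],
    "services": [
        {"metadata": {"name": "metrics-server", "namespace": "kube-system"},
         "spec": {"type": "NodePort", "selector": {"k8s-app": "metrics-server"},
                  "ports": [{"port": 22, "nodePort": 32222}]}},
    ],
}

if __name__ == "__main__":
    report, exposed = run(SAMPLE)
    print(report, exposed, sep="\n")
```

On the sample, the fake metrics-server pod collects every tag in the "Confirm maliciousness" step (generic image in kube-system, shell, curl to the API, token path, long sleep, a linked secret, and an image that differs from its Deployment), while the nginx pod in default produces no findings. The deployment comparison is the "runtime vs intent" check: a clean Deployment with a dirty Pod is only visible when both objects are read together.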
Example Detection Templates
Grep
```shell
# Pod-level execution indicators across every exported manifest
grep -R "image:\|command:\|curl\|nc \|sleep \|serviceaccount/token" *.yaml
# Exposure and credential-linkage indicators
grep -R "NodePort\|clusterIP\|secretRef\|configMapRef" *.yaml
```
yq
```shell
# Single-Pod manifest
yq '.spec.containers[].image' pods.yaml
# List output from `kubectl get pods -A -o yaml` (objects live under .items)
yq '.items[].spec.containers[].command' pods.yaml
```
Base64 Decode Secret
```shell
echo BASE64_VALUE | base64 -d
```
Sigma
```yaml
title: Kubernetes Suspicious Pod Execution
id: kubernetes-suspicious-pod-execution
status: experimental
description: Detects suspicious pod definitions containing shell execution, generic images, or token theft patterns
logsource:
  product: kubernetes
detection:
  selection_keywords:
    message|contains:
      - 'image: alpine'
      - '/run/secrets/kubernetes.io/serviceaccount/token'
      - 'curl https://'
      - 'sleep 100000'
  condition: selection_keywords
fields:
  - pod
  - namespace
falsepositives:
  - Legitimate troubleshooting containers
level: high
tags:
  - attack.t1610
  - attack.t1552
```
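The Sigma rule above keys on pod manifest text. The same tradecraft (a service-account token used from a pod, curl against the API server, cluster discovery, secret reads) also shows up in the API server audit log, which the hardening table names as the best attribution source. The script below is an added example, not code from the original note: it reads audit events in the audit.k8s.io/v1 JSON-lines shape (user, verb, objectRef, userAgent, sourceIPs, responseStatus), keeps one record per request, and flags service-account principals that use a generic HTTP tool, touch secrets, list discovery resources, or get 403s. The sample log lines, the tool user-agent list and the resource sets are constructed assumptions for the demo.

```python
"""Triage of API server audit log lines for service-account token abuse. Added
example, not from the original note; the JSON lines below are constructed but
follow the audit.k8s.io/v1 Event shape (user, verb, objectRef, userAgent, sourceIPs)."""
import json
from collections import defaultdict

SA_PREFIX = "system:serviceaccount:"
TOOL_AGENTS = ("curl/", "wget/", "python-requests/", "Go-http-client/")
SECRET_RESOURCES = {"secrets", "serviceaccounts/token"}
DISCOVERY_RESOURCES = {"pods", "services", "namespaces", "serviceaccounts", "nodes", "configmaps"}

def parse_events(text):
    """One event per line; keep only ResponseComplete so each request counts once
    (the server also logs a RequestReceived record for the same request)."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return [e for e in events if e.get("stage") == "ResponseComplete"]

def score_event(ev):
    """Reasons an event from a service-account principal deserves a look."""
    user = ev.get("user", {}).get("username", "")
    if not user.startswith(SA_PREFIX):
        return []  # human and node principals have their own baselines; out of scope here
    reasons = []
    if ev.get("userAgent", "").startswith(TOOL_AGENTS):
        reasons.append("tool_user_agent")  # in-cluster controllers do not call the API via curl
    ref, verb = ev.get("objectRef", {}), ev.get("verb", "")
    res = ref.get("resource", "")
    if ref.get("subresource"):
        res = f"{res}/{ref['subresource']}"
    if res in SECRET_RESOURCES and verb in {"get", "list", "watch", "create"}:
        reasons.append("secret_access")
    elif verb == "list" and res in DISCOVERY_RESOURCES:
        reasons.append("discovery")
    if ev.get("responseStatus", {}).get("code") == 403:
        reasons.append("denied")  # probing beyond what the token's RBAC allows
    return reasons

def summarize(events):
    """Per service account: event count, reasons, resources touched and source IPs."""
    acc = defaultdict(lambda: {"events": 0, "reasons": set(), "resources": set(), "source_ips": set()})
    for ev in events:
        reasons = score_event(ev)
        if not reasons:
            continue
        row = acc[ev["user"]["username"]]
        row["events"] += 1
        row["reasons"] |= set(reasons)
        row["resources"].add(ev.get("objectRef", {}).get("resource", ""))
        row["source_ips"] |= set(ev.get("sourceIPs", []))
    return dict(acc)

def _ev(user, agent, verb, resource, code, ns=None, stage="ResponseComplete", ip="10.244.1.17"):
    """Build one constructed audit event (sample data only)."""
    e = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage, "verb": verb,
         "user": {"username": user}, "userAgent": agent, "sourceIPs": [ip],
         "objectRef": {"resource": resource, **({"namespace": ns} if ns else {})}}
    if stage == "ResponseComplete":
        e["responseStatus"] = {"code": code}
    return e

SA = "system:serviceaccount:kube-system:metrics-server"
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _ev("system:node:worker-1", "kubelet/v1.29.0", "list", "pods", 200, "kube-system", ip="10.0.0.11"),
    _ev(SA, "curl/8.5.0", "list", "secrets", 200, stage="RequestReceived"),
    _ev(SA, "curl/8.5.0", "list", "secrets", 200),
    _ev(SA, "curl/8.5.0", "list", "pods", 200, "kube-system"),
    _ev(SA, "curl/8.5.0", "create", "pods", 403, "kube-system"),
    _ev("system:serviceaccount:kube-system:coredns", "coredns/v1.11.1", "list", "endpointslices", 200),
])

if __name__ == "__main__":
    for user, row in summarize(parse_events(SAMPLE_LOG)).items():
        print(user, row)
```

On the sample, only the metrics-server service account is reported: three completed requests from one pod IP, with a curl user agent, a cluster-wide secrets list, a pod list and a denied create. The kubelet and coredns records score nothing, which is the point of keying on principal type and user agent rather than on verbs alone; in a real cluster the same controllers should additionally be baselined by the resources they legitimately watch, because coredns does list services and namespaces.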
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| RBAC | Restrict service account privileges | Critical | Limits token abuse. |
| Admission policy | Block generic images | High | Stops simple attacker pods. |
| Namespace control | Lock down kube-system | Critical | Prevents infra impersonation. |
| Secret policy | Minimize mounted secrets | Critical | Reduces credential exposure. |
| Audit logging | Enable Kubernetes audit logs | Critical | Best attribution source. |
Fast Triage Checks
| Question | Command / Artifact | Why It Matters |
|---|---|---|
| Any suspicious image? | search image: | Fast anomaly detection. |
| Any fake infra name? | inspect pod names | Camouflage clue. |
| Any API calls? | search curl | Discovery / theft evidence. |
| Any token access? | search serviceaccount path | Credential abuse. |
| Any external exposure? | inspect NodePort | Ingress path. |
| Any secrets decoded? | inspect secrets.yaml | Credential extraction. |
High Value Grep Strings
| Pattern | Why It Matters |
|---|---|
| image: | Runtime anomaly source. |
| NodePort | External access. |
| clusterIP | Internal target mapping. |
| serviceaccount/token | Credential theft. |
| curl https:// | API recon. |
| nc | Exfiltration / callback. |
| sleep | Persistence keepalive. |
Analyst Notes
| Scenario | Interpretation |
|---|---|
| Generic image in infra namespace | Strong malicious anomaly. |
| Fake metrics-server pod | Trusted-name camouflage. |
| Token + curl to API | Credentialed cluster recon. |
| Secret decoded to plaintext password | Operational credential exposure. |
| NodePort exposing SSH | Remote foothold likely. |
| Deployment clean, pod dirty | Runtime compromise possible. |