Pod Containerexec

Query

# Rule: Suspicious Pod or Container Creation with Shell Execution

## Description
This detection rule identifies suspicious creation of **containers or Kubernetes pods** whose launch command runs a shell (`bash`, `sh`, `zsh`, etc.) with command-line patterns commonly associated with **persistence**, **privilege escalation**, or **remote command execution**.

Adversaries frequently abuse legitimate container administration tools such as `kubectl`, `docker`, or `nerdctl` to deploy short-lived pods or containers that run a malicious one-liner shell command. These commands are often used to:
- establish persistence via `cron`, `at`, or startup scripts
- modify sensitive system files such as `sudoers`, `shadow`, or SSH keys
- stage payloads using `base64` or `xxd`
- create reverse shells using `/dev/tcp`, `nc`, `socat`, or `telnet`
- write artifacts into temporary or uncommon filesystem locations

Monitoring container creation followed by suspicious shell execution provides early visibility into post-exploitation activity in containerized and Kubernetes environments.

- **Elastic Detection Rule (same logic):**
  https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml

## Detection Logic
- Monitors Linux process execution telemetry (`DeviceProcessEvents`) for container or pod creation commands.
- Requires the executing binary (`FileName`) to be one of the container administration tools `kubectl`, `docker`, `nerdctl`, or `ctl`, and the command line to contain the term `run`. `in~` is an exact, case-insensitive filename match, so `ctl` only matches a binary literally named `ctl`; containerd's own CLI, `ctr`, is not in the list.
- Flags cases where a shell name appears on that command line together with a suspicious indicator related to persistence, credential access, or network-based command execution.
- The command-line checks use `has` / `has_any`, which match whole terms rather than raw substrings: `has "cron"` does not match `crontab`, and the leading spaces or punctuation in entries such as `" nc "` or `./.` are not matched literally. Validate punctuation-only entries against real data before relying on them.
- Several indicators are bare directories (`/tmp/`, `/var/log/`, `/proc/`, `/sys/`) that also occur in legitimate bind mounts (`docker run -v /var/log:...`), so expect benign CI and operations activity to fire; tune by account, initiating process, or image name.

## Tags
- Linux Security
- Containers
- Kubernetes
- Execution
- Persistence
- Privilege Escalation
- Suspicious Command Line
- Living-off-the-Land

## Search Query
```kql
let Shells = dynamic(["bash","dash","sh","tcsh","csh","zsh","ksh","fish"]);
let Launchers = dynamic(["kubectl","docker","nerdctl","ctl"]);
let Suspicious = dynamic([
  "atd","cron",
  "/etc/rc.local",
  "/dev/tcp/",
  "/etc/init.d",
  "/etc/update-motd.d",
  "/etc/ld.so",
  "/etc/sudoers",
  "base64 ",
  "/etc/profile",
  "/etc/ssh",
  "/.ssh/",
  "/root/.ssh",
  "~/.ssh/",
  "autostart",
  "xxd ",
  "/etc/shadow",
  "./.",
  "import pty","pty.spawn",
  "import subprocess","subprocess.call",
  "TCPSocket.new","TCPSocket.open",
  "io.popen","os.execute","fsockopen",
  "disown",
  " ncat "," nc "," netcat "," nc.traditional ",
  "socat","telnet",
  "/tmp/","/dev/shm/","/var/tmp/",
  "/boot/","/sys/","/lost+found/","/media/","/proc/",
  "/var/backups/","/var/log/","/var/mail","/var/spool"
]);

DeviceProcessEvents
| where FileName in~ (Launchers)
| where ProcessCommandLine has "run"
| where ProcessCommandLine has_any (Shells)
| where ProcessCommandLine has_any (Suspicious)
| project Timestamp, DeviceName, AccountName, FileName,
          ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessCommandLine, FolderPath,
          ProcessId, InitiatingProcessId, ReportId
| order by Timestamp desc
```

Explanation

This query detects the creation of containers or Kubernetes pods whose command line launches a shell with suspicious arguments. A simplified breakdown:

  1. Purpose: identify when a container or pod is created and immediately runs a shell command that could indicate malicious behaviour, such as persistence, privilege escalation, or remote command execution.

  2. Tools monitored: processes whose file name is one of the container management tools kubectl, docker, nerdctl, or ctl.

  3. Shells and commands: the command line must mention one of the listed shells (e.g. bash, sh, zsh) and at least one suspicious indicator. The indicators cover:

    • scheduling persistence (atd, cron)
    • modification of sensitive system files (sudoers, shadow, SSH keys, init and profile scripts)
    • network activity typical of reverse shells (/dev/tcp, nc, socat, telnet, and the Python, Ruby, Lua and PHP socket or process calls in the list)
    • encoding or decoding of payloads (base64, xxd)
    • writing to unusual or temporary filesystem locations (/tmp, /dev/shm, /var/tmp, /proc, /sys, and others)
  4. Detection logic:

    • the first two filters keep only processes whose FileName is a container tool and whose command line contains the term run; the position of run is not checked, so any run token on the line qualifies, not only docker run or kubectl run.
    • the next two filters require a shell name and a suspicious indicator anywhere on that same command line; the shell does not have to be the process the container actually starts.
  5. Output: timestamp, device name, account name, file name, command line, the initiating (parent) process and its command line, folder path, and the process and report identifiers needed to pivot into an investigation.

  6. Tags: Linux Security, Containers, Kubernetes, Execution, Persistence, and Privilege Escalation, indicating the rule's focus areas.

Overall, this query gives security teams early visibility into post-exploitation activity in containerized environments by flagging suspicious shell executions at container or pod creation time.

Details

Ali Hussein

Released: December 14, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

let, dynamic, in~, has, has_any, project, order by