SPL · Apache-2.0 · from splunk/security_content

Cisco Isovalent - Shell Execution

The following analytic detects the execution of a shell inside a container namespace within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for the launch of a shell (sh, bash or another common interactive shell) inside a container namespace. This behavior is significant for a SOC because it could allow an attacker to gain shell access to the container, potentially leading to further compromise of the Kubernetes cluster. If confirmed malicious, this activity could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks, severely compromising the cluster's security and integrity.

Quality: 67
FP risk:
Forks: 0
Views: 0
Rule source: detections/endpoint/cisco_isovalent___shell_execution.yml
`cisco_isovalent_process_exec` process_name IN ("sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh", "tcsh", "ion", "eshell")
| stats count by cluster_name parent_process_name process_name process_exec process_id node_name | `cisco_isovalent___shell_execution_filter`
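As an added example (not code from splunk/security_content), the same detection logic in Python run over constructed process_exec events. The `cisco_isovalent_process_exec` data-source macro is modelled as the input event list and the `_filter` tuning macro as an allowlist of parent process names; both are assumptions made for this illustration.

```python
from collections import Counter

# Shell names taken from the rule's process_name IN (...) clause.
SHELLS = {"sh", "ksh", "zsh", "bash", "dash", "rbash", "fish",
          "csh", "tcsh", "ion", "eshell"}

# Group-by key of the rule's `stats count by ...` clause, in order.
GROUP_FIELDS = ("cluster_name", "parent_process_name", "process_name",
                "process_exec", "process_id", "node_name")


def detect_shell_exec(events, allowlist=()):
    """Return {group_key: count} for shell executions seen in the events.

    `allowlist` stands in for the rule's filter macro (assumed here to be a
    set of parent_process_name values the SOC has chosen to tune out).
    """
    counts = Counter()
    for ev in events:
        if ev.get("process_name") not in SHELLS:
            continue  # not a shell launch, ignore
        if ev.get("parent_process_name") in allowlist:
            continue  # tuned out, as the _filter macro would do
        counts[tuple(ev.get(f) for f in GROUP_FIELDS)] += 1
    return dict(counts)


def _ev(cluster, parent, name, path, pid, node):
    return {"cluster_name": cluster, "parent_process_name": parent,
            "process_name": name, "process_exec": path,
            "process_id": pid, "node_name": node}


# Constructed sample events, not real Isovalent telemetry.
SAMPLE_EVENTS = [
    _ev("prod", "kubelet", "bash", "/bin/bash", "4211", "worker-1"),
    _ev("prod", "kubelet", "bash", "/bin/bash", "4211", "worker-1"),
    _ev("prod", "nginx", "sh", "/bin/sh", "4300", "worker-2"),
    _ev("prod", "nginx", "curl", "/usr/bin/curl", "4301", "worker-2"),
    _ev("dev", "python3", "zsh", "/usr/bin/zsh", "77", "worker-3"),
]

if __name__ == "__main__":
    for key, n in detect_shell_exec(SAMPLE_EVENTS).items():
        print(n, dict(zip(GROUP_FIELDS, key)))
```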