Rule: Suspicious Pod or Container Creation with Shell Execution
Pod Containerexec
Query
let Shells = dynamic(["bash","dash","sh","tcsh","csh","zsh","ksh","fish"]);
let Launchers = dynamic(["kubectl","docker","nerdctl","ctl"]);
let Suspicious = dynamic([
"atd","cron",
"/etc/rc.local",
"/dev/tcp/",
"/etc/init.d",
"/etc/update-motd.d",
"/etc/ld.so",
"/etc/sudoers",
"base64 ",
"/etc/profile",
"/etc/ssh",
"/.ssh/",
"/root/.ssh",
"~/.ssh/",
"autostart",
"xxd ",
"/etc/shadow",
"./.",
"import pty","pty.spawn",
"import subprocess","subprocess.call",
"TCPSocket.new","TCPSocket.open",
"io.popen","os.execute","fsockopen",
"disown",
" ncat "," nc "," netcat "," nc.traditional ",
"socat","telnet",
"/tmp/","/dev/shm/","/var/tmp/",
"/boot/","/sys/","/lost+found/","/media/","/proc/",
"/var/backups/","/var/log/","/var/mail","/var/spool"
]);
DeviceProcessEvents
| where FileName in~ (Launchers)
| where ProcessCommandLine has "run"
| where ProcessCommandLine has_any (Shells)
| where ProcessCommandLine has_any (Suspicious)
| project Timestamp, DeviceName, AccountName, FileName,
ProcessCommandLine, InitiatingProcessFileName,
InitiatingProcessCommandLine, FolderPath,
ProcessId, InitiatingProcessId, ReportId
| order by Timestamp descAbout this query
Explanation
This query is designed to detect potentially malicious activities related to the creation of containers or Kubernetes pods that execute suspicious shell commands. Here's a simplified breakdown:
-
Purpose: The query aims to identify when a container or pod is created and immediately runs a shell command that could indicate malicious behavior, such as persistence, privilege escalation, or remote command execution.
-
Tools Monitored: It focuses on commands executed using common container management tools like
kubectl,docker,nerdctl, andctl. -
Shells and Commands: The query looks for the execution of various shell types (e.g.,
bash,sh,zsh) and checks if these shells are running commands that are considered suspicious. These suspicious commands include those related to:- Scheduling tasks (
cron,at) - Modifying system files (
sudoers,shadow) - Network activities (creating reverse shells)
- Encoding/decoding payloads (
base64,xxd) - Writing to unusual file locations
- Scheduling tasks (
-
Detection Logic:
- It filters for processes where the command line includes the use of a container tool followed by a
runcommand. - It then checks if any of the specified shells are executed with suspicious command patterns.
- It filters for processes where the command line includes the use of a container tool followed by a
-
Output: The query returns details such as the timestamp, device name, account name, file name, and command line of the process, among other details, to help identify and investigate the suspicious activity.
-
Tags: The query is tagged with relevant security concepts like Linux Security, Containers, Kubernetes, Execution, Persistence, and Privilege Escalation, indicating its focus areas.
Overall, this query helps security teams monitor and detect early signs of potential exploitation in containerized environments by flagging suspicious shell executions following container or pod creation.
Details

Ali Hussein
Released: December 14, 2025
Tables
Keywords
Operators