Query Details

Rule: Suspicious Pod or Container Creation with Shell Execution

Pod Containerexec

Query

let Shells = dynamic(["bash","dash","sh","tcsh","csh","zsh","ksh","fish"]);
let Launchers = dynamic(["kubectl","docker","nerdctl","ctl"]);
let Suspicious = dynamic([
  "atd","cron",
  "/etc/rc.local",
  "/dev/tcp/",
  "/etc/init.d",
  "/etc/update-motd.d",
  "/etc/ld.so",
  "/etc/sudoers",
  "base64 ",
  "/etc/profile",
  "/etc/ssh",
  "/.ssh/",
  "/root/.ssh",
  "~/.ssh/",
  "autostart",
  "xxd ",
  "/etc/shadow",
  "./.",
  "import pty","pty.spawn",
  "import subprocess","subprocess.call",
  "TCPSocket.new","TCPSocket.open",
  "io.popen","os.execute","fsockopen",
  "disown",
  " ncat "," nc "," netcat "," nc.traditional ",
  "socat","telnet",
  "/tmp/","/dev/shm/","/var/tmp/",
  "/boot/","/sys/","/lost+found/","/media/","/proc/",
  "/var/backups/","/var/log/","/var/mail","/var/spool"
]);

DeviceProcessEvents
| where FileName in~ (Launchers)
| where ProcessCommandLine has "run"
| where ProcessCommandLine has_any (Shells)
| where ProcessCommandLine has_any (Suspicious)
| project Timestamp, DeviceName, AccountName, FileName,
          ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessCommandLine, FolderPath,
          ProcessId, InitiatingProcessId, ReportId
| order by Timestamp desc

About this query

Explanation

This query is designed to detect potentially malicious activities related to the creation of containers or Kubernetes pods that execute suspicious shell commands. Here's a simplified breakdown:

  1. Purpose: The query aims to identify when a container or pod is created and immediately runs a shell command that could indicate malicious behavior, such as persistence, privilege escalation, or remote command execution.

  2. Tools Monitored: It focuses on commands executed using common container management tools like kubectl, docker, nerdctl, and ctl.

  3. Shells and Commands: The query looks for the execution of various shell types (e.g., bash, sh, zsh) and checks if these shells are running commands that are considered suspicious. These suspicious commands include those related to:

    • Scheduling tasks (cron, at)
    • Modifying system files (sudoers, shadow)
    • Network activities (creating reverse shells)
    • Encoding/decoding payloads (base64, xxd)
    • Writing to unusual file locations
  4. Detection Logic:

    • It filters for processes where the command line includes the use of a container tool followed by a run command.
    • It then checks if any of the specified shells are executed with suspicious command patterns.
  5. Output: The query returns details such as the timestamp, device name, account name, file name, and command line of the process, among other details, to help identify and investigate the suspicious activity.

  6. Tags: The query is tagged with relevant security concepts like Linux Security, Containers, Kubernetes, Execution, Persistence, and Privilege Escalation, indicating its focus areas.

Overall, this query helps security teams monitor and detect early signs of potential exploitation in containerized environments by flagging suspicious shell executions following container or pod creation.

Details

Ali Hussein profile picture

Ali Hussein

Released: December 14, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

letdynamicin~hashas_anyprojectorder by

Actions

GitHub