
Kubernetes pod command executed

ID: k8s_pod_exec
Data type: Kubernetes
Severity: Low
MITRE ATT&CK: TA0002:T1059

Description

AlphaSOC detected interactive command execution within a Kubernetes pod. This activity involves accessing a running container directly through kubectl exec or similar tools. Threat actors can exploit this capability to run unauthorized commands and bypass security controls.

Impact

Adversaries with direct pod access can execute arbitrary commands, modify container contents, access sensitive data, and pivot to other containers or nodes in the cluster. This access bypasses standard deployment processes and audit mechanisms.

Severity

Severity | Condition
---------|--------------------------------
Low      | Kubernetes pod command executed

Investigation and Remediation

Review the Kubernetes audit logs to identify the user, the source IP address, and the commands that were executed. Determine whether the access aligns with approved operational procedures and originates from authorized administrators. Investigate any unexpected commands or access patterns. Implement pod security policies to restrict interactive access and require that privileged access requests be made through formal channels.
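The audit-log review described above, written out as an added example that is not part of the AlphaSOC rule page: it pulls pods/exec requests out of constructed audit.k8s.io/v1 events, decodes the executed command from the request URI, and flags execs whose user or source address falls outside an assumed allow-list (APPROVED_USERS and APPROVED_SOURCES are constructed policy values, not anything the page defines).

```python
import json
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample Kubernetes audit events (audit.k8s.io/v1), one JSON object per line.
# Field names follow the audit Event schema; users, pods and addresses are made up.
SAMPLE_AUDIT_LOG = r'''
{"auditID":"a1","stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com"},"sourceIPs":["10.0.5.12"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"pods","namespace":"prod","name":"web-0","subresource":"exec"},"requestURI":"/api/v1/namespaces/prod/pods/web-0/exec?command=sh&command=-c&command=cat+%2Fetc%2Fpasswd&container=app&stdin=true&tty=true","responseStatus":{"code":101}}
{"auditID":"a2","stage":"ResponseComplete","verb":"get","user":{"username":"alice@example.com"},"sourceIPs":["10.0.5.12"],"objectRef":{"resource":"pods","namespace":"prod","name":"web-0"},"requestURI":"/api/v1/namespaces/prod/pods/web-0","responseStatus":{"code":200}}
{"auditID":"a3","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ci:deployer"},"sourceIPs":["203.0.113.7"],"userAgent":"Go-http-client/2.0","objectRef":{"resource":"pods","namespace":"prod","name":"db-1","subresource":"exec"},"requestURI":"/api/v1/namespaces/prod/pods/db-1/exec?command=%2Fbin%2Fbash&container=postgres&stdin=true&tty=true","responseStatus":{"code":101}}
'''

# Assumed policy for this example (constructed): who may exec, and from which networks.
APPROVED_USERS = {"alice@example.com"}
APPROVED_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]

def parse_exec_events(log_text):
    """Return one record per pods/exec request, with the command decoded from requestURI."""
    records = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "pods" or ref.get("subresource") != "exec":
            continue  # ordinary pod reads and writes are not interactive access
        # The exec'd argv travels as repeated, URL-encoded ?command= query parameters.
        query = parse_qs(urlsplit(ev["requestURI"]).query)
        records.append({
            "audit_id": ev["auditID"],
            "user": ev["user"]["username"],
            "source_ip": (ev.get("sourceIPs") or [None])[0],
            "namespace": ref.get("namespace"),
            "pod": ref.get("name"),
            "container": query.get("container", [None])[0],
            "command": " ".join(query.get("command", [])),
            "tty": query.get("tty", ["false"])[0] == "true",
        })
    return records

def triage(records, approved_users=APPROVED_USERS, approved_sources=APPROVED_SOURCES):
    """Attach the reasons each exec needs analyst review; an empty list means routine."""
    for rec in records:
        reasons = []
        if rec["user"] not in approved_users:
            reasons.append("user not on exec allow-list")
        ip = rec["source_ip"]
        if ip is None or not any(ipaddress.ip_address(ip) in net for net in approved_sources):
            reasons.append("source IP outside approved admin networks")
        rec["reasons"] = reasons
    return records
```

Running triage(parse_exec_events(SAMPLE_AUDIT_LOG)) keeps only the two exec events and flags the service-account exec from the external address on both counts; feed it real audit output (one JSON event per line) to get the same user, source IP and command fields the investigation steps call for.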