The initial deployment or instantiation of a new pod in a containerized environment. This includes creating a pod manually, through orchestration tools (Kubernetes), or via Infrastructure-as-Code (IaC) configurations. A Pod is the smallest deployable unit in Kubernetes, typically containing one or more containers. Creation methods include:

- Direct pod deployment (`kubectl run`, `kubectl apply`)
- Automated deployment via CI/CD pipelines (e.g., ArgoCD, Jenkins, GitOps)
- Infrastructure-as-Code (IaC) templates (e.g., Terraform, Helm Charts)
- API-based deployments via the Kubernetes control plane (`create_pod` API calls)
- Pods can be ephemeral (short-lived) or persistent (part of a StatefulSet or Deployment).
Data Collection Measures:

- API server audit log verb: `create`
- Kubelet log messages: `events.PodSandboxChanged`, `SyncLoop`, `Created pod`
- Container runtime events: `container start`, `container create`
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1610 | Deploy Container | Monitor for newly constructed pods that may deploy a container into an environment to facilitate execution or evade defenses.
Extracting a list of running or existing pods within a containerized cluster environment. Pods are the smallest deployable units in a Kubernetes cluster and typically represent an application or workload. Enumeration of pods provides insight into the structure and state of applications running in the cluster, such as the names of pods, their namespaces, and their associated metadata.
Data Collection Measures:

- API requests to `/api/v1/pods`
- Execution of `kubectl get pods`
- Process monitoring on hosts where `kubectl` is installed, using tools like auditd, Sysmon for Linux, or kernel modules

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1613 | Container and Resource Discovery | Monitor logs for actions that could be taken to gather information about pods, including the use of discovery API calls by new or unexpected users. Monitor account activity logs to see actions performed and activity associated with the Kubernetes dashboard and other web applications.
Changes made to a pod’s configuration or control data within a containerized cluster. This can include updating settings such as resource limits, environment variables, annotations, labels, or even the containers running within the pod. Pod modifications are often executed using commands like `kubectl set`, `kubectl patch`, or `kubectl edit`.
Data Collection Measures:

- Controller manager logs (`kubectl logs -n kube-system kube-controller-manager`)
- Execution of `kubectl set` or `kubectl patch`
- Processes running `kubectl` commands or interacting with Kubernetes configuration files (e.g., `.kube/config`)

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1610 | Deploy Container | Monitor for changes made to pods for unexpected modifications to settings and/or control data that may deploy a container into an environment to facilitate execution or evade defenses.
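As an added example (not part of this page or of any Kubernetes component), the following Python triages API-server audit events for the three pod data components above: the `create`, `list` and `patch`/`update` verbs on the `pods` resource, the cluster-wide `/api/v1/pods` path, and a kubectl user agent, judged against a hypothetical allow-list of service accounts expected to act on pods. The audit records are constructed samples in the `audit.k8s.io/v1` Event shape.

```python
import json
# Audit verb -> the Pod data component on this page that it feeds.
POD_VERBS = {
    "create": "Pod Creation",
    "list": "Pod Enumeration",
    "patch": "Pod Modification",
    "update": "Pod Modification",
}
# Hypothetical allow-list of identities expected to act on pods in this cluster.
EXPECTED_PRINCIPALS = {
    "system:serviceaccount:argocd:argocd-application-controller",
}

def classify(event):
    """Map one audit.k8s.io/v1 Event to a finding dict, or None if it is not a pod verb."""
    obj = event.get("objectRef", {})
    component = POD_VERBS.get(event.get("verb"))
    if obj.get("resource") != "pods" or component is None:
        return None
    user = event.get("user", {}).get("username", "")
    reasons = []
    if user not in EXPECTED_PRINCIPALS:
        reasons.append("unexpected principal")
    if event.get("userAgent", "").startswith("kubectl/"):
        reasons.append("interactive kubectl client")
    # /api/v1/pods without a namespace segment is a cluster-wide request (e.g. `kubectl get pods -A`).
    if event.get("requestURI", "").startswith("/api/v1/pods"):
        reasons.append("cluster-wide pod request")
    return {"component": component, "verb": event["verb"], "user": user,
            "namespace": obj.get("namespace"), "reasons": reasons}

def triage(lines):
    """Parse newline-delimited JSON audit events; keep findings with at least one reason."""
    findings = []
    for line in filter(None, (ln.strip() for ln in lines)):
        result = classify(json.loads(line))
        if result and result["reasons"]:
            findings.append(result)
    return findings

# Constructed sample audit log in the audit.k8s.io/v1 Event shape (not captured from a real cluster).
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"system:serviceaccount:argocd:argocd-application-controller"},"userAgent":"argocd-application-controller/v2","objectRef":{"resource":"pods","namespace":"payments"},"requestURI":"/api/v1/namespaces/payments/pods"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"list","user":{"username":"jdoe"},"userAgent":"kubectl/v1.29.0 (linux/amd64)","objectRef":{"resource":"pods"},"requestURI":"/api/v1/pods?limit=500"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"patch","user":{"username":"jdoe"},"userAgent":"kubectl/v1.29.0 (linux/amd64)","objectRef":{"resource":"pods","namespace":"payments","name":"api-7c9"},"requestURI":"/api/v1/namespaces/payments/pods/api-7c9"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"system:kube-controller-manager"},"userAgent":"kube-controller-manager/v1.29.0","objectRef":{"resource":"configmaps","namespace":"kube-system"},"requestURI":"/api/v1/namespaces/kube-system/configmaps/leader"}
"""

FINDINGS = triage(SAMPLE_AUDIT_LOG.splitlines())  # evaluated at import so the sample run is visible
```

The GitOps-controller `create` passes because the principal is allow-listed and the request is namespaced; the `list` and `patch` from an interactive kubectl session are the two findings, and the non-pod `get` is ignored.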