Kubernetes Pod Exec Potential Reverse Shell

Status: production
Severity: high
Time window: 6m
Author: Elastic
Source: github.com/elastic/detection-rules

Flags exec into a pod when the URL-decoded command payload resembles reverse-shell or bind-shell one-liners invocation patterns. Legitimate debug sessions sometimes use similar building blocks, but together these patterns align with post-exploitation interactive access and command-and-control.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059` Command and Scripting Interpreter, `T1609` Container Administration Command

Event coverage

Provider	Event	Title
Kubernetes-pods	any-pods	any verb on pods (synthetic aggregation)

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

Kubernetes Multi-Resource Discovery (Elastic)
Kubernetes Pod Exec Cloud Instance Metadata Access (Elastic)
Kubernetes Pod Exec Sensitive File or Credential Path Access (Elastic)
Kubernetes Pod Exec with Curl or Wget to HTTPS (Elastic)

Rule body elastic

[metadata]
creation_date = "2026/04/23"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2026/04/23"

[rule]
author = ["Elastic"]
description = """
Flags exec into a pod when the URL-decoded command payload resembles reverse-shell or bind-shell
one-liners invocation patterns. Legitimate debug sessions sometimes use similar building blocks, but together 
these patterns align with post-exploitation interactive access and command-and-control.
"""
from = "now-6m"
interval = "5m"
language = "esql"
license = "Elastic License v2"
name = "Kubernetes Pod Exec Potential Reverse Shell"
note = """## Triage and analysis

### Investigating Kubernetes Pod Exec Potential Reverse Shell

The rule inspects Kubernetes audit exec requestURI values, URL-decodes them, parses the command query fragment, and 
matches high-signal shell and socket idioms often used to obtain a allback shell from inside a container.

### Possible investigation steps

- Identify the actor (kubernetes.audit.user.username, groups, impersonation), source IP, and user agent
  (human kubectl vs automation).
- Resolve the target namespace, pod, and container from kubernetes.audit.objectRef.* and correlate with
  workload ownership and change tickets.
- Pull the raw and decoded URI from the alert document and replay the inferred command in a sandbox only if policy
  allows—otherwise rely on audit and platform logs.
- Hunt nearby events from the same identity: secret reads, pods/exec to other workloads, RoleBinding
  changes, or anonymous API use.

### False positive analysis

- Security training, CTF-style images, or vendor diagnostics may include bash redirection or /dev/tcp examples;
  baseline approved images and break-glass accounts.
- Some observability or mesh sidecars use socat or sockets in ways that could overlap; validate container image and
  command lineage.

### Response and remediation

- If malicious, terminate the exec session, isolate the workload or node, rotate credentials reachable from the
  pod, and revoke pods/exec for the abused principal unless strictly required.
"""
references = [
    "https://attack.mitre.org/techniques/T1609/",
    "https://attack.mitre.org/techniques/T1059/",
]
risk_score = 73
rule_id = "f1a2b3c4-d5e6-4789-a012-3456789abc01"
severity = "high"
tags = [
    "Data Source: Kubernetes",
    "Domain: Kubernetes",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Command and Control",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"
query = '''
FROM logs-kubernetes.audit_logs-* metadata _id, _index, _version
| WHERE kubernetes.audit.objectRef.subresource == "exec"
  AND kubernetes.audit.requestURI LIKE "*command=*"
| EVAL decoded_uri = URL_DECODE(kubernetes.audit.requestURI)
| GROK decoded_uri "%{DATA}/exec\\?%{DATA:raw_commands}&(?:container|stdin|stdout|stderr)=%{GREEDYDATA}"
| EVAL command = REPLACE(raw_commands, "command=", "")
| EVAL command = REPLACE(command, "&", " ")
| EVAL Esql.executed_command = REPLACE(command, "\\+", " ")
| WHERE Esql.executed_command IS NOT NULL 
| WHERE Esql.executed_command IS NOT NULL AND command RLIKE """.*(/dev/tcp/|/dev/udp/|zsh/net/tcp|zsh/net/udp|nc\s+-e|ncat\s+-e|netcat\s+-e|nc\s.*\s-c\s|mkfifo|socat\s.*exec|socat\s.*pty|bash\s+-i\s+>&|0>&1|>&\s*/dev/tcp|import\s+socket.*connect|import\s+pty.*spawn|socket\.socket.*connect|IO::Socket::INET|fsockopen|TCPSocket\.new|/inet/tcp/).*""" AND 
 // local service health check patterns
  NOT command RLIKE """.*/dev/tcp/(localhost|127\.0\.0\.1)/(8080|8443|9090|3000|5000|8888|80|443).*"""
| KEEP *
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

Stages and Predicates

Stage 1: `from`

FROM logs-kubernetes.audit_logs-* metadata _id, _index, _version

Stage 2: `where`

| WHERE kubernetes.audit.objectRef.subresource == "exec"
  AND kubernetes.audit.requestURI LIKE "*command=*"

Stage 3: `eval`

| EVAL decoded_uri = URL_DECODE(kubernetes.audit.requestURI)

Stage 4: `grok`

| GROK decoded_uri "%{DATA}/exec\\?%{DATA:raw_commands}&(?:container|stdin|stdout|stderr)=%{GREEDYDATA}"

Stage 5: `eval`

| EVAL command = REPLACE(raw_commands, "command=", "")

Stage 6: `eval`

| EVAL command = REPLACE(command, "&", " ")

Stage 7: `eval`

| EVAL Esql.executed_command = REPLACE(command, "\\+", " ")

Stage 8: `where`

| WHERE Esql.executed_command IS NOT NULL

Stage 9: `where`

| WHERE Esql.executed_command IS NOT NULL AND command RLIKE """.*(/dev/tcp/|/dev/udp/|zsh/net/tcp|zsh/net/udp|nc\s+-e|ncat\s+-e|netcat\s+-e|nc\s.*\s-c\s|mkfifo|socat\s.*exec|socat\s.*pty|bash\s+-i\s+>&|0>&1|>&\s*/dev/tcp|import\s+socket.*connect|import\s+pty.*spawn|socket\.socket.*connect|IO::Socket::INET|fsockopen|TCPSocket\.new|/inet/tcp/).*""" AND
  NOT command RLIKE """.*/dev/tcp/(localhost|127\.0\.0\.1)/(8080|8443|9090|3000|5000|8888|80|443).*"""

Stage 10: `keep`

| KEEP *

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`command`	regex_match	`./dev/tcp/(localhost\|127.0.0.1)/(8080\|8443\|9090\|3000\|5000\|8888\|80\|443).`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Esql.executed_command`	is_not_null	(no value, null check)
`command`	regex_match	`.(/dev/tcp/\|/dev/udp/\|zsh/net/tcp\|zsh/net/udp\|nc\s+-e\|ncat\s+-e\|netcat\s+-e\|nc\s.\s-c\s\|mkfifo\|socat\s.exec\|socat\s.pty\|bash\s+-i\s+>&\|0>&1\|>&\s/dev/tcp\|import\s+socket.connect\|import\s+pty.spawn\|socket.socket.connect\|IO::Socket::INET\|fsockopen\|TCPSocket.new\|/inet/tcp/).*`
`kubernetes.audit.objectRef.subresource`	eq	`exec`
`kubernetes.audit.requestURI`	wildcard	`command=`

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field	Source
`*`	`KEEP *`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Kubernetes Pod Exec Potential Reverse Shell

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body elastic

Stages and Predicates

Stage 1: `from`

Stage 2: `where`

Stage 3: `eval`

Stage 4: `grok`

Stage 5: `eval`

Stage 6: `eval`

Stage 7: `eval`

Stage 8: `where`

Stage 9: `where`

Stage 10: `keep`

Exclusions

Indicators

Output fields

Keyboard shortcuts

Search operators

Kubernetes Pod Exec Potential Reverse Shell

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body elastic

Stages and Predicates

Stage 1: from

Stage 2: where

Stage 3: eval

Stage 4: grok

Stage 5: eval

Stage 6: eval

Stage 7: eval

Stage 8: where

Stage 9: where

Stage 10: keep

Exclusions

Indicators

Output fields

Stage 1: `from`

Stage 2: `where`

Stage 3: `eval`

Stage 4: `grok`

Stage 5: `eval`

Stage 6: `eval`

Stage 7: `eval`

Stage 8: `where`

Stage 9: `where`

Stage 10: `keep`