Kubernetes Ephemeral Container Added to Pod

Status: production
Severity: medium
Time window: 9m
Author: Elastic
Source: github.com/elastic/detection-rules

Detects allowed updates to the pods/ephemeralcontainers subresource by a non-system identity. Ephemeral containers are commonly used for debugging (kubectl debug) but can also be abused to inject tooling into a running pod, access mounted secrets, and execute commands in the target pod context. Attackers with sufficient RBAC may use ephemeral containers to escalate privileges, move laterally, or establish persistence without deploying a new workload.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1609` Container Administration Command
Privilege Escalation	`T1611` Escape to Host

Event coverage

Provider	Event	Title
Kubernetes-pods	update-pods-ephemeralcontainers	update pods/ephemeralcontainers
Kubernetes-pods	patch-pods-ephemeralcontainers	patch pods/ephemeralcontainers

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

Kubernetes Anonymous User Create/Update/Patch Pods Request (Elastic)
Kubernetes Create or Update Privileged Pod (Splunk)
Kubernetes Pod Created with a Sensitive hostPath Volume (Elastic)
Kubernetes Pod Created With HostIPC (Elastic)
Kubernetes Pod Created With HostNetwork (Elastic)
Kubernetes Pod Created With HostPID (Elastic)
Kubernetes Pod With Host Network Attachment (Splunk)

Rule body elastic

[metadata]
creation_date = "2026/05/07"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2026/05/07"

[rule]
author = ["Elastic"]
description = """
Detects allowed updates to the pods/ephemeralcontainers subresource by a non-system identity. Ephemeral containers are
commonly used for debugging (kubectl debug) but can also be abused to inject tooling into a running pod, access mounted
secrets, and execute commands in the target pod context. Attackers with sufficient RBAC may use ephemeral containers to
escalate privileges, move laterally, or establish persistence without deploying a new workload.
"""
false_positives = [
    """
    Cluster operators or SREs may legitimately use ephemeral containers for debugging production workloads. Baseline
    approved admin identities and tune exclusions for known automation.
    """,
]
from = "now-9m"
index = ["logs-kubernetes.audit_logs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes Ephemeral Container Added to Pod"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Kubernetes Ephemeral Container Added to Pod

Ephemeral containers allow adding a container to an existing pod for troubleshooting. When abused, they can be used to
gain interactive access to a workload, read sensitive files, and run tools that were not present in the original image.

### Possible investigation steps

- Review the actor (user.name, groups), source.ip, and user_agent.original and confirm the identity is authorized to use ephemeral containers.
- Inspect kubernetes.audit.objectRef (namespace, name) to identify the targeted pod and workload owner.
- If request bodies are captured, review the ephemeral container image, command, and securityContext for privilege indicators.
- Correlate with follow-on audit activity such as pod exec, secret reads, TokenRequest, or RBAC modifications.

### Response and remediation

- If unauthorized, remove excessive RBAC that grants update/patch on pods/ephemeralcontainers and rotate exposed credentials.
- Quarantine or redeploy impacted workloads and hunt for additional compromised pods or identities.
"""
references = [
    "https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/",
]
risk_score = 47
rule_id = "c62733ff-9373-4fdf-9733-3d992e148c93"
severity = "medium"
tags = [
    "Data Source: Kubernetes",
    "Domain: Kubernetes",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Execution",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:"kubernetes.audit_logs" and 
kubernetes.audit.objectRef.resource:"pods" and
kubernetes.audit.objectRef.subresource:"ephemeralcontainers" and
kubernetes.audit.verb:("update" or "patch") and
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
not user.name:(
  system\:node\:* or
  system\:serviceaccount\:kube-system\:*
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

Stages and Predicates

Stage 1: `query`

data_stream.dataset:"kubernetes.audit_logs" and 
kubernetes.audit.objectRef.resource:"pods" and
kubernetes.audit.objectRef.subresource:"ephemeralcontainers" and
kubernetes.audit.verb:("update" or "patch") and
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
not user.name:(
  system\:node\:* or
  system\:serviceaccount\:kube-system\:*
)

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`user.name`	starts_with	`system\:node\:`
`user.name`	starts_with	`system\:serviceaccount\:kube-system\:`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`data_stream.dataset`	eq	`kubernetes.audit_logs`
`kubernetes.audit.annotations.authorization_k8s_io/decision`	eq	`allow`
`kubernetes.audit.objectRef.resource`	eq	`pods`
`kubernetes.audit.objectRef.subresource`	eq	`ephemeralcontainers`
`kubernetes.audit.verb`	in	`patch` `update`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Kubernetes Ephemeral Container Added to Pod

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body elastic

Stages and Predicates

Stage 1: `query`

Exclusions

Indicators

Keyboard shortcuts

Search operators

Kubernetes Ephemeral Container Added to Pod

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body elastic

Stages and Predicates

Stage 1: query

Exclusions

Indicators

Stage 1: `query`