We are excited to announce the release of a new threat detection type – exec command in a kube-system namespace.

This detection alerts you when kubectl exec has run a command in the kube-system namespace of your environment, which may indicate suspicious activity.

What is Kubectl Exec?

Kubectl is a command line tool used to communicate with Kubernetes clusters via the Kubernetes API. It is an admin tool for Kubernetes clusters that can be used to monitor cluster status and to manage and edit resources.

Kubectl exec gives you full shell access to a container, meaning you can execute commands inside the container directly from kubectl. Before you use kubectl exec to execute a command in a container, you need to know which namespace in the cluster the target pod lives in. kubectl exec is a powerful tool; it is primarily used for inspecting containers and viewing their status and contents.

Indicators of Compromise

While kubectl exec is used for improving container monitoring and performance, it can also be used by bad actors once even a single Kubernetes token has fallen into the wrong hands.

One sign of compromise is kubectl exec being used to execute a command in the kube-system namespace. The kube-system namespace is a default namespace used mostly for system-level components such as kube-dns and kube-proxy. Executing commands inside pods or containers in the kube-system namespace is very unusual: those workloads should be immutable at runtime, carry high permissions by default, and have access to secrets and control-plane resources.

A kube-system attack often includes:

  1. An attacker uses kubectl exec in the kube-system namespace, which has high permissions by default.
  2. The attacker then uses kubectl exec against a pod to establish a temporary shell session.
  3. The temporary shell session gives the attacker the ability to execute any process or command in the pod.
  4. The attacker then uses the interactive shell to run commands and gain access to the pod’s data, including permissions and secrets.

Upwind leverages runtime data to rapidly identify unusual kubectl exec commands run in the kube-system namespace and immediately alert you to suspicious activity. Read more about Kubectl Exec detections in the Upwind Documentation Center.
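The indicator described above (a kubectl exec into a kube-system pod) can also be surfaced from the Kubernetes API server audit log, independently of the runtime-based detection the announcement describes. The following is an added example written for this page, not Upwind's own detection logic or code: it parses constructed audit.k8s.io/v1 events (one JSON object per line, with made-up pod names, users, IPs and auditIDs), keeps only requests to the pods/exec subresource, and raises an alert for each one that targets the kube-system namespace. The namespace allow-list, the alert fields and the dedupe-on-auditID rule are this example's own choices.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Namespaces in which any pods/exec request is treated as suspicious
# (this example's own choice; extend to other sensitive namespaces as needed).
WATCHED_NAMESPACES = {"kube-system"}

# Constructed sample audit events (audit.k8s.io/v1), one per line.
# These are illustrative records written for this example, not real cluster logs.
# Note that kubectl exec is an upgraded, long-running request: the API server records
# it at the RequestReceived and ResponseStarted stages (never ResponseComplete),
# so the same request can appear twice under one auditID.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseStarted","verb":"create","user":{"username":"alice@example.com","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"default","name":"web-7c9f","subresource":"exec"},"requestURI":"/api/v1/namespaces/default/pods/web-7c9f/exec?command=ls&container=web&stdout=true","sourceIPs":["10.0.0.12"],"userAgent":"kubectl/v1.29.0 (linux/amd64)","requestReceivedTimestamp":"2024-05-01T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"b2","stage":"RequestReceived","verb":"create","user":{"username":"system:serviceaccount:ci:deployer","groups":["system:serviceaccounts"]},"objectRef":{"resource":"pods","namespace":"kube-system","name":"coredns-5d78c9869d-abcde","subresource":"exec"},"requestURI":"/api/v1/namespaces/kube-system/pods/coredns-5d78c9869d-abcde/exec?command=%2Fbin%2Fsh&container=coredns&stdin=true&stdout=true&tty=true","sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.29.0 (linux/amd64)","requestReceivedTimestamp":"2024-05-01T10:05:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"b2","stage":"ResponseStarted","verb":"create","user":{"username":"system:serviceaccount:ci:deployer","groups":["system:serviceaccounts"]},"objectRef":{"resource":"pods","namespace":"kube-system","name":"coredns-5d78c9869d-abcde","subresource":"exec"},"requestURI":"/api/v1/namespaces/kube-system/pods/coredns-5d78c9869d-abcde/exec?command=%2Fbin%2Fsh&container=coredns&stdin=true&stdout=true&tty=true","sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.29.0 (linux/amd64)","requestReceivedTimestamp":"2024-05-01T10:05:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"c3","stage":"ResponseComplete","verb":"get","user":{"username":"alice@example.com","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"kube-system","name":"kube-proxy-xyz"},"requestURI":"/api/v1/namespaces/kube-system/pods/kube-proxy-xyz","sourceIPs":["10.0.0.12"],"userAgent":"kubectl/v1.29.0 (linux/amd64)","requestReceivedTimestamp":"2024-05-01T10:06:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"d4","stage":"ResponseStarted","verb":"create","user":{"username":"bob@example.com","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"kube-system","name":"kube-proxy-xyz","subresource":"exec"},"requestURI":"/api/v1/namespaces/kube-system/pods/kube-proxy-xyz/exec?command=env&container=kube-proxy&stdout=true","sourceIPs":["10.0.0.40"],"userAgent":"kubectl/v1.29.0 (linux/amd64)","requestReceivedTimestamp":"2024-05-01T10:07:00.000000Z"}
"""


def parse_audit_lines(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_exec_request(event):
    """True for a request to the pods/exec subresource (recorded with verb 'create')."""
    ref = event.get("objectRef") or {}
    return (event.get("verb") == "create"
            and ref.get("resource") == "pods"
            and ref.get("subresource") == "exec")


def exec_query(event):
    """Return the exec request's query parameters; kubectl passes the argv as repeated ?command= params."""
    return parse_qs(urlsplit(event.get("requestURI", "")).query)


def detect_kube_system_exec(audit_text, watched=WATCHED_NAMESPACES):
    """Return one alert dict per distinct exec request into a watched namespace."""
    alerts, seen = [], set()
    for ev in parse_audit_lines(audit_text):
        if not is_exec_request(ev):
            continue
        ref = ev["objectRef"]
        if ref.get("namespace") not in watched:
            continue
        # One exec request yields several stage events; alert once per auditID.
        if ev.get("auditID") in seen:
            continue
        seen.add(ev.get("auditID"))
        query = exec_query(ev)
        alerts.append({
            "time": ev.get("requestReceivedTimestamp"),
            "user": ev.get("user", {}).get("username"),
            "source_ips": ev.get("sourceIPs", []),
            "namespace": ref.get("namespace"),
            "pod": ref.get("name"),
            "container": query.get("container", [None])[0],
            "command": query.get("command", []),
            # tty=true with stdin=true is the signature of an interactive shell session
            "interactive": query.get("tty", ["false"])[0] == "true"
                           and query.get("stdin", ["false"])[0] == "true",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_kube_system_exec(SAMPLE_AUDIT_LOG):
        kind = "interactive shell" if alert["interactive"] else "one-shot command"
        print(f"[ALERT] {alert['time']} {alert['user']} from {alert['source_ips']} "
              f"ran {kind} {alert['command']} in {alert['namespace']}/{alert['pod']} "
              f"(container {alert['container']})")
```

On the constructed input this produces two alerts: the interactive /bin/sh into the coredns pod (reported once despite the two stage events) and the one-shot env into the kube-proxy pod; the exec in the default namespace and the plain get of a kube-system pod are ignored. The audit policy must record the pods/exec subresource at least at the RequestResponse or Metadata level for these events to exist at all, and the interactive flag is worth carrying into the alert because a tty session in kube-system matches the temporary-shell step in the attack pattern described above.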