Pod Modification (672b2ebd-4310-4efe-bf03-7ab005298a74)
Changes made to a pod’s configuration or control data within a containerized cluster. This can include updating settings such as resource limits, environment variables, annotations, labels, or even the containers running within the pod. Pod modifications are often executed using commands like kubectl set, kubectl patch, or kubectl edit.
Data Collection Measures:
- Kubernetes API Server Audit Logs:
  - Capture all API calls that modify pods: audit events with verb `update` (HTTP PUT) or `patch` (HTTP PATCH) on the `pods` resource of the core `v1` API group. The audit policy must log these at `Request` or `RequestResponse` level to retain the request body, which is what shows which fields (image, command, env, resources, labels, annotations) were changed; at `Metadata` level only the actor, verb and object survive.
- Runtime Security Tools:
  - Tools like Falco and Sysdig can consume the API server audit stream and container runtime activity and alert on policy violations, such as a pod patched to run an image from an unapproved registry. kube-bench, often listed alongside them, checks static cluster configuration against the CIS Kubernetes Benchmark and does not observe runtime pod modifications.
- Container Orchestration Logs:
  - Monitor events logged by Kubernetes itself (e.g., `kubectl logs -n kube-system kube-controller-manager-<node-name>`; the static pod name carries the control-plane node suffix in kubeadm-style clusters, and on managed clusters the control-plane logs are exposed through the provider's logging service instead).
- SIEM and EDR Solutions:
  - Use SIEM platforms (e.g., Splunk) to aggregate API server audit logs and detect patterns of unauthorized or suspicious pod modifications, such as a service account patching pods outside its own namespace or a container image changed to an unapproved registry.
  - Endpoint Detection and Response (EDR) tools configured with container visibility can monitor commands like `kubectl set` or `kubectl patch`.
- Host-Based Monitoring:
  - Collect and analyze logs for processes executing `kubectl` commands or interacting with Kubernetes configuration files (e.g., `.kube/config`). Pod modifications made through direct API calls (curl, client libraries, CI pipelines) never invoke `kubectl`, so host-based process monitoring complements API server audit logs rather than replacing them.
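The API server audit log is the measure most detection engineering for this data component is built on. As an added example (not code from the MITRE data component or the MISP galaxy), the following Python reads audit events as JSON lines, keeps only completed `update`/`patch` requests against the `pods` resource, drops the `status` and similar subresources that the kubelet and controllers write constantly, and then inspects the request body for the changes an attacker would make: an image from outside the allowlist, a privileged or host-namespace flag, a changed entrypoint, or an ephemeral (debug) container injected into a running pod. Rejected requests are kept as attempts rather than discarded, since a 422 from the API server still records who tried. The sample events, `APPROVED_REGISTRIES` and `SYSTEM_PREFIXES` are constructed assumptions and must be tuned to the cluster.

```python
"""Flag pod-modifying requests in Kubernetes API server audit logs (JSON lines).

Added example, not MITRE's or the MISP galaxy's code. Assumes the audit policy
logs pod writes at level Request or RequestResponse so requestObject is present.
"""
import json
from typing import Any, Dict, Iterator, List

APPROVED_REGISTRIES = ("registry.example.internal/",)  # assumption: the org's image allowlist
# Subresources that never change the pod's spec or metadata; the kubelet hammers /status.
IGNORED_SUBRESOURCES = {"status", "binding", "log", "exec", "attach", "portforward", "eviction", "proxy"}
# Control-plane identities whose pod updates are routine; assumption, tune per cluster.
SYSTEM_PREFIXES = ("system:node:", "system:kube-", "system:serviceaccount:kube-system:")

# Constructed sample audit events (audit.k8s.io/v1), not captured from a real cluster.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/shop/pods/web-0/status","verb":"patch","user":{"username":"system:node:worker-1","groups":["system:nodes"]},"sourceIPs":["10.0.1.7"],"userAgent":"kubelet/v1.29.0","objectRef":{"resource":"pods","namespace":"shop","name":"web-0","subresource":"status","apiVersion":"v1"},"responseStatus":{"code":200},"requestObject":{"status":{"phase":"Running"}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/shop/pods/web-0","verb":"patch","user":{"username":"system:serviceaccount:ci:deployer","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.2.4"],"userAgent":"kubectl/v1.29.0 (linux/amd64)","objectRef":{"resource":"pods","namespace":"shop","name":"web-0","apiVersion":"v1"},"responseStatus":{"code":200},"requestObject":{"spec":{"containers":[{"name":"web","image":"registry.example.internal/shop/web:2.3.1"}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/shop/pods/web-0","verb":"patch","user":{"username":"alice@example.com","groups":["developers"]},"sourceIPs":["203.0.113.9"],"userAgent":"kubectl/v1.29.0 (darwin/arm64)","objectRef":{"resource":"pods","namespace":"shop","name":"web-0","apiVersion":"v1"},"responseStatus":{"code":200},"requestObject":{"spec":{"containers":[{"name":"web","image":"docker.io/evil/miner:latest"}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/shop/pods/web-0/ephemeralcontainers","verb":"update","user":{"username":"alice@example.com","groups":["developers"]},"sourceIPs":["203.0.113.9"],"userAgent":"kubectl/v1.29.0 (darwin/arm64)","objectRef":{"resource":"pods","namespace":"shop","name":"web-0","subresource":"ephemeralcontainers","apiVersion":"v1"},"responseStatus":{"code":200},"requestObject":{"spec":{"ephemeralContainers":[{"name":"debugger","image":"busybox","command":["sh"]}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"a5","stage":"ResponseStarted","requestURI":"/api/v1/namespaces/shop/pods/web-0","verb":"patch","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"shop","name":"web-0","apiVersion":"v1"},"requestObject":{}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"a6","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/shop/configmaps/app","verb":"update","user":{"username":"alice@example.com"},"objectRef":{"resource":"configmaps","namespace":"shop","name":"app","apiVersion":"v1"},"responseStatus":{"code":200},"requestObject":{"data":{"k":"v"}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"a7","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/shop/pods/web-0","verb":"patch","user":{"username":"alice@example.com","groups":["developers"]},"sourceIPs":["203.0.113.9"],"userAgent":"kubectl/v1.29.0 (darwin/arm64)","objectRef":{"resource":"pods","namespace":"shop","name":"web-0","apiVersion":"v1"},"responseStatus":{"code":422},"requestObject":[{"op":"add","path":"/spec/containers/0/securityContext/privileged","value":true}]}
"""


def iter_events(text: str) -> Iterator[Dict[str, Any]]:
    """Yield one parsed audit event per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def _walk(obj: Any, prefix: str = "") -> Iterator[tuple]:
    """Flatten a (strategic/merge) patch body into JSON-pointer-style paths."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{prefix}/{key}")
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            yield from _walk(value, f"{prefix}/{idx}")
    else:
        yield prefix, obj


def changed_fields(request_object: Any) -> Dict[str, Any]:
    """Normalise both JSON Patch (list of ops) and merge-style bodies to {path: value}."""
    if isinstance(request_object, list) and all(isinstance(op, dict) and "op" in op for op in request_object):
        return {op["path"]: op.get("value") for op in request_object}
    return dict(_walk(request_object))


def pod_modifications(events: Iterator[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per completed spec/metadata write to a pod, with risk reasons."""
    findings = []
    for ev in events:
        ref = ev.get("objectRef") or {}
        if ev.get("stage") != "ResponseComplete" or ref.get("resource") != "pods":
            continue  # one record per request, and only pods
        if ev.get("verb") not in ("update", "patch"):
            continue
        if ref.get("subresource") in IGNORED_SUBRESOURCES:
            continue  # kubelet status writes, scheduler bindings, exec/log streams
        user = (ev.get("user") or {}).get("username", "")
        if user.startswith(SYSTEM_PREFIXES):
            continue  # routine control-plane traffic (noise; revisit if identities are compromised)
        reasons: List[str] = []

        def add(reason: str) -> None:
            if reason not in reasons:
                reasons.append(reason)

        if ref.get("subresource") == "ephemeralcontainers":
            add("ephemeral (debug) container injected")
        for path, value in changed_fields(ev.get("requestObject") or {}).items():
            if path.endswith("/image") and isinstance(value, str) and not value.startswith(APPROVED_REGISTRIES):
                add(f"image from unapproved registry: {value}")
            if path.endswith("/privileged") and value is True:
                add("privileged requested")
            if path.endswith(("/hostPID", "/hostNetwork", "/hostIPC")) and value is True:
                add("host namespace requested")
            if "/command" in path or "/args" in path:
                add("entrypoint changed")
        code = (ev.get("responseStatus") or {}).get("code", 0)
        findings.append({
            "audit_id": ev.get("auditID"),
            "user": user,
            "source_ips": ev.get("sourceIPs", []),
            "user_agent": ev.get("userAgent", ""),
            "namespace": ref.get("namespace"),
            "pod": ref.get("name"),
            "succeeded": code < 400,  # a 422 still tells you who tried what
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in pod_modifications(iter_events(SAMPLE_AUDIT_LOG)):
        print(json.dumps(finding))
```

Benign modifications (a finding with no reasons, such as a deployer rolling an approved image) are still returned so they can be baselined in the SIEM; the reasons list is what should raise an alert, and the `succeeded` flag separates a blocked attempt from a change that actually landed.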
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Pod Modification (672b2ebd-4310-4efe-bf03-7ab005298a74) | mitre-data-component | Deploy Container - T1610 (56e0d8b8-3e25-49dd-9050-3aa252f5aa92) | Attack Pattern | 1 |