1type: trigger
2name: crowdsecurity/k8s-audit-privileged-pod-creation
3description: "Detect privileged pod creation"
4filter: |
5  evt.Meta.log_type == 'k8s-audit' &&
6  (
7   (
8    evt.Meta.datasource_type == "k8s-audit" &&
9    evt.Unmarshaled.k8s_audit.Verb == 'create' &&
10    evt.Unmarshaled.k8s_audit.ObjectRef?.Resource == 'pods' &&
11    evt.Unmarshaled.k8s_audit.RequestObject != nil &&
12    evt.Unmarshaled.k8s_audit.RequestObject.spec != nil &&
13    any(evt.Unmarshaled.k8s_audit.RequestObject.spec.containers, { .securityContext != nil && .securityContext.privileged == true })
14   )
15   ||
16   (
17    evt.Meta.datasource_type != "k8s-audit" &&
18    evt.Unmarshaled.k8s_audit.verb == 'create' &&
19    evt.Unmarshaled.k8s_audit.objectRef?.resource == 'pods' &&
20    evt.Unmarshaled.k8s_audit.requestObject != nil &&
21    evt.Unmarshaled.k8s_audit.requestObject.spec != nil &&
22    any(evt.Unmarshaled.k8s_audit.requestObject.spec.containers, { .securityContext != nil && .securityContext.privileged == true })
23   )
24  )
25labels:
26  notification: true
27  classification:
28    - attack.T1610
29  behavior: "k8s:audit"
30  label: "Kubernetes Privileged Pod Creation"
31  spoofable: 0
32  confidence: 3
33  service: k8s
34