Clankerusecase
Kubernetes detection coverage

Kubernetes detections

Clankerusecase tracks 60 detection use cases covering the Kubernetes attack surface across 43 MITRE ATT&CK techniques.

Detections targeting Kubernetes clusters — audit logs, pod creation, RBAC, container escapes.

60 use cases · 43 techniques · 17 articles · 5 kill-chain phases

Top techniques on Kubernetes (25)

Delivery (1)

[LLM] Docker / Kubernetes pull of compromised ghcr.io/elementary-data/elementary image · Bespoke delivery · alerting · DSΣPDDCS

Exploitation (6)

[WEEKLY] Public-Facing App Runtime Spawns Shell, LOLBin, or Container-Control Tool · Internal exploit · alerting · DSΣPDD
[LLM] Jupyter Enterprise Gateway /api/kernels POST with KERNEL_* YAML-injection payload · Bespoke exploit · hunting · DSPDD
[LLM] Enterprise Gateway service account creates Jupyter kernel pod as root (CVE-2026-44180 outcome) · Bespoke exploit · alerting · SPDDCW
[LLM] PraisonAI Python subprocess spawns OS shell with discovery / credential-reading commands · Bespoke exploit · alerting · DSPDDCS
Article-specific behavioural hunt — Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks aga · Bespoke exploit · hunting · DSP
Article-specific behavioural hunt — CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran · Bespoke exploit · hunting · DSP

Installation (9)

Kubernetes ClusterRole / binding deleted · Internal install · alerting · DD
Kubernetes pod created with privileged flag · Internal install · alerting · DD
Kubernetes RBAC role binding created · Internal install · alerting · DD
Kubernetes admission webhook configuration modified · Internal install · alerting · DD
[LLM] Privileged or root pod created by Jupyter Enterprise Gateway ServiceAccount · Bespoke install · alerting · SΣPDDCW
[LLM] Enterprise Gateway python container spawns shell or reads K8s service-account token (CVE-2026-44181 RCE) · Bespoke install · alerting · DSΣPDDCS
[LLM] Cron/persistence file written on Kubernetes worker node from container runtime context · Bespoke install · alerting · DSΣPDDCS
[LLM] TeamPCP rope.pyz Dropper Infection Markers on Linux · Bespoke install · alerting · DSΣPDDCS
[LLM] Malicious privileged DaemonSet apply in kube-system (host-provisioner-iran / host-provisioner-std / kamikaze) · Bespoke install · alerting · DSΣPDDCS

Command & Control (3)

[LLM] Egress to typosquatted C2 flipboxstudio.info (Laravel-Lang Composer SC) · Bespoke c2 · alerting · DSΣPDDCS
[LLM] TeamPCP Checkmarx KICS supply-chain stealer C2 callback (audit.checkmarx.cx / 94.154.172.43) · Bespoke c2 · hunting · DSΣPDDCS
[LLM] CI/CD Linux build host outbound to gist.githubusercontent.com (tj-actions IOC pattern) · Bespoke c2 · alerting · DSΣPDD

Actions on Objectives (41)

Kubernetes Secret accessed · Internal actions · alerting · DD
[WEEKLY] Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN · Internal actions · alerting · DSPDD
Amazon EKS Kubernetes Pod scan detection · ESCU actions · hunting · P
Kubernetes Abuse of Secret by Unusual Location · ESCU actions · hunting · P
Kubernetes Abuse of Secret by Unusual User Agent · ESCU actions · hunting · P
Kubernetes Abuse of Secret by Unusual User Group · ESCU actions · hunting · P
Kubernetes Abuse of Secret by Unusual User Name · ESCU actions · hunting · P
Kubernetes Anomalous Inbound Network Activity from Process · ESCU actions · hunting · P
Kubernetes Anomalous Inbound Outbound Network IO · ESCU actions · hunting · P
Kubernetes Anomalous Inbound to Outbound Network IO Ratio · ESCU actions · hunting · P
Kubernetes Anomalous Outbound Network Activity from Process · ESCU actions · hunting · P
Kubernetes Anomalous Traffic on Network Edge · ESCU actions · hunting · P
Kubernetes Create or Update Privileged Pod · ESCU actions · hunting · P
Kubernetes Cron Job Creation · ESCU actions · hunting · P
Kubernetes DaemonSet Deployed · ESCU actions · hunting · P
Kubernetes newly seen TCP edge · ESCU actions · hunting · P
Kubernetes newly seen UDP edge · ESCU actions · hunting · P
Kubernetes Node Port Creation · ESCU actions · hunting · P
Kubernetes Pod Created in Default Namespace · ESCU actions · hunting · P
Kubernetes Pod With Host Network Attachment · ESCU actions · hunting · P
Kubernetes Previously Unseen Container Image Name · ESCU actions · hunting · P
Kubernetes Previously Unseen Process · ESCU actions · hunting · P
Kubernetes Process Running From New Path · ESCU actions · hunting · P
Kubernetes Process with Anomalous Resource Utilisation · ESCU actions · hunting · P
Kubernetes Process with Resource Ratio Anomalies · ESCU actions · hunting · P
Kubernetes Shell Running on Worker Node · ESCU actions · hunting · P
Kubernetes Shell Running on Worker Node with CPU Activity · ESCU actions · hunting · P
Kubernetes Suspicious Image Pulling · ESCU actions · hunting · P
Kubernetes Unauthorized Access · ESCU actions · hunting · P
Hunting for Log4Shell · ESCU actions · hunting · P
GCP Kubernetes cluster scan detection · ESCU actions · alerting · P
[LLM] Non-browser process fan-out reading SSH/npm/Docker/AWS/browser credential stores on Arch host · Bespoke actions · hunting · DSPDDCS
[LLM] Enterprise Gateway service account creates privileged / hostPath / RBAC-escalating pod (CVE-2026-44181 post-exploit) · Bespoke actions · alerting · SΣPDDCW
[LLM] Jupyter kernel pod created with hostPath volume by enterprise-gateway SA · Bespoke actions · alerting · SPDDCW
[LLM] Lateral movement via aws ssm send-command or kubectl exec spawned by python/node · Bespoke actions · alerting · DSΣPDDCSCW
[LLM] Kubernetes API curl/wget with ServiceAccount token from container · Bespoke actions · alerting · DSΣPDDCSCW
[LLM] Container default credential leak — PKP_DB_PASSWORD=changeMePlease and --secret · Bespoke actions · hunting · DSΣPDDCS
[LLM] Python Process Reading Multi-Cloud Credential Stores (durabletask Stealer Stage) · Bespoke actions · hunting · DSPDDCS
[LLM] Kubernetes privileged-pod DaemonSet fan-out from compromised LiteLLM workload · Bespoke actions · hunting · SPDD
[LLM] In-cluster Kubernetes secret enumeration with Python user-agent (litellm stealer K8s pivot) · Bespoke actions · alerting · DSΣPDDCS
[LLM] TeamPCP exfiltration archive — tpcp.tar.gz file creation on host · Bespoke actions · alerting · DSΣPDD
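Several of the audit-log use cases above (privileged pod created, pod with hostPath volume, pod with host network attachment, RBAC role binding created, ClusterRole / binding deleted, admission webhook configuration modified, Secret accessed, Secret abuse by unusual user agent, privileged DaemonSet in kube-system) reduce to field checks on a single API-server audit event. The script below is an added example of that triage, not Clankerusecase's or Splunk ESCU's detection logic. It assumes events in the standard audit.k8s.io/v1 JSON shape (verb, objectRef, requestObject, user, userAgent) and an audit policy that logs pod, workload and RBAC writes at RequestResponse level so that requestObject is populated; the sample events, the service-account name and the scripted user-agent list are constructed for the example.

```python
"""Audit-log triage for several of the Kubernetes detections listed above.

Added example, not Clankerusecase's or Splunk ESCU's detection logic. Assumes
API-server audit events in the audit.k8s.io/v1 JSON shape (verb, objectRef,
requestObject, user, userAgent) and an audit policy that logs pod, workload and
RBAC writes at RequestResponse level so that requestObject is present.
"""
import json

WORKLOADS = {"daemonsets", "deployments", "statefulsets", "jobs", "cronjobs"}
WRITE_VERBS = {"create", "update", "patch"}
READ_VERBS = {"get", "list", "watch"}
RBAC_BINDINGS = {"rolebindings", "clusterrolebindings"}
WEBHOOKS = {"mutatingwebhookconfigurations", "validatingwebhookconfigurations"}
# User agents a human on kubectl would not present; assumed list, tune per cluster.
SCRIPTED_UA = ("python-requests", "python-urllib", "curl/", "Wget/")


def pod_spec(event):
    """Return the PodSpec from a pod write or from a workload's pod template."""
    obj = event.get("requestObject") or {}
    resource = event.get("objectRef", {}).get("resource")
    if resource == "pods":
        return obj.get("spec")
    if resource in WORKLOADS:
        spec = obj.get("spec", {})
        if resource == "cronjobs":  # CronJob nests a Job template one level deeper
            spec = spec.get("jobTemplate", {}).get("spec", {})
        return spec.get("template", {}).get("spec")
    return None


def is_privileged(spec):
    """True if any container or initContainer asks for privileged mode."""
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return any((c.get("securityContext") or {}).get("privileged") for c in containers)


def triage(event):
    """Map one audit event to the detection titles it would trip (may be empty)."""
    hits = []
    ref = event.get("objectRef", {})
    verb, resource, ns = event.get("verb"), ref.get("resource"), ref.get("namespace")
    ua = event.get("userAgent", "")

    spec = pod_spec(event) if verb in WRITE_VERBS else None
    if spec:
        if is_privileged(spec):
            hits.append("Kubernetes pod created with privileged flag")
            if resource == "daemonsets" and ns == "kube-system":
                hits.append("Privileged DaemonSet applied in kube-system")
        if any("hostPath" in v for v in spec.get("volumes", [])):
            hits.append("Pod created with hostPath volume")
        if spec.get("hostNetwork"):
            hits.append("Kubernetes Pod With Host Network Attachment")
    if verb == "create" and resource in RBAC_BINDINGS:
        hits.append("Kubernetes RBAC role binding created")
    if verb == "delete" and resource in {"clusterroles", "clusterrolebindings"}:
        hits.append("Kubernetes ClusterRole / binding deleted")
    if resource in WEBHOOKS and verb in WRITE_VERBS | {"delete"}:
        hits.append("Kubernetes admission webhook configuration modified")
    if resource == "secrets" and verb in READ_VERBS:
        hits.append("Kubernetes Secret accessed")
        if ua.startswith(SCRIPTED_UA):
            hits.append("Kubernetes Abuse of Secret by Unusual User Agent")
    if resource == "pods" and ref.get("subresource") == "exec":
        hits.append("kubectl exec into running pod")
    return hits


def triage_log(lines):
    """Run triage over JSON-lines audit output; returns (auditID, user, title) rows."""
    rows = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        user = ev.get("user", {}).get("username")
        rows.extend((ev.get("auditID"), user, t) for t in triage(ev))
    return rows


# Constructed sample events (not real cluster data); only the fields triage reads.
SA = "system:serviceaccount:jupyter:enterprise-gateway"  # assumed service-account name
SAMPLE_AUDIT_LOG = [json.dumps(e) for e in [
    {"auditID": "a1", "verb": "create", "user": {"username": SA}, "userAgent": "python-requests/2.31",
     "objectRef": {"resource": "pods", "namespace": "jupyter", "name": "kernel-1"},
     "requestObject": {"spec": {"hostNetwork": True,
                                "containers": [{"name": "k", "image": "img", "securityContext": {"privileged": True}}],
                                "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}},
    {"auditID": "a2", "verb": "create", "user": {"username": SA}, "userAgent": "kubectl/v1.30",
     "objectRef": {"resource": "daemonsets", "namespace": "kube-system", "name": "node-agent"},
     "requestObject": {"spec": {"template": {"spec": {"containers": [
         {"name": "p", "image": "img", "securityContext": {"privileged": True}}]}}}}},
    {"auditID": "a3", "verb": "list", "user": {"username": SA}, "userAgent": "python-requests/2.31",
     "objectRef": {"resource": "secrets", "namespace": "default"}},
    {"auditID": "a4", "verb": "get", "user": {"username": "alice"}, "userAgent": "kubectl/v1.30",
     "objectRef": {"resource": "configmaps", "namespace": "default", "name": "app"}},
    {"auditID": "a5", "verb": "create", "user": {"username": SA}, "userAgent": "kubectl/v1.30",
     "objectRef": {"resource": "clusterrolebindings", "name": "eg-admin"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}},
]]

if __name__ == "__main__":
    for row in triage_log(SAMPLE_AUDIT_LOG):
        print(*row, sep="  ")
```

Two caveats a practitioner will hit. First, the privileged, hostPath and hostNetwork checks only fire when requestObject is present, which means the audit policy must log those resources at RequestResponse (or at least Request) level; at Metadata level only the verb/resource rules (RBAC, webhook, secret access, exec) still work. Second, privileged DaemonSets in kube-system are routine for CNI and CSI agents, so in production that rule should be gated on an image allowlist or on a "previously unseen image" baseline, as the ESCU entries above do, rather than alerting on every apply.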

Recent articles citing Kubernetes-targeted detections