EXPLORE
← Back to Explore
elasticmediumTTP

GKE User Exec into Pod

Detects the first occurrence of a non-system GKE identity establishing an exec session into a pod. kubectl exec enables interactive command execution inside workloads and is a common post-compromise technique to access secrets and expand access.

MITRE ATT&CK

execution

Detection Query

data_stream.dataset:gcp.audit and event.action:("io.k8s.core.v1.pods.exec.create" or "io.k8s.core.v1.pods.exec.get") and
not user.email:system\:*

Author

Elastic

Created

2026/06/30

Data Sources

GCPGoogle Cloud Platformlogs-gcp.audit-*

Tags

Domain: CloudDomain: KubernetesData Source: GCPData Source: Google Cloud PlatformUse Case: Threat DetectionTactic: ExecutionResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/06/30"
integration = ["gcp"]
maturity = "production"
updated_date = "2026/06/30"

[rule]
author = ["Elastic"]
description = """
Detects the first occurrence of a non-system GKE identity establishing an exec session into a pod. kubectl exec enables
interactive command execution inside workloads and is a common post-compromise technique to access secrets and expand
access.
"""
false_positives = [
    """
    Administrators routinely exec into pods for troubleshooting. Baseline expected users and target pods, then exclude
    known break-glass identities.
    """,
]
from = "now-6m"
index = ["logs-gcp.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "GKE User Exec into Pod"
note = """## Triage and analysis

### Investigating GKE User Exec into Pod

This new-terms rule alerts on the first exec into a given pod by a user identity in the lookback window.

### Investigation steps

- Review `user.email`, `orchestrator.resource.name`, `source.ip`, and `user_agent.original`.
- Determine whether the target pod holds sensitive data or cluster credentials.
- Correlate with secret access or RBAC changes from the same identity.

### False positives

- Approved admin debugging; exclude stable operator identities after review.

## Setup

The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
references = [
    "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/",
]
risk_score = 47
rule_id = "c040c962-1c60-4259-8ea3-601a40d4ab9f"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Kubernetes",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
data_stream.dataset:gcp.audit and event.action:("io.k8s.core.v1.pods.exec.create" or "io.k8s.core.v1.pods.exec.get") and
not user.email:system\:*
'''

[rule.new_terms]
field = "new_terms_fields"
value = ["user.email", "orchestrator.resource.name"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"