EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

Cisco Isovalent - Pods Running Offensive Tools

The following analytic detects execution of known offensive tooling from within Kubernetes pods, including network scanners and post-exploitation frameworks (e.g., nmap, masscan, zmap, impacket-*, hashcat, john, SharpHound, kube-hunter, peirates). We have created a macro named `linux_offsec_tool_processes` that contains the list of known offensive tooling found on linux systems. Adversaries commonly introduce these tools into compromised workloads to conduct discovery, lateral movement, credential access, or cluster reconnaissance. This behavior may indicate a compromised container or supply-chain abuse. Extra scrutiny is warranted for namespaces that do not typically run diagnostic scanners and for pods that suddenly begin invoking these binaries outside of normal maintenance activity.

MITRE ATT&CK

T1204.003

Detection Query

`cisco_isovalent_process_exec`  `linux_offsec_tool_processes`
| stats count
        min(_time) as firstTime
        max(_time) as lastTime
        values(process) as process
    by cluster_name container_id pod_name pod_namespace pod_image_name parent_process_name process_name process_exec process_id node_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___pods_running_offensive_tools_filter`

Author

Bhavin Patel, Splunk

Created

2026-03-10

Data Sources

Cisco Isovalent Process Exec

References

Tags

Cisco Isovalent Suspicious Activity
Raw Content
name: Cisco Isovalent - Pods Running Offensive Tools
id: e9d0b9e6-2f3c-4a8a-9d61-2b6f4a9c1c2e
version: 3
date: '2026-03-10'
author: Bhavin Patel, Splunk
type: Anomaly
data_source:
    - Cisco Isovalent Process Exec
status: production
description: The following analytic detects execution of known offensive tooling from within Kubernetes pods, including network scanners and post-exploitation frameworks (e.g., nmap, masscan, zmap, impacket-*, hashcat, john, SharpHound, kube-hunter, peirates). We have created a macro named `linux_offsec_tool_processes` that contains the list of known offensive tooling found on linux systems. Adversaries commonly introduce these tools into compromised workloads to conduct discovery, lateral movement, credential access, or cluster reconnaissance. This behavior may indicate a compromised container or supply-chain abuse. Extra scrutiny is warranted for namespaces that do not typically run diagnostic scanners and for pods that suddenly begin invoking these binaries outside of normal maintenance activity.
search: |
    `cisco_isovalent_process_exec`  `linux_offsec_tool_processes`
    | stats count
            min(_time) as firstTime
            max(_time) as lastTime
            values(process) as process
        by cluster_name container_id pod_name pod_namespace pod_image_name parent_process_name process_name process_exec process_id node_name
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `cisco_isovalent___pods_running_offensive_tools_filter`
how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior.
known_false_positives: Security testing, approved red team exercises, or sanctioned diagnostics can trigger this analytic. Coordinate allowlists and maintenance windows with platform/SecOps teams. Please update a macro named `linux_offsec_tool_processes` that contains the list of known offensive tooling found on linux systems if your environment has additional known offensive tools that are not included in the macro.
references:
    - https://dev.to/thenjdevopsguy/attacking-a-kubernetes-cluster-enter-red-team-mode-2onj
    - https://www.reddit.com/r/kubernetes/comments/l6e5yr/one_of_our_kubernetes_containers_was_compromised/
drilldown_searches:
    - name: View the detection results for - "$pod_name$"
      search: '%original_detection_search% | search pod_name = "$pod_name$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$pod_name$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Offensive tool execution [$process_name$] detected in pod [$pod_name$] on cluster [$cluster_name$]
    risk_objects:
        - field: pod_name
          type: system
          score: 20
    threat_objects:
        - field: process_name
          type: process_name
tags:
    analytic_story:
        - Cisco Isovalent Suspicious Activity
    asset_type: Endpoint
    mitre_attack_id:
        - T1204.003
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log
          source: not_applicable
          sourcetype: cisco:isovalent:processExec