The defense evasion tactic consists of techniques that are used by attackers to avoid detection and hide their activity.
Clear container logs
Attackers may delete the application or OS logs on a compromised container in an attempt to prevent detection of their activity.
Delete Kubernetes events
A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster. Example events are a container creation, an image pull, or a pod scheduling on a node.
Kubernetes events can be very useful for identifying changes that occur in the cluster. Therefore, attackers may want to delete these events (e.g., by using: “kubectl delete events–all”) in an attempt to avoid detection of their activity in the cluster.
Pod / container name similarity
Pods that are created by controllers such as Deployment or DaemonSet have random suffix in their names. Attackers can use this fact and name their backdoor pods as they were created by the existing controllers. For example, an attacker could create a malicious pod named coredns-{random suffix} which would look related to the CoreDNS Deployment.
Also, attackers can deploy their containers in the kube-system namespace where the administrative containers reside.
The defense evasion tactic consists of techniques that are used by attackers to avoid detection and hide their activity.
Clear container logs
Attackers may delete the application or OS logs on a compromised container in an attempt to prevent detection of their activity.
Delete Kubernetes events
A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster. Example events are a container creation, an image pull, or a pod scheduling on a node.
Kubernetes events can be very useful for identifying changes that occur in the cluster. Therefore, attackers may want to delete these events (e.g., by using: “kubectl delete events–all”) in an attempt to avoid detection of their activity in the cluster.
Pod / container name similarity
Pods that are created by controllers such as Deployment or DaemonSet have random suffix in their names. Attackers can use this fact and name their backdoor pods as they were created by the existing controllers. For example, an attacker could create a malicious pod named coredns-{random suffix} which would look related to the CoreDNS Deployment.
Also, attackers can deploy their containers in the kube-system namespace where the administrative containers reside.