Detection: Cisco Isovalent - Pods Running Offensive Tools

Updated Date: 2026-01-05 ID: e9d0b9e6-2f3c-4a8a-9d61-2b6f4a9c1c2e Author: Bhavin Patel, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic detects execution of known offensive tooling from within Kubernetes pods, including network scanners and post-exploitation frameworks (e.g., nmap, masscan, zmap, impacket-*, hashcat, john, SharpHound, kube-hunter, peirates). We have created a macro named linux_offsec_tool_processes that contains the list of known offensive tooling found on linux systems. Adversaries commonly introduce these tools into compromised workloads to conduct discovery, lateral movement, credential access, or cluster reconnaissance. This behavior may indicate a compromised container or supply-chain abuse. Extra scrutiny is warranted for namespaces that do not typically run diagnostic scanners and for pods that suddenly begin invoking these binaries outside of normal maintenance activity.

Search

 1`cisco_isovalent_process_exec`  `linux_offsec_tool_processes`
 2
 3| stats count 
 4        min(_time) as firstTime 
 5        max(_time) as lastTime 
 6        values(process) as process
 7    by cluster_name container_id pod_name pod_namespace pod_image_name parent_process_name process_name process_exec process_id node_name
 8
 9| `security_content_ctime(firstTime)`
10
11| `security_content_ctime(lastTime)`
12
13| `cisco_isovalent___pods_running_offensive_tools_filter`

Data Source

Name	Platform	Sourcetype	Source
Cisco Isovalent Process Exec	Other	`'cisco:isovalent:processExec'`	`'not_applicable'`

Macros Used

Name	Value
cisco_isovalent_process_exec	`sourcetype=cisco:isovalent:processExec`
/* --- Exploitation Frameworks --- */ "metasploit", "msfconsole", "msfvenom", "empire", "pupy", "covenant", "havoc", "sliver-client", "sliver-server", "poshc2", "mythic", "evilginx", "beef-xss",
/* --- Credential Access / Cracking --- */ "hydra", "medusa", "john", "hashcat", "crowbar", "patator", "mimikatz", "impacket-",
/* --- Reconnaissance / Enumeration --- */ "ldapdomaindump", "enum4linux", "smbclient", "smbmap", "crackmapexec", "bloodhound", "sharphound", "linpeas", "linenum", "pspy", "ldpreload",
/* --- Privilege Escalation / Persistence --- */ "peass-ng", "linpeas", "linux-exploit-suggester", "les", "exploitdb", "persistence", "dirtycow", "dirtypipe", "sudo_killer")`
cisco_isovalent___pods_running_offensive_tools_filter	`search *`

cisco_isovalent___pods_running_offensive_tools_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1204.003	Malicious Image	Execution

Installation

DE.AE

CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	True

This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior.

Known False Positives

Security testing, approved red team exercises, or sanctioned diagnostics can trigger this analytic. Coordinate allowlists and maintenance windows with platform/SecOps teams. Please update a macro named linux_offsec_tool_processes that contains the list of known offensive tooling found on linux systems if your environment has additional known offensive tools that are not included in the macro.

Associated Analytic Story

Cisco Isovalent Suspicious Activity

Risk Based Analytics (RBA)

Risk Message:

Offensive tool execution [$process_name$] detected in pod [$pod_name$] on cluster [$cluster_name$]

Risk Object	Risk Object Type	Risk Score	Threat Objects
pod_name	system	48	process_name

References

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`not_applicable`	`cisco:isovalent:processExec`
Integration	✅ Passing	Dataset	`not_applicable`	`cisco:isovalent:processExec`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1