Detect Suspicious ‘exec’ Commands in kube-system Namespace

Diagram showing a command prompt with kubectl exec leading to a blue kube-system namespace node. Dashed red and blue lines indicate connections or paths, with the upwind logo at the top left.
Denise Ashur

By Denise Ashur

Apr 10, 2024

We are excited to announce the release of a new threat detection type – exec command in a kube-system namespace.

This detection alerts you that kubectl exec has run a command in your environment in the kube-system namespace, which may indicate a suspicious activity. 

What is Kubectl Exec?

Kubectl is a command line tool used to communicate with Kubernetes clusters via the Kubernetes API. This is an admin tool for Kubernetes clusters that can be used to monitor Kubernetes status, manage and edit resources. 

Kubectl exec gives you full shell access to the container, meaning you can execute commands inside a container directly from kubectl. Before you use kubectl exec to execute a command in a container, you need to know the container namespaces in the cluster. kubectl exec is a powerful tool, it is primarily used for inspecting containers and viewing containers’ status and contents.

Indicators of Compromise

While kubectl exec is used for improving container monitoring and performance, it can also be used by bad actors even if one token of your kubernetes has gotten into the wrong hands. 

Screenshot-2024-04-04-at-3.21.14 PM-1024x560

One sign of compromise can be if kubectl exec is used to execute a command in the kube-system namespace. The kube-system namespace is a default namespace that is used mostly for system-level components like kube-dns and kube-proxy. It is very unusual to execute commands inside pods or containers in the kube-system namespace because they should be immutable at runtime and acquire high permissions by default and have access to secrets and control-plane resources.

A kube-system attack often includes:

  1. An attacker uses kubectl exec in the kube-system namespace, which has high permissions by default
  2. The attacker then uses kubectl exec to run the exec command in a pod and establish a temporary shell session
  3. Using kubectl exec and a temporary shell session then gives the attacker the ability to execute any process or command in the pod. 
  4. The attacker then uses the interactive shell to run commands and gain access into the pod’s data, including permissions and secrets. 

Upwind leverages runtime data to rapidly identify unusual kubectl exec commands run in the kube-system namespace and immediately alert you to suspicious activity. Read more about Kubectl Exec detections in the Upwind Documentation Center.

Detect Suspicious ‘exec’ Commands in kube-system Namespace

Further Reading

Illustration of a grid with two purple icons: a house on the left and a fingerprint on the right. The top left corner features the word upwind in black lowercase letters with a purple accent. The background is light with faint outlines.
Product

Introducing Upwind Dashboards: Simplify Security Monitoring & Reporting

Joshua

By Joshua Burgin

Dec 30, 2024

We are introducing four powerful new dashboards in the Upwind platform to simplify monitoring and reporting for security executives. These four new dashboards each offer a high-level overview of security risk, performance over time, and prioritized risk analysis to focus you on what matters most.  Home Dashboard  This dashboard is Upwind’s new home page, providing executives with […]

Diagram featuring colorful, dotted paths connecting cloud and security icons, including AWS. The upwind logo is in the top left corner. The background is white.
Product

How Upwind Leverages AWS CloudTrail for Enhanced Threat Detection Capabilities

Denise Ashur

By Denise Ashur

Dec 11, 2024

As a part of Upwind’s runtime-powered threat detection capabilities, the Upwind Platform integrates seamlessly with AWS CloudTrail to provide real-time monitoring and detection of cloud logs. By leveraging AWS CloudTrail Logs generated at runtime, Upwind is able to provide deep runtime context and automatically alert you to suspicious or malicious log events. What is CloudTrail? […]

Diagram showing a grid of 25 pink circles with warning symbols on the left transforming into a grid of 25 circles with only two pink warning symbols on the right. Arrows indicate transition from left to right. Upwind is in the top left corner.
Product

Introducing The Next Generation of Shift Left Security, Powered by Runtime

Joshua

By Joshua Burgin

Dec 05, 2024

Today, we’re thrilled to introduce Upwind Shift Left – a major new capability in the Upwind platform that brings the power of runtime intelligence to CI/CD pipelines, transforming how teams secure their software at every step. By marrying real-world runtime context with build-time best practices, this next-generation solution redefines shift left for modern cloud security. […]

Stay in touch

Product

CNAPP
Vulnerability Management
CSPM
Container Security
CWPP
CDR
API Security
Identity Security

General

About
Contact
Careers
Feed
Events
Case Studies
Get A Demo
Glossary

Social

Twitter
LinkedIn
Facebook

Resources

Documentation

Privacy Policy
Terms of Use

© 2025, Upwind Security