From 877714d3bbed5e646ddfa6a1bce2f4d9f70a5e26 Mon Sep 17 00:00:00 2001
From: Patrick
Date: Thu, 14 Dec 2023 14:31:10 +0100
Subject: [PATCH] Kubernetes Privileged Pod
---
.../kubernetes_privileged_pod.json | 3 +++
.../kubernetes_privileged_pod.yml | 11 +++++++++++
2 files changed, 14 insertions(+)
create mode 100644 datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json
create mode 100644 datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.yml
diff --git a/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json b/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json
new file mode 100644
index 00000000..c9f3a11b
--- /dev/null
+++ b/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7d82ba47ac8df48a7c2256406e4afe32f43dc0836c8aaeca876079831bb51e6e
+size 5107
diff --git a/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.yml b/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.yml
new file mode 100644
index 00000000..bd784544
--- /dev/null
+++ b/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.yml
@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: 462dfa0b-7aa4-4498-927b-8d9743141e3a
+date: '2023-12-14'
+description: Kubernetes audit logs which contains a creation of a privilged pod.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json
+sourcetypes:
+- aws:cloudwatchlogs
+references:
+- https://attack.mitre.org/techniques/T1204
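Review bot: The `description` value in kubernetes_privileged_pod.yml misspells "privileged" and has a grammar slip, which makes the dataset harder to find by keyword; I would write `description: Kubernetes audit logs that contain the creation of a privileged pod.` The only `sourcetypes` entry is `aws:cloudwatchlogs`, which suggests the audit events were collected from a cluster that ships its logs through CloudWatch; if that is the case, saying so in the description would tell detection authors which field layout to expect. The `dataset` URL follows the `master` branch, so the file a consumer downloads is not tied to the `oid sha256:` value committed in the sibling LFS pointer. Anyone replaying the data for detection testing may want to compare the download against that digest.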