Privilege Escalation: Launch of privileged Kubernetes container
Premium and Enterprise service tiers
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
A potentially malicious actor created a Pod that contains privileged
containers or containers with privilege escalation capabilities.
A privileged container has the privileged field of its securityContext set to
true, which gives its processes access to all devices on the host and, in
effect, the same access as a root process on the node. A container with
privilege escalation capabilities has the allowPrivilegeEscalation field set to
true, which lets a process gain more privileges than its parent (the
no_new_privs flag is not set on the container process). Both fields belong to
the container-level securityContext, not the Pod-level one, so each container
in the Pod has to be checked; a privileged container always allows privilege
escalation regardless of how allowPrivilegeEscalation is set. For more
information, see the SecurityContext v1 core API reference in the Kubernetes
documentation.
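The following is an added example, not code from the Security Command Center page or from Google: it audits a Pod object for the two conditions described above, so you can re-check the Pod named in a finding or sweep a cluster for others like it. The Pod JSON is constructed for the example in the shape of `kubectl get pod -o json` output; the function and container names are assumptions, not anything the finding defines. The `web` container shows the hardened shape (allowPrivilegeEscalation false, all capabilities dropped) for contrast.

```python
"""Audit a Pod for privileged containers and containers that allow
privilege escalation. Added example; the sample Pod below is constructed
and is not a real cluster object."""
import json

# Constructed sample Pod: one init container that allows escalation,
# one privileged app container, one hardened app container.
SAMPLE_POD_JSON = """
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "debug-tools", "namespace": "default"},
  "spec": {
    "initContainers": [
      {"name": "setup", "image": "busybox",
       "securityContext": {"allowPrivilegeEscalation": true}}
    ],
    "containers": [
      {"name": "shell", "image": "alpine",
       "securityContext": {"privileged": true}},
      {"name": "web", "image": "nginx",
       "securityContext": {"allowPrivilegeEscalation": false,
                           "capabilities": {"drop": ["ALL"]}}}
    ]
  }
}
"""


def container_risks(container):
    """Return the reasons a single container would match this finding.

    'privileged': securityContext.privileged is true.
    'allowPrivilegeEscalation': the field is explicitly true, or it is implied
    because the container is privileged or adds CAP_SYS_ADMIN (Kubernetes
    forces allowPrivilegeEscalation to true in both of those cases).
    """
    sc = container.get("securityContext") or {}
    added_caps = (sc.get("capabilities") or {}).get("add") or []
    privileged = sc.get("privileged") is True
    has_sys_admin = any(c in ("SYS_ADMIN", "CAP_SYS_ADMIN") for c in added_caps)
    reasons = []
    if privileged:
        reasons.append("privileged")
    if sc.get("allowPrivilegeEscalation") is True or privileged or has_sys_admin:
        reasons.append("allowPrivilegeEscalation")
    return reasons


def audit_pod(pod):
    """Check every container slot in the Pod and return {slot/name: reasons}
    for the containers that match. Init and ephemeral containers carry their
    own securityContext, so they are checked as well."""
    matches = {}
    spec = pod.get("spec", {})
    for slot in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(slot, []):
            reasons = container_risks(c)
            if reasons:
                matches[f"{slot}/{c['name']}"] = reasons
    return matches


def audit_pod_json(text):
    """Convenience wrapper: audit a Pod given as a JSON document."""
    return audit_pod(json.loads(text))


def main():
    pod = json.loads(SAMPLE_POD_JSON)
    where = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
    for name, reasons in audit_pod(pod).items():
        print(f"{where} {name}: {', '.join(reasons)}")


if __name__ == "__main__":
    main()
```

To sweep a live cluster, feed each element of `.items` from `kubectl get pods -A -o json` to `audit_pod`; anything it reports in a namespace that is not expected to run privileged workloads deserves the same triage as the finding itself.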
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
Open the Privilege Escalation: Launch of privileged Kubernetes container
finding as directed in Reviewing findings.
The details panel for the finding opens to the Summary tab.
On the Summary tab, review the information in the following sections:
What was detected, especially the following fields:
Principal email: the account that made the call.
Kubernetes pods: the newly created Pod with privileged containers.
Affected resource, especially the following fields:
Resource display name: the Kubernetes cluster where the action
occurred.
Related links, especially the following fields:
Cloud Logging URI: link to Logging entries.
MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
Related findings: links to any related findings.
On the JSON tab, note the values of the finding fields:
findings.kubernetes.pods[].containers: the privileged containers found in the
Pod.
Step 2: Check logs
On the Summary tab of the finding details in the
Google Cloud console, go to Logs Explorer by clicking the link in the
Cloud Logging URI field.
Check for other actions taken by the principal by using the following
filters:
resource.labels.cluster_name="CLUSTER_NAME"
protoPayload.authenticationInfo.principalEmail="PRINCIPAL_EMAIL"
Replace the following:
CLUSTER_NAME: the value that you noted in the Resource display name field in
the finding details.
PRINCIPAL_EMAIL: the value that you noted in the Principal email field in the
finding details.
Step 3: Research attack and response methods
Review MITRE ATT&CK framework entries for this finding type: Privilege
Escalation (TA0004, https://attack.mitre.org/tactics/TA0004/).
Confirm that the container created requires access to host resources and
kernel capabilities.
Determine whether there are other signs of malicious activity by the principal
in the logs.
If the principal email isn't a service account, contact the owner of the
account to confirm whether the legitimate owner conducted the action.
If the principal email is a service account (IAM or Kubernetes), identify the
source of the action to determine its legitimacy.
To develop a response plan, combine your investigation results with MITRE
research.
What's next
Learn how to work with threat findings in Security Command Center.
Refer to the Threat findings index.
Learn how to review a finding through the Google Cloud console.
Learn about the services that generate threat findings.
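The following is an added example, not code from the Security Command Center page or from Google: it applies the two Step 2 filters to exported GKE audit log entries and supports the Step 3 checks (other actions by the same principal, and whether the principal is a user, an IAM service account, or a Kubernetes service account). The log entries are constructed for the example in the shape of Cloud Audit Logs for GKE (resource.labels.cluster_name, protoPayload.methodName, protoPayload.authenticationInfo.principalEmail, protoPayload.request); the principal names, cluster names, timestamps and method names in them are invented, and the function names are assumptions.

```python
"""Triage exported GKE audit log entries for one principal in one cluster.
Added example; the entries below are constructed, not real logs."""

# Constructed sample entries in the shape of GKE Cloud Audit Logs.
CONSTRUCTED_LOG_ENTRIES = [
    {   # the Pod creation behind the finding
        "timestamp": "2025-08-29T10:02:11Z",
        "resource": {"type": "k8s_cluster",
                     "labels": {"cluster_name": "prod-east", "project_id": "example-project"}},
        "protoPayload": {
            "methodName": "io.k8s.core.v1.pods.create",
            "resourceName": "core/v1/namespaces/default/pods/debug-tools",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "request": {"spec": {"containers": [
                {"name": "shell", "image": "alpine",
                 "securityContext": {"privileged": True}}]}},
        },
    },
    {   # same principal, same cluster, a few minutes later
        "timestamp": "2025-08-29T10:05:40Z",
        "resource": {"type": "k8s_cluster",
                     "labels": {"cluster_name": "prod-east", "project_id": "example-project"}},
        "protoPayload": {
            "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.create",
            "resourceName": "rbac.authorization.k8s.io/v1/clusterrolebindings/debug-admin",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "request": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
        },
    },
    {   # same principal, different cluster: dropped by the cluster_name filter
        "timestamp": "2025-08-29T10:06:02Z",
        "resource": {"type": "k8s_cluster",
                     "labels": {"cluster_name": "dev-west", "project_id": "example-project"}},
        "protoPayload": {
            "methodName": "io.k8s.core.v1.pods.delete",
            "resourceName": "core/v1/namespaces/default/pods/old-job",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
        },
    },
    {   # different principal (a Kubernetes service account), same cluster
        "timestamp": "2025-08-29T10:01:00Z",
        "resource": {"type": "k8s_cluster",
                     "labels": {"cluster_name": "prod-east", "project_id": "example-project"}},
        "protoPayload": {
            "methodName": "io.k8s.core.v1.pods.create",
            "resourceName": "core/v1/namespaces/ci/pods/build-7",
            "authenticationInfo": {"principalEmail": "system:serviceaccount:ci:deployer"},
            "request": {"spec": {"containers": [
                {"name": "build", "image": "builder",
                 "securityContext": {"allowPrivilegeEscalation": True}}]}},
        },
    },
]


def matches_filters(entry, cluster_name, principal_email):
    """The two Step 2 Logs Explorer filters as one predicate:
    resource.labels.cluster_name="CLUSTER_NAME" AND
    protoPayload.authenticationInfo.principalEmail="PRINCIPAL_EMAIL"."""
    labels = entry.get("resource", {}).get("labels", {})
    auth = entry.get("protoPayload", {}).get("authenticationInfo", {})
    return (labels.get("cluster_name") == cluster_name
            and auth.get("principalEmail") == principal_email)


def principal_kind(principal_email):
    """Classify the principal for Step 3. Kubernetes service accounts appear as
    system:serviceaccount:NAMESPACE:NAME; IAM service accounts end in
    gserviceaccount.com; anything else is treated as a user account."""
    if principal_email.startswith("system:serviceaccount:"):
        return "kubernetes-service-account"
    if principal_email.endswith("gserviceaccount.com"):
        return "iam-service-account"
    return "user"


def risky_containers(entry):
    """Names of containers in a pods.create request whose securityContext sets
    privileged or allowPrivilegeEscalation to true. Empty for other methods."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "io.k8s.core.v1.pods.create":
        return []
    spec = payload.get("request", {}).get("spec", {})
    names = []
    for slot in ("initContainers", "containers"):
        for c in spec.get(slot, []):
            sc = c.get("securityContext") or {}
            if sc.get("privileged") is True or sc.get("allowPrivilegeEscalation") is True:
                names.append(c["name"])
    return names


def triage(entries, cluster_name, principal_email):
    """Everything the principal did in the cluster, oldest first, with the
    privileged-container check applied to each Pod creation."""
    selected = [e for e in entries if matches_filters(e, cluster_name, principal_email)]
    selected.sort(key=lambda e: e["timestamp"])
    return [{
        "timestamp": e["timestamp"],
        "method": e["protoPayload"]["methodName"],
        "resource": e["protoPayload"].get("resourceName", ""),
        "risky_containers": risky_containers(e),
    } for e in selected]


def main():
    principal = "alice@example.com"
    print(f"{principal}: {principal_kind(principal)}")
    for row in triage(CONSTRUCTED_LOG_ENTRIES, "prod-east", principal):
        flag = ""
        if row["risky_containers"]:
            flag = " PRIVILEGED:" + ",".join(row["risky_containers"])
        print(f'{row["timestamp"]} {row["method"]} {row["resource"]}{flag}')


if __name__ == "__main__":
    main()
```

In the constructed data the same principal creates a cluster-admin ClusterRoleBinding three minutes after the privileged Pod, which is the kind of follow-on action Step 3 asks you to look for; in a real investigation, load the entries you exported from Logs Explorer into `triage` in place of the constructed list.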