Falco monitors container runtime behaviour across all K8s nodes and sends Critical events to ntfy topic homelab-security. This page explains how to read the alert, what every tag means, and what to do when one fires.
Rule: Terminal shell in container
Priority: Critical
Node: k8s-node2
NS: default
Pod: nginx-6d4cf56db6-x7k2p
Image: nginx:latest
User: root
Cmd: bash
Tags: container, shell, T1059, mitre_execution
| Field | What it tells you |
|---|---|
| Rule | The Falco rule name that fired |
| Priority | Severity: Debug / Info / Notice / Warning / Error / Critical (only Critical reaches ntfy) |
| Node | Which K8s node the event happened on |
| NS | Kubernetes namespace of the pod |
| Pod | Pod name — use this for kubectl investigation |
| Image | Container image — check if this is expected to do what was detected |
| User | OS user inside the container (root = 0, negative loginuid = non-interactive) |
| Cmd | The exact command or process that triggered the rule |
| File | File path involved (only present for file-based rules) |
| Tags | Rule classification — see sections below |
Tactics describe the attacker's goal — the "why". One alert can belong to multiple tactics.
| Tag | MITRE ID | What the attacker is trying to do |
|---|---|---|
mitre_execution |
TA0002 | Run malicious code (shell, scripts, binaries) |
mitre_persistence |
TA0003 | Keep access after restart (cron jobs, init scripts, backdoors) |
mitre_privilege_escalation |
TA0004 | Gain higher privileges (sudo, setuid, kernel exploits) |
mitre_defense_evasion |
TA0005 | Hide presence (log deletion, binary modification, rootkits) |
mitre_credential_access |
TA0006 | Steal credentials (reading /etc/shadow, dumping secrets) |
mitre_discovery |
TA0007 | Explore the environment (reading configs, listing processes, K8s API calls) |
mitre_lateral_movement |
TA0008 | Move to other systems (SSH from container, K8s exec) |
mitre_collection |
TA0009 | Gather data before exfiltration (reading files, compressing data) |
mitre_exfiltration |
TA0010 | Send stolen data out (unexpected outbound connections) |
mitre_command_and_control |
TA0011 | Communicate with attacker infrastructure (reverse shell, beacons) |
mitre_impact |
TA0040 | Destroy or disrupt systems (rm -rf, service stop, ransomware) |
Techniques describe the specific method used. More precise than tactics.
| Tag | Technique | Triggered by |
|---|---|---|
T1059 |
Command and Scripting Interpreter | Shell spawned in container (bash, sh, zsh) |
T1204 |
User Execution | Unexpected binary execution in container |
T1609 |
Container Administration Command | kubectl exec into a running pod |
T1610 |
Deploy Container | Unexpected new container started |
| Tag | Technique | Triggered by |
|---|---|---|
T1543 |
Create or Modify System Process | Writing to /etc/cron*, /etc/init.d/, systemd units |
T1525 |
Implant Internal Image | Modifying a container image in-place |
T1078 |
Valid Accounts | Login with unexpected or privileged account |
| Tag | Technique | Triggered by |
|---|---|---|
T1068 |
Exploitation for Privilege Escalation | Kernel exploit attempts, privilege escalation syscalls |
T1548 |
Abuse Elevation Control Mechanism | sudo usage, setuid binary execution, chmod u+s |
T1611 |
Escape to Host | Container writing to host paths, namespace escape attempts |
| Tag | Technique | Triggered by |
|---|---|---|
T1070 |
Indicator Removal | Deleting logs (/var/log/), clearing bash history |
T1222 |
File and Directory Permissions Modification | chmod/chown on sensitive files |
T1553 |
Subvert Trust Controls | Modifying /etc/ssl/certs/, CA certificate manipulation |
T1554 |
Compromise Client Software Binary | Overwriting system binaries (/bin/, /usr/bin/) |
T1218 |
System Binary Proxy Execution | Using trusted binaries to run untrusted code (LOLBAS) |
| Tag | Technique | Triggered by |
|---|---|---|
T1552 |
Unsecured Credentials | Reading .env files, K8s secrets, cloud credentials |
T1555 |
Credentials from Password Stores | Reading /etc/shadow, /etc/passwd, SSH private keys |
T1557 |
Adversary-in-the-Middle | iptables modification, ARP poisoning tools |
| Tag | Technique | Triggered by |
|---|---|---|
T1613 |
Container and Resource Discovery | Reading K8s API, listing pods/secrets via kubectl |
T1133 |
External Remote Services | Unexpected outbound connection to external endpoints |
| Tag | Technique | Triggered by |
|---|---|---|
T1563 |
Remote Service Session Hijacking | SSH from inside a container, unexpected remote access |
| Tag | Technique | Triggered by |
|---|---|---|
T1560 |
Archive Collected Data | tar, zip, gzip on sensitive directories |
| Tag | Technique | Triggered by |
|---|---|---|
T1105 |
Ingress Tool Transfer | curl, wget, nc downloading executables into container |
| Tag | Technique | Triggered by |
|---|---|---|
T1485 |
Data Destruction | rm -rf on data directories, shred, truncate on important files |
T1489 |
Service Stop | Killing critical processes, stopping services |
T1496 |
Resource Hijacking | Outbound connections to crypto miner pool ports (3333, 14444, etc.) |
T1565 |
Data Manipulation | Writing to database files, modifying config files |
T1612 |
Build Image on Host | Running docker build inside a container |
These describe what type of system resource was involved. Not MITRE — just Falco's own classification.
| Tag | Meaning |
|---|---|
container |
Event happened inside a container (not the host OS) |
host |
Event happened directly on the K8s node host |
shell |
A shell process (bash, sh, zsh, fish) was involved |
filesystem |
File system read/write/permission change |
network |
Outbound or inbound network connection |
process |
Process spawning or execution |
users |
User account creation, modification, or unexpected login |
database |
Access to database data files (MySQL, Postgres data dirs) |
k8s |
Kubernetes API server audit event (kubectl commands) |
syscall |
Detected via raw system call interception (eBPF) |
cis |
Violates a CIS Kubernetes Benchmark control |
pci_dss |
Relevant to PCI-DSS compliance scope |
gdpr |
Relevant to GDPR compliance scope |
Every Falco rule has a maturity level. Higher maturity = lower false positive rate.
| Tag | Meaning | False Positive Rate | Action |
|---|---|---|---|
maturity_stable |
Well-tested rule, in production use by many orgs | Low | Take seriously, investigate promptly |
maturity_incubating |
Newer rule, may need tuning for your environment | Medium | Investigate but verify before escalating |
maturity_sandbox |
Experimental — enabled for detection research only | High | Note the pattern, but verify carefully before acting |
These are the rules most likely to fire in this homelab at Critical priority.
Rule: Terminal shell in container
Tags: container, shell, T1059, mitre_execution
What happened: Someone or something spawned an interactive shell (bash/sh) inside a running container with a TTY attached — exactly what kubectl exec -it does.
Legitimate cause: You ran kubectl exec -it <pod> -- bash for debugging.
Malicious cause: An attacker gained RCE via a web vulnerability and opened a reverse shell.
Check: Was this you? Cross-reference with the pod name and time. If unexpected, isolate the pod immediately:
kubectl delete pod <pod-name> -n <namespace>
Rule: Container Drift Detected (chmod)
Tags: container, T1204, mitre_execution, maturity_incubating
What happened: A new executable appeared in the container that was not part of the original image — and then chmod +x was called on it. This is a classic indicator of malware being dropped into a running container.
Legitimate cause: Almost never legitimate. Init scripts that install tools should be in the Dockerfile.
Malicious cause: Attacker uploaded a payload via a file upload vulnerability or wget/curl.
Check: Inspect what file was created:
kubectl exec -n <ns> <pod> -- find / -newer /proc/1 -type f -executable 2>/dev/null
Rule: Fileless execution via memfd_create
Tags: process, T1620, mitre_defense_evasion, maturity_stable
What happened: A process created an anonymous in-memory file using memfd_create() and then executed it. This is a fileless malware technique specifically designed to evade disk-based scanners — the payload never touches the filesystem.
Legitimate cause: Rare. Some JIT runtimes use this (Go, Java). Check if the image is expected to do JIT compilation.
Malicious cause: Shellcode loader, in-memory malware stage.
Action: High confidence malicious. Isolate immediately.
Rule: Read sensitive file untrusted
Tags: filesystem, T1555, mitre_credential_access, maturity_stable
What happened: A non-privileged or unexpected process read a sensitive file like /etc/shadow, /etc/sudoers, SSH private keys, or cloud credential files.
Common files: /etc/shadow, /etc/sudoers, /root/.ssh/id_rsa, ~/.aws/credentials, ~/.kube/config
Check: Is the Cmd field a known legitimate tool? If it's cat, grep, or an unexpected binary — investigate.
Rule: Detect outbound connections to common miner pool ports
Tags: network, T1496, mitre_impact, maturity_stable
What happened: A container made an outbound TCP connection to a known cryptocurrency mining pool port (3333, 4444, 5555, 7777, 14444, 45560).
Legitimate cause: None. No legitimate workload connects to mining pools.
Action: The pod is compromised. Delete it immediately, check image in Harbor for tampering:
kubectl delete pod <pod> -n <ns> --force
Rule: Symlink Created Over Sensitive Files
Tags: filesystem, T1548, mitre_privilege_escalation, maturity_stable
What happened: A symlink was created pointing from a sensitive file (/etc/passwd, /etc/cron.d/, /etc/shadow) to an attacker-controlled file — a classic privilege escalation / persistence technique.
Action: High confidence malicious. Isolate pod, check the host for the symlink.
# Check what the pod was doing (recent logs)
kubectl logs -n <ns> <pod> --tail=100
# Get a shell-free snapshot of running processes
kubectl exec -n <ns> <pod> -- ps aux
# List recently modified files in the container
kubectl exec -n <ns> <pod> -- find / -newer /proc/1 -not -path /proc -not -path /sys -type f 2>/dev/null
# Check outbound network connections
kubectl exec -n <ns> <pod> -- ss -tnp
# Describe the pod (check for hostPath mounts, privileged mode)
kubectl describe pod -n <ns> <pod>
# Cordon the node to prevent new pod scheduling while investigating
kubectl cordon <node-name>
# Delete a compromised pod immediately (use --force if stuck Terminating)
kubectl delete pod -n <ns> <pod> --force --grace-period=0
# Check Falco raw logs on the node where the event fired
kubectl logs -n falco -l app.kubernetes.io/name=falco --field-selector spec.nodeName=<node> --tail=50
| Item | Location |
|---|---|
| ArgoCD Application | core-components/falco/application.yaml |
| Helm values (rules, sidekick, ntfy template) | core-components/falco/values.yaml |
| VSO ntfy secret | core-components/falco/resources/ntfy-vaultstaticsecret.yaml |
| Vault secret path | kv/falco/ntfy (key: token) |
| ntfy topic | homelab-security |
| Minimum ntfy priority | critical (Warning/Error go to VictoriaLogs only) |