
Delete Kubernetes events

Info

ID: MS-TA9022
Tactic: Defense Evasion
MITRE technique: T1070

A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster. Example events are a container creation, an image pull, or a pod scheduling on a node.

Kubernetes events can be very useful for identifying changes that occur in the cluster. Therefore, attackers may want to delete these events (e.g., by using “kubectl delete events --all”) in an attempt to avoid detection of their activity in the cluster.

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| MS-M9020 | Collect Logs to Remote Data Storage | Collect Kubernetes logs to a separate storage system. |
| MS-M9003 | Adhere to least-privilege principle | Restrict permissions to delete Kubernetes events. |
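
One way to detect this technique from logs kept in separate storage, as an added example that is not part of the original page: the function below scans Kubernetes API audit records (assumed to be `audit.k8s.io/v1` JSON, one record per line) for `delete` and `deletecollection` requests on events and counts them per user and namespace. The function name and the sample records are constructed for illustration.

```python
import json
from collections import Counter

EVENT_GROUPS = {"", "events.k8s.io"}        # events are served by both API groups
DELETE_VERBS = {"delete", "deletecollection"}

# Constructed sample records; user names, namespaces and IPs are made up.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"delete","user":{"username":"system:serviceaccount:dev:builder"},"objectRef":{"resource":"events","namespace":"dev","name":"web-1.17a"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"delete","user":{"username":"system:serviceaccount:dev:builder"},"objectRef":{"resource":"events","namespace":"dev","name":"web-1.17a"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"delete","user":{"username":"system:serviceaccount:dev:builder"},"objectRef":{"resource":"events","namespace":"dev","name":"web-1.17b"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"deletecollection","user":{"username":"system:serviceaccount:dev:builder"},"objectRef":{"resource":"events","apiGroup":"events.k8s.io","namespace":"dev"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"delete","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"dev","name":"web-1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"alice"},"objectRef":{"resource":"events","namespace":"dev"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"delete","user":{"username":"bob"},"objectRef":{"resource":"events","namespace":"dev","name":"web-1.17c"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"Respon
"""

def find_event_deletions(lines):
    """Count event deletion requests per (user, namespace, outcome)."""
    hits = Counter()
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue                         # skip truncated or non-JSON lines
        if not isinstance(entry, dict) or entry.get("stage") != "ResponseComplete":
            continue                         # one record per request, no double counting
        ref = entry.get("objectRef") or {}
        if entry.get("verb") not in DELETE_VERBS or ref.get("resource") != "events":
            continue
        if ref.get("apiGroup", "") not in EVENT_GROUPS:
            continue                         # ignore custom resources also named "events"
        code = (entry.get("responseStatus") or {}).get("code", 0)
        outcome = "allowed" if 200 <= code < 300 else "failed"
        user = (entry.get("user") or {}).get("username", "unknown")
        hits[(user, ref.get("namespace", "-"), outcome)] += 1
    return hits

if __name__ == "__main__":
    results = find_event_deletions(SAMPLE_AUDIT_LOG.splitlines())
    for (user, ns, outcome), count in sorted(results.items()):
        print(f"{count:3d} {outcome:8s} user={user} namespace={ns}")
```

Failed attempts are counted separately because a denied deletion shows the least-privilege restriction working while still being worth an alert.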