Update execution_suspicious_pod_or_container_creation_command_execution.toml

Aegrah · web-flow · commit 523ddb493b86 · 2025-12-01T11:16:26.000+01:00
diff --git a/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml b/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml
@@ -8,9 +8,9 @@ updated_date = "2025/12/01"
 author = ["Elastic"]
 description = """
 This rule detects the creation of pods or containers that execute suspicious commands often associated with persistence or
-privilege escalation techniques. Attackers may use container orchestration tools like Kubernetes ("kubectl") or container
-runtimes like Docker ("docker") to create pods or containers that run shell commands (e.g., "bash", "sh", "zsh") with
-arguments that indicate attempts to establish persistence (e.g., modifying startup scripts, creating backdoors).
+privilege escalation techniques. Attackers may use container orchestration tools like kubectl or container runtimes like
+docker to create pods or containers that run shell commands with arguments that indicate attempts to establish persistence
+(e.g., modifying startup scripts, creating backdoors).
 """
 from = "now-9m"
 index = [
