Sigma rules for CVE-2019-1002101
24 rules · scoped to cve · back to CVE-2019-1002101
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Kubernetes Events Deleted
id: 3132570d-cab2-4561-9ea6-1743644b2290
related:
- id: 225d8b09-e714-479c-a0e4-55e6f29adf35
type: derived
status: test
description: |
Detects when events are deleted in Kubernetes.
An adversary may delete Kubernetes events in an attempt to evade detection.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.stealth
- attack.t1070
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'delete'
objectRef.resource: 'events'
condition: selection
falsepositives:
- Unknown
level: medium
title: Kubernetes Admission Controller Modification
id: eed82177-38f5-4299-8a76-098d50d225ab
related:
- id: 6ad91e31-53df-4826-bd27-0166171c8040
type: similar
status: test
description: |
Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
references:
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
- https://security.padok.fr/en/blog/kubernetes-webhook-attackers
author: kelnage
date: 2024-07-11
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078
- attack.credential-access
- attack.t1552
- attack.t1552.007
logsource:
product: kubernetes
service: audit
detection:
selection:
objectRef.apiGroup: 'admissionregistration.k8s.io'
objectRef.resource:
- 'mutatingwebhookconfigurations'
- 'validatingwebhookconfigurations'
verb:
- 'create'
- 'delete'
- 'patch'
- 'replace'
- 'update'
condition: selection
falsepositives:
- Modifying the Kubernetes Admission Controller may need to be done by a system administrator.
- Automated processes may need to take these actions and may need to be filtered.
level: medium
title: Kubernetes CronJob/Job Modification
id: 0c9b3bda-41a6-4442-9345-356ae86343dc
related:
- id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435
type: similar
status: test
description: |
Detects when a Kubernetes CronJob or Job is created or modified.
A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule.
An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.
references:
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
- https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob
author: kelnage
date: 2024-07-11
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
logsource:
product: kubernetes
service: audit
detection:
selection:
objectRef.apiGroup: 'batch'
objectRef.resource:
- 'cronjobs'
- 'jobs'
verb:
- 'create'
- 'delete'
- 'patch'
- 'replace'
- 'update'
condition: selection
falsepositives:
- Modifying a Kubernetes Job or CronJob may need to be done by a system administrator.
- Automated processes may need to take these actions and may need to be filtered.
level: medium
title: Kubernetes Potential Enumeration Activity
id: 597a7e84-187d-458b-9e4f-2f5a0e676711
status: experimental
description: |
Detects potential Kubernetes enumeration or attack activity via the audit log.
This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests.
Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
references:
- https://www.nccgroup.com/research/detection-engineering-for-kubernetes-clusters/
- https://github.com/trufflesecurity/trufflehog
- https://github.com/corneliusweig/rakkess
author: uniqu3-us3r
date: 2026-04-28
tags:
- attack.execution
- attack.discovery
- attack.t1609
- attack.t1613
logsource:
product: kubernetes
service: audit
detection:
selection_status:
responseStatus.code: 'ALLOW'
selection_request_uri:
requestURI|contains:
# Shells Encoded
- '%2fbin%2fash'
- '%2fbin%2fbash'
- '%2fbin%2fbusybox'
- '%2fbin%2fdash'
- '%2fbin%2fsh'
- '%2fbin%2fzsh'
# Shells Plain
- '/bin/ash'
- '/bin/bash'
- '/bin/busybox'
- '/bin/dash'
- '/bin/sh'
- '/bin/zsh'
# Tools Encoded
- '%2fusr%2fbin%2fcurl'
- '%2fusr%2fbin%2fkubectl'
- '%2fusr%2fbin%2fperl'
- '%2fusr%2fbin%2fpython'
- '%2fusr%2fbin%2fwget'
# Tools Plain
- '/usr/bin/curl'
- '/usr/bin/kubectl'
- '/usr/bin/perl'
- '/usr/bin/python'
- '/usr/bin/wget'
selection_request_user_agent:
userAgent|contains:
- 'access_matrix' # Rakkess
- 'trufflehog' # Secret scanning tool
- 'azurehound' # Azure/Cloud discovery
- 'micro-scanner' # Vulnerability scanning
condition: selection_status and 1 of selection_request_*
falsepositives:
- Authorized administrative maintenance via kubectl
- Automated internal infrastructure monitoring and certificate rotation
- Security-approved vulnerability or secret scanning in DevSecOps pipelines
level: medium
title: Kubernetes Secrets Modified or Deleted
id: 58d31a75-a4f8-4c40-985b-373d58162ca2
related:
- id: 2f0bae2d-bf20-4465-be86-1311addebaa3
type: similar
status: test
description: |
Detects when Kubernetes Secrets are Modified or Deleted.
references:
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/
author: kelnage
date: 2024-07-11
tags:
- attack.credential-access
logsource:
product: kubernetes
service: audit
detection:
selection:
objectRef.resource: 'secrets'
verb:
- 'create'
- 'delete'
- 'patch'
- 'replace'
- 'update'
condition: selection
falsepositives:
- Secrets being modified or deleted may be performed by a system administrator.
- Automated processes may need to take these actions and may need to be filtered.
level: medium
title: Kubernetes Rolebinding Modification
id: 10b97915-ec8d-455f-a815-9a78926585f6
related:
- id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
type: similar
status: test
description: |
Detects when a Kubernetes Rolebinding is created or modified.
references:
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
- https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab
author: kelnage
date: 2024-07-11
tags:
- attack.privilege-escalation
logsource:
product: kubernetes
service: audit
detection:
selection:
objectRef.apiGroup: 'rbac.authorization.k8s.io'
objectRef.resource:
- 'clusterrolebindings'
- 'rolebindings'
verb:
- 'create'
- 'delete'
- 'patch'
- 'replace'
- 'update'
condition: selection
falsepositives:
- Modifying a Kubernetes Rolebinding may need to be done by a system administrator.
- Automated processes may need to take these actions and may need to be filtered.
level: medium
title: Azure Kubernetes Sensitive Role Access
id: 818fee0c-e0ec-4e45-824e-83e4817b0887
status: test
description: Identifies when ClusterRoles/Roles are being modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION
condition: selection
falsepositives:
- ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes Network Policy Change
id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43
status: test
description: Identifies when a Azure Kubernetes network policy is modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.credential-access
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE
condition: selection
falsepositives:
- Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes Secret or Config Object Access
id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
status: test
description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE
condition: selection
falsepositives:
- Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes Pods Deleted
id: b02f9591-12c3-4965-986a-88028629b2e1
status: test
description: Identifies the deletion of Azure Kubernetes Pods.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-08-23
tags:
- attack.impact
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE
condition: selection
falsepositives:
- Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes CronJob
id: 1c71e254-6655-42c1-b2d6-5e4718d7fc0a
status: test
description: |
Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.
Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.
An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
- https://kubernetes.io/docs/concepts/workloads/controllers/job/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
author: Austin Songer @austinsonger
date: 2021-11-22
modified: 2022-12-18
tags:
- attack.persistence
- attack.t1053.003
- attack.privilege-escalation
- attack.execution
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName|startswith:
- 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH'
- 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH'
operationName|endswith:
- '/CRONJOBS/WRITE'
- '/JOBS/WRITE'
condition: selection
falsepositives:
- Azure Kubernetes CronJob/Job may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes Service Account Modified or Deleted
id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
status: test
description: Identifies when a service account is modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.t1531
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION
condition: selection
falsepositives:
- Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes Events Deleted
id: 225d8b09-e714-479c-a0e4-55e6f29adf35
status: test
description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-08-23
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
condition: selection
falsepositives:
- Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743
status: test
description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.credential-access
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE
condition: selection
falsepositives:
- RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes Admission Controller
id: a61a3c56-4ce2-4351-a079-88ae4cbd2b58
status: test
description: |
Identifies when an admission controller is executed in Azure Kubernetes.
A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.
The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.
An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.
For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.
An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.
An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-18
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078
- attack.credential-access
- attack.t1552
- attack.t1552.007
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName|startswith:
- 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'
- 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'
operationName|endswith:
- '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE'
- '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE'
condition: selection
falsepositives:
- Azure Kubernetes Admissions Controller may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Google Cloud Kubernetes RoleBinding
id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
status: test
description: Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.
references:
- https://github.com/elastic/detection-rules/pull/1267
- https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole
- https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
author: Austin Songer @austinsonger
date: 2021-08-09
modified: 2022-10-09
tags:
- attack.credential-access
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- io.k8s.authorization.rbac.v*.clusterrolebindings.create
- io.k8s.authorization.rbac.v*.rolebindings.create
- io.k8s.authorization.rbac.v*.clusterrolebindings.patch
- io.k8s.authorization.rbac.v*.rolebindings.patch
- io.k8s.authorization.rbac.v*.clusterrolebindings.update
- io.k8s.authorization.rbac.v*.rolebindings.update
- io.k8s.authorization.rbac.v*.clusterrolebindings.delete
- io.k8s.authorization.rbac.v*.rolebindings.delete
condition: selection
falsepositives:
- RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Google Cloud Kubernetes Admission Controller
id: 6ad91e31-53df-4826-bd27-0166171c8040
status: test
description: |
Identifies when an admission controller is executed in GCP Kubernetes.
A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.
The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.
An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.
For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.
An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
references:
- https://cloud.google.com/kubernetes-engine/docs
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-18
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078
- attack.credential-access
- attack.t1552
- attack.t1552.007
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v'
gcp.audit.method_name|contains:
- '.mutatingwebhookconfigurations.'
- '.validatingwebhookconfigurations.'
gcp.audit.method_name|endswith:
- 'create'
- 'patch'
- 'replace'
condition: selection
falsepositives:
- Google Cloud Kubernetes Admission Controller may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Google Cloud Kubernetes Secrets Modified or Deleted
id: 2f0bae2d-bf20-4465-be86-1311addebaa3
status: test
description: Identifies when the Secrets are Modified or Deleted.
references:
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
author: Austin Songer @austinsonger
date: 2021-08-09
modified: 2022-10-09
tags:
- attack.credential-access
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- io.k8s.core.v*.secrets.create
- io.k8s.core.v*.secrets.update
- io.k8s.core.v*.secrets.patch
- io.k8s.core.v*.secrets.delete
condition: selection
falsepositives:
- Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Google Cloud Kubernetes CronJob
id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435
status: test
description: |
Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.
Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.
An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
references:
- https://cloud.google.com/kubernetes-engine/docs
- https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
- https://kubernetes.io/docs/concepts/workloads/controllers/job/
author: Austin Songer @austinsonger
date: 2021-11-22
modified: 2022-12-25
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- io.k8s.api.batch.v*.Job
- io.k8s.api.batch.v*.CronJob
condition: selection
falsepositives:
- Google Cloud Kubernetes CronJob/Job may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Deployment Deleted From Kubernetes Cluster
id: 40967487-139b-4811-81d9-c9767a92aa5a
status: test
description: |
Detects the removal of a deployment from a Kubernetes cluster.
This could indicate disruptive activity aiming to impact business operations.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.t1498
- attack.impact
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'delete'
objectRef.resource: 'deployments'
condition: selection
falsepositives:
- Unknown
level: low
title: Kubernetes Unauthorized or Unauthenticated Access
id: 0d933542-1f1f-420d-97d4-21b2c3c492d9
status: test
description: |
Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used.
This may indicate an attacker attempting to leverage credentials they have obtained.
references:
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues
author: kelnage
date: 2024-04-12
tags:
- attack.privilege-escalation
logsource:
product: kubernetes
service: audit
detection:
selection:
responseStatus.code:
- 401 # Unauthorized
- 403 # Forbidden
condition: selection
falsepositives:
- A misconfigured RBAC policy, a mistake by a valid user, or a wider issue with authentication tokens can also generate these errors.
level: low
title: Kubernetes Secrets Enumeration
id: eeb3e9e1-b685-44e4-9232-6bb701f925b5
related:
- id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
type: derived
status: test
description: Detects enumeration of Kubernetes secrets.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.t1552.007
- attack.credential-access
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'list'
objectRef.resource: 'secrets'
condition: selection
falsepositives:
- The Kubernetes dashboard occasionally accesses the kubernetes-dashboard-key-holder secret
level: low
title: New Kubernetes Service Account Created
id: e31bae15-83ed-473e-bf31-faf4f8a17d36
related:
- id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
type: derived
status: test
description: |
Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.persistence
- attack.t1136
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'create'
objectRef.resource: 'serviceaccounts'
condition: selection
falsepositives:
- Unknown
level: low
title: Azure Kubernetes Cluster Created or Deleted
id: 9541f321-7cba-4b43-80fc-fbd1fb922808
status: test
description: Detects when a Azure Kubernetes Cluster is created or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE
condition: selection
falsepositives:
- Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low