new: Kubernetes Admission Controller Modification
new: Kubernetes CronJob/Job Modification
new: Kubernetes Rolebinding Modification
new: Kubernetes Secrets Modified or Deleted
new: Kubernetes Unauthorized or Unauthenticated Access
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Showing 5 changed files with 170 additions and 0 deletions.
rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml (39 additions & 0 deletions)
@@ -0,0 +1,39 @@ | ||
title: Kubernetes Admission Controller Modification | ||
id: eed82177-38f5-4299-8a76-098d50d225ab | ||
related: | ||
- id: 6ad91e31-53df-4826-bd27-0166171c8040 | ||
type: similar | ||
status: experimental | ||
description: | | ||
Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials. | ||
references: | ||
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ | ||
- https://security.padok.fr/en/blog/kubernetes-webhook-attackers | ||
author: kelnage | ||
date: 2024/07/11 | ||
tags: | ||
- attack.persistence | ||
- attack.t1078 | ||
- attack.credential_access | ||
- attack.t1552 | ||
- attack.t1552.007 | ||
logsource: | ||
product: kubernetes | ||
service: audit | ||
detection: | ||
selection: | ||
objectRef.apiGroup: 'admissionregistration.k8s.io' | ||
objectRef.resource: | ||
- 'mutatingwebhookconfigurations' | ||
- 'validatingwebhookconfigurations' | ||
verb: | ||
- 'create' | ||
- 'delete' | ||
- 'patch' | ||
- 'replace' | ||
- 'update' | ||
condition: selection | ||
falsepositives: | ||
- Modifying the Kubernetes Admission Controller may need to be done by a system administrator. | ||
- Automated processes may need to take these actions and may need to be filtered. | ||
level: medium |
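Review bot: the description says "modification (create, update or replace)" but the selection also fires on 'delete' and 'patch', so the two should be aligned; removing a validating webhook configuration is at least as interesting as creating one and should be named in the description. Separately, 'replace' is not a verb the API server audit log emits: a PUT is recorded as 'update' and the audit verb set is get/list/watch/create/update/patch/delete/deletecollection, so the `- 'replace'` entry never matches while 'deletecollection' (one request that removes every webhook configuration) is uncovered. Suggest swapping `- 'replace'` for `- 'deletecollection'` in this verb list; the same list appears in the other three modification rules in this commit.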
rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml (39 additions & 0 deletions)
@@ -0,0 +1,39 @@ | ||
title: Kubernetes CronJob/Job Modification | ||
id: 0c9b3bda-41a6-4442-9345-356ae86343dc | ||
related: | ||
- id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435 | ||
type: similar | ||
status: experimental | ||
description: | | ||
Detects when a Kubernetes CronJob or Job is created or modified. | ||
A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. | ||
An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence. | ||
references: | ||
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ | ||
- https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob | ||
author: kelnage | ||
date: 2024/07/11 | ||
tags: | ||
- attack.persistence | ||
- attack.privilege_escalation | ||
- attack.execution | ||
logsource: | ||
product: kubernetes | ||
service: audit | ||
detection: | ||
selection: | ||
objectRef.apiGroup: 'batch' | ||
objectRef.resource: | ||
- 'cronjobs' | ||
- 'jobs' | ||
verb: | ||
- 'create' | ||
- 'delete' | ||
- 'patch' | ||
- 'replace' | ||
- 'update' | ||
condition: selection | ||
falsepositives: | ||
- Modifying a Kubernetes Job or CronJob may need to be done by a system administrator. | ||
- Automated processes may need to take these actions and may need to be filtered. | ||
level: medium |
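Review bot: the 'create' on 'jobs' branch of the selection matches every Job the CronJob controller spawns on schedule, so a cluster with a handful of CronJobs will produce a steady stream of medium-level hits from `system:serviceaccount:kube-system:cronjob-controller`. The falsepositives entry already acknowledges automated processes; rather than leaving that to each consumer, consider a `filter` on `user.username` for that controller identity and `condition: selection and not filter`, which keeps the interesting case (a human or an unexpected service account creating Jobs directly) while dropping the scheduled churn. The verb list has the same 'replace' vs 'deletecollection' issue raised on the admission-controller rule.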
rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml (35 additions & 0 deletions)
@@ -0,0 +1,35 @@ | ||
title: Kubernetes Rolebinding Modification | ||
id: 10b97915-ec8d-455f-a815-9a78926585f6 | ||
related: | ||
- id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e | ||
type: similar | ||
status: experimental | ||
description: | | ||
Detects when a Kubernetes Rolebinding is created or modified. | ||
references: | ||
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ | ||
- https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab | ||
author: kelnage | ||
date: 2024/07/11 | ||
tags: | ||
- attack.privilege_escalation | ||
logsource: | ||
product: kubernetes | ||
service: audit | ||
detection: | ||
selection: | ||
objectRef.apiGroup: 'rbac.authorization.k8s.io' | ||
objectRef.resource: | ||
- 'clusterrolebindings' | ||
- 'rolebindings' | ||
verb: | ||
- 'create' | ||
- 'delete' | ||
- 'patch' | ||
- 'replace' | ||
- 'update' | ||
condition: selection | ||
falsepositives: | ||
- Modifying a Kubernetes Rolebinding may need to be done by a system administrator. | ||
- Automated processes may need to take these actions and may need to be filtered. | ||
level: medium |
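Review bot: the title and description only say "Rolebinding" and "created or modified", while the selection also covers 'clusterrolebindings' and the 'delete' verb; spell both out in the description so an analyst reading the alert knows that a cluster-wide binding change or a binding removal can trigger it (a deleted binding can be part of covering tracks or of a denial-of-service against an operator). The tags block carries only the tactic attack.privilege_escalation with no technique id, unlike the admission-controller rule in this commit; adding the technique alongside the tactic keeps the ATT&CK mapping usable downstream.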
rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml (32 additions & 0 deletions)
@@ -0,0 +1,32 @@ | ||
title: Kubernetes Secrets Modified or Deleted | ||
id: 58d31a75-a4f8-4c40-985b-373d58162ca2 | ||
related: | ||
- id: 2f0bae2d-bf20-4465-be86-1311addebaa3 | ||
type: similar | ||
status: experimental | ||
description: | | ||
Detects when Kubernetes Secrets are Modified or Deleted. | ||
references: | ||
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ | ||
- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ | ||
author: kelnage | ||
date: 2024/07/11 | ||
tags: | ||
- attack.credential_access | ||
logsource: | ||
product: kubernetes | ||
service: audit | ||
detection: | ||
selection: | ||
objectRef.resource: 'secrets' | ||
verb: | ||
- 'create' | ||
- 'delete' | ||
- 'patch' | ||
- 'replace' | ||
- 'update' | ||
condition: selection | ||
falsepositives: | ||
- Secrets being modified or deleted may be performed by a system administrator. | ||
- Automated processes may need to take these actions and may need to be filtered. | ||
level: medium |
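Review bot: the title says "Modified or Deleted" but the verb list also includes 'create', so either drop 'create' or widen the title and description; the description line "Detects when Kubernetes Secrets are Modified or Deleted" also capitalises mid-sentence. With no apiGroup, namespace or user filter the selection will additionally match every Secret that Helm 3 writes to store release state, which makes a medium-level rule noisy on any cluster with regular deployments; a `filter` on known automation identities under `user.username` with `condition: selection and not filter` would make the falsepositives entry actionable instead of advisory. Same 'replace' vs 'deletecollection' note as on the earlier hunks.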
rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml (25 additions & 0 deletions)
@@ -0,0 +1,25 @@ | ||
title: Kubernetes Unauthorized or Unauthenticated Access | ||
id: 0d933542-1f1f-420d-97d4-21b2c3c492d9 | ||
status: experimental | ||
description: | | ||
Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. | ||
This may indicate an attacker attempting to leverage credentials they have obtained. | ||
references: | ||
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ | ||
- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues | ||
author: kelnage | ||
date: 2024/04/12 | ||
tags: | ||
- attack.privilege_escalation | ||
logsource: | ||
product: kubernetes | ||
service: audit | ||
detection: | ||
selection: | ||
responseStatus.code: | ||
- 401 # Unauthorized | ||
- 403 # Forbidden | ||
condition: selection | ||
falsepositives: | ||
- A misconfigured RBAC policy, a mistake by a valid user, or a wider issue with authentication tokens can also generate these errors. | ||
level: low |
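Review bot: `date: 2024/04/12` differs from the 2024/07/11 on the other four rules in this commit; if it is a leftover from an earlier draft it should be updated before merge. The description frames the activity as an attacker exercising credentials they have obtained, which the admission-controller rule in this same commit maps to attack.t1078, yet the only tag here is attack.privilege_escalation; aligning the technique tags lets the two rules be correlated. Also worth stating in falsepositives that a single expired token produces a 401 on every request until it is rotated, so the rule will repeat-fire from one stale client, which is the practical reason level: low is the right choice here.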