Azure Kubernetes Rolebindings Created

 1[metadata]
 2creation_date = "2021/10/18"
 3integration = ["azure"]
 4maturity = "production"
 5updated_date = "2025/01/15"
 6
 7[rule]
 8author = ["Austin Songer"]
 9description = """
10Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects
11(users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to
12create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other
13high privileges roles.
14"""
15from = "now-20m"
16index = ["filebeat-*", "logs-azure*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "Azure Kubernetes Rolebindings Created"
20note = """## Triage and analysis
21
22> **Disclaimer**:
23> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
24
25### Investigating Azure Kubernetes Rolebindings Created
26Azure Kubernetes role bindings are crucial for managing access control within Kubernetes clusters, allowing specific permissions to be assigned to users, groups, or service accounts. Adversaries with the ability to create these bindings can escalate privileges by assigning themselves or others high-level roles, such as cluster-admin. The detection rule monitors Azure activity logs for successful creation events of role or cluster role bindings, signaling potential unauthorized privilege escalation attempts.
27
28### Possible investigation steps
29
30- Review the Azure activity logs to identify the user or service account associated with the role binding creation event. Focus on the `event.dataset` and `azure.activitylogs.operation_name` fields to confirm the specific operation.
31- Check the `event.outcome` field to ensure the operation was successful and not a failed attempt, which might indicate a misconfiguration or testing.
32- Investigate the permissions and roles assigned to the identified user or service account to determine if they have legitimate reasons to create role bindings or cluster role bindings.
33- Examine the context of the role binding creation, such as the time of the event and any related activities, to identify any unusual patterns or correlations with other suspicious activities.
34- Verify if the role binding grants elevated privileges, such as cluster-admin, and assess the potential impact on the cluster's security posture.
35- Cross-reference the event with any recent changes in the cluster's configuration or access policies to understand if the role binding creation aligns with authorized administrative actions.
36
37### False positive analysis
38
39- Routine administrative tasks may trigger alerts when legitimate users create role bindings for operational purposes. To manage this, identify and whitelist specific user accounts or service accounts that regularly perform these tasks.
40- Automated deployment tools or scripts that configure Kubernetes clusters might create role bindings as part of their normal operation. Exclude these tools by filtering out known service accounts or IP addresses associated with these automated processes.
41- Scheduled maintenance or updates to the Kubernetes environment can result in multiple role binding creation events. Establish a maintenance window and suppress alerts during this period to avoid unnecessary noise.
42- Development and testing environments often have frequent role binding changes. Consider creating separate monitoring rules with adjusted thresholds or risk scores for these environments to reduce false positives.
43- Collaboration with the DevOps team can help identify expected role binding changes, allowing for preemptive exclusion of these events from triggering alerts.
44
45### Response and remediation
46
47- Immediately revoke any newly created role bindings or cluster role bindings that are unauthorized or suspicious to prevent further privilege escalation.
48- Isolate the affected Kubernetes cluster from the network to prevent potential lateral movement or further exploitation by the adversary.
49- Conduct a thorough review of recent activity logs to identify any unauthorized access or changes made by the adversary, focusing on the time frame around the alert.
50- Reset credentials and access tokens for any compromised accounts or service accounts involved in the unauthorized role binding creation.
51- Escalate the incident to the security operations team for further investigation and to determine if additional clusters or resources are affected.
52- Implement additional monitoring and alerting for any future role binding or cluster role binding creation events to ensure rapid detection and response.
53- Review and tighten role-based access control (RBAC) policies to ensure that only necessary permissions are granted to users, groups, and service accounts, minimizing the risk of privilege escalation.
54
55## Setup
56
57The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
58references = [
59    "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
60    "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
61]
62risk_score = 21
63rule_id = "1c966416-60c1-436b-bfd0-e002fddbfd89"
64severity = "low"
65tags = [
66    "Domain: Cloud",
67    "Data Source: Azure",
68    "Use Case: Identity and Access Audit",
69    "Tactic: Privilege Escalation",
70    "Resources: Investigation Guide",
71]
72timestamp_override = "event.ingested"
73type = "query"
74
75query = '''
76event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
77	("MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE" or
78	 "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE") and
79event.outcome:(Success or success)
80'''
81
82
83[[rule.threat]]
84framework = "MITRE ATT&CK"
85
86[rule.threat.tactic]
87id = "TA0004"
88name = "Privilege Escalation"
89reference = "https://attack.mitre.org/tactics/TA0004/"