Kubernetes Suspicious Self-Subject Review
This rule detects when a service account or node attempts to enumerate their own permissions via the selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities like service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to determine what privileges they have to facilitate further movement or execution within the cluster.
Elastic rule
```toml
[metadata]
creation_date = "2022/06/30"
integration = ["kubernetes"]
maturity = "production"
min_stack_comments = "New fields added to Kubernetes Integration"
min_stack_version = "8.4.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
This rule detects when a service account or node attempts to enumerate their own permissions via the
selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities like
service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to
determine what privileges they have to facilitate further movement or execution within the cluster.
"""
false_positives = [
    """
    An administrator may submit this request as an "impersonatedUser" to determine what privileges a particular service
    account has been granted. However, an adversary may utilize the same technique as a means to determine the
    privileges of another token other than that of the compromised account.
    """,
]
index = ["logs-kubernetes.*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes Suspicious Self-Subject Review"
note = """## Setup

The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
references = [
    "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms",
    "https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access",
    "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/detecting-identity-attacks-in-kubernetes/ba-p/3232340",
]
risk_score = 47
rule_id = "12a2f15d-597e-4334-88ff-38a02cb1330b"
severity = "medium"
tags = ["Data Source: Kubernetes", "Tactic: Discovery"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset : "kubernetes.audit_logs"
  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
  and kubernetes.audit.verb:"create"
  and kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews")
  and (kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*)
  or kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*))
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
reference = "https://attack.mitre.org/techniques/T1613/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
```
Setup
The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.
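As an added illustration of the detection logic (not part of the Elastic rule), the Python below re-implements the query's conditions over a few constructed audit events keyed by the same flat ECS field names, and reports the actor together with any impersonated subject so the documented admin-impersonation false positive can be told apart from a token reviewing its own rights. The field names come from the query; the sample events and helper names are assumptions.

```python
import fnmatch

# Identity patterns the rule treats as non-human (KQL: system\:serviceaccount\:* or system\:node\:*).
NONHUMAN_PATTERNS = ("system:serviceaccount:*", "system:node:*")
SELF_REVIEW_RESOURCES = {"selfsubjectaccessreviews", "selfsubjectrulesreviews"}

def is_nonhuman(username):
    """True when a username matches a service-account or node pattern."""
    return bool(username) and any(fnmatch.fnmatchcase(username, p) for p in NONHUMAN_PATTERNS)

def matches_rule(event):
    """Re-implements the rule's KQL conditions over a flat dict keyed by ECS field name."""
    if event.get("event.dataset") != "kubernetes.audit_logs":
        return False
    if event.get("kubernetes.audit.annotations.authorization_k8s_io/decision") != "allow":
        return False
    if event.get("kubernetes.audit.verb") != "create":
        return False
    if event.get("kubernetes.audit.objectRef.resource") not in SELF_REVIEW_RESOURCES:
        return False
    return (is_nonhuman(event.get("kubernetes.audit.user.username"))
            or is_nonhuman(event.get("kubernetes.audit.impersonatedUser.username")))

def triage(events):
    """Return (actor, impersonated_subject) per hit so an analyst can separate a token
    reviewing its own rights from an admin impersonating a service account."""
    return [(ev.get("kubernetes.audit.user.username"),
             ev.get("kubernetes.audit.impersonatedUser.username"))
            for ev in events if matches_rule(ev)]

def make_event(user, resource, verb="create", decision="allow", impersonated=None):
    """Build a constructed audit event (not real data) with only the fields the rule reads."""
    event = {"event.dataset": "kubernetes.audit_logs",
             "kubernetes.audit.annotations.authorization_k8s_io/decision": decision,
             "kubernetes.audit.verb": verb,
             "kubernetes.audit.objectRef.resource": resource,
             "kubernetes.audit.user.username": user}
    if impersonated:
        event["kubernetes.audit.impersonatedUser.username"] = impersonated
    return event

SAMPLE_EVENTS = [
    make_event("system:serviceaccount:default:web-sa", "selfsubjectaccessreviews"),  # token checks its own rights
    make_event("kubernetes-admin", "selfsubjectrulesreviews"),  # human user: out of scope
    make_event("kubernetes-admin", "selfsubjectrulesreviews",
               impersonated="system:serviceaccount:ci:deployer"),  # documented false-positive pattern
    make_event("system:serviceaccount:default:web-sa", "selfsubjectaccessreviews", decision="forbid"),  # denied
    make_event("system:node:worker-1", "pods", verb="get"),  # ordinary node activity
]
```

Calling `triage(SAMPLE_EVENTS)` yields two hits: the service account's own review, and the admin's review with the impersonated service account recorded as the subject.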
Related rules
- Kubernetes Denied Service Account Request
- Azure Blob Container Access Level Modification
- Kubernetes Container Created with Excessive Linux Capabilities
- Kubernetes Exposed Service Created With Type NodePort
- Kubernetes Pod Created With HostIPC