Kubernetes Exposed Service Created With Type NodePort

 1[metadata]
 2creation_date = "2022/07/05"
 3integration = ["kubernetes"]
 4maturity = "production"
 5min_stack_comments = "New fields added to Kubernetes Integration"
 6min_stack_version = "8.4.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12This rule detects an attempt to create or modify a service as type NodePort. The NodePort service allows a user to
13externally expose a set of labeled pods to the internet. This creates an open port on every worker node in the cluster
14that has a pod for that service. When external traffic is received on that open port, it directs it to the specific pod
15through the service representing it. A malicious user can configure a service as type Nodeport in order to intercept
16traffic from other pods or nodes, bypassing firewalls and other network security measures configured for load balancers
17within a cluster. This creates a direct method of communication between the cluster and the outside world, which could
18be used for more malicious behavior and certainly widens the attack surface of your cluster.
19"""
20false_positives = [
21    """
22    Developers may have a legitimate use for NodePorts. For frontend parts of an application you may want to expose a
23    Service onto an external IP address without using cloud specific Loadbalancers. NodePort can be used to expose the
24    Service on each Node's IP at a static port (the NodePort). You'll be able to contact the NodePort Service from
25    outside the cluster, by requesting <NodeIP>:<NodePort>. NodePort unlike Loadbalancers, allow the freedom to set up
26    your own load balancing solution, configure environments that aren't fully supported by Kubernetes, or even to
27    expose one or more node's IPs directly.
28    """,
29]
30index = ["logs-kubernetes.*"]
31language = "kuery"
32license = "Elastic License v2"
33name = "Kubernetes Exposed Service Created With Type NodePort"
34note = """## Setup
35
36The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
37references = [
38    "https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types",
39    "https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport",
40    "https://www.tigera.io/blog/new-vulnerability-exposes-kubernetes-to-man-in-the-middle-attacks-heres-how-to-mitigate/",
41]
42risk_score = 47
43rule_id = "65f9bccd-510b-40df-8263-334f03174fed"
44severity = "medium"
45tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Persistence"]
46timestamp_override = "event.ingested"
47type = "query"
48
49query = '''
50event.dataset : "kubernetes.audit_logs"
51  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
52  and kubernetes.audit.objectRef.resource:"services"
53  and kubernetes.audit.verb:("create" or "update" or "patch")
54  and kubernetes.audit.requestObject.spec.type:"NodePort"
55'''
56
57
58[[rule.threat]]
59framework = "MITRE ATT&CK"
60[[rule.threat.technique]]
61id = "T1133"
62name = "External Remote Services"
63reference = "https://attack.mitre.org/techniques/T1133/"
64
65
66[rule.threat.tactic]
67id = "TA0003"
68name = "Persistence"
69reference = "https://attack.mitre.org/tactics/TA0003/"