Kubernetes Admission Webhook Created or Modified

calendar May 7, 2026 · Data Source: Kubernetes Domain: Kubernetes Use Case: Threat Detection Tactic: Persistence Tactic: Defense Evasion Resources: Investigation Guide  ·
Share on: linkedin copy

Detects creation, modification, or deletion of Kubernetes MutatingWebhookConfigurations or ValidatingWebhookConfigurations by non-system identities. Admission webhooks intercept every API request matching their rules before persistence, giving an attacker powerful capabilities: injecting malicious sidecars into every new pod via a mutating webhook, blocking security tooling deployments via a validating webhook, or silently exfiltrating pod specifications to an external server. Webhook manipulation is a stealthy persistence and defense evasion technique because the webhook configuration itself looks benign in kubectl output while actively modifying or intercepting all matching Kubernetes API traffic.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2026/05/05"
  3integration = ["kubernetes"]
  4maturity = "production"
  5updated_date = "2026/05/05"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects creation, modification, or deletion of Kubernetes MutatingWebhookConfigurations or ValidatingWebhookConfigurations 
 11by non-system identities. Admission webhooks intercept every API request matching their rules before persistence, giving an 
 12attacker powerful capabilities: injecting malicious sidecars into every new pod via a mutating webhook, blocking security 
 13tooling deployments via a validating webhook, or silently exfiltrating pod specifications to an external server. 
 14Webhook manipulation is a stealthy persistence and defense evasion technique because the webhook configuration itself looks 
 15benign in kubectl output while actively modifying or intercepting all matching Kubernetes API traffic.
 16"""
 17false_positives = [
 18  """
 19  Cluster operators and GitOps automation may legitimately install or upgrade admission controllers (e.g. cert-manager,
 20  Gatekeeper, Kyverno, service mesh components). Validate change tickets and approved controllers before tuning.
 21  """,
 22]
 23from = "now-9m"
 24index = ["logs-kubernetes.audit_logs-*"]
 25language = "kuery"
 26license = "Elastic License v2"
 27name = "Kubernetes Admission Webhook Created or Modified"
 28note = """## Triage and analysis
 29
 30### Investigating Kubernetes Admission Webhook Created or Modified
 31
 32Admission webhooks can mutate or validate resources before they are persisted. A malicious webhook can inject sidecars,
 33alter securityContext, block defensive workloads, or exfiltrate pod specs. This rule alerts on allowed changes to
 34MutatingWebhookConfiguration and ValidatingWebhookConfiguration objects by identities outside common system patterns.
 35
 36### Possible investigation steps
 37
 38- Confirm the webhook resource and operation:
 39  - kubernetes.audit.objectRef.resource and kubernetes.audit.verb
 40  - kubernetes.audit.objectRef.name (the webhook configuration name)
 41- Attribute the actor and access path:
 42  - user.name (human vs service account vs node identity)
 43  - source.ip and user_agent.original
 44  - In cloud-managed clusters, map the identity to IAM/Entra principal data present in kubernetes.audit.user.extra.*.
 45- Extract the webhook destination and review for external exfiltration:
 46  - kubernetes.audit.requestObject.webhooks.clientConfig.url (suspicious when pointing to the public internet)
 47  - kubernetes.audit.requestObject.webhooks.clientConfig.service.* (in-cluster service; still validate namespace/name)
 48- Review impact-driving webhook settings:
 49  - failurePolicy (e.g., Ignore can make malicious webhooks stealthier by avoiding obvious outages)
 50  - namespaceSelector / objectSelector targeting (e.g., excluding kube-system while targeting everything else)
 51  - rules.operations and rules.resources (e.g., CREATE pods is consistent with broad sidecar injection)
 52  - sideEffects, timeoutSeconds, matchPolicy, reinvocationPolicy
 53- Scope blast radius and follow-on activity:
 54  - Hunt for pods created/updated after the webhook change that include unexpected containers, initContainers, env vars,
 55    volume mounts, or securityContext changes.
 56  - Check for concurrent RBAC changes, token creation, or secret access from the same identity and source IP.
 57
 58### False positive analysis
 59
 60- GitOps upgrades or controller installs can legitimately change admission webhooks. Validate the change against:
 61  - approved Helm/Git commits, change tickets, and expected controller namespaces
 62  - known controller identities (cert-manager, Gatekeeper, Kyverno, service mesh controllers)
 63
 64### Response and remediation
 65
 66- If unauthorized, revert or delete the webhook configuration from a known-good source (GitOps/Helm), then block the
 67  actor identity and rotate any credentials it used.
 68- If the webhook targeted pod creation, assume workload impact: identify affected namespaces/workloads, redeploy from
 69  trusted manifests/images, and validate that new pods are no longer being mutated.
 70- If an external clientConfig.url was used, treat it as potential data exfiltration and review egress/DNS logs for the
 71  destination around the alert window.
 72"""
 73risk_score = 47
 74rule_id = "4f8f7c08-ffb5-443f-86c6-0884c964df7b"
 75severity = "medium"
 76tags = [
 77  "Data Source: Kubernetes",
 78  "Domain: Kubernetes",
 79  "Use Case: Threat Detection",
 80  "Tactic: Persistence",
 81  "Tactic: Defense Evasion",
 82  "Resources: Investigation Guide",
 83]
 84timestamp_override = "event.ingested"
 85type = "query"
 86query = '''
 87kubernetes.audit.objectRef.resource:("mutatingwebhookconfigurations" or "validatingwebhookconfigurations") and
 88kubernetes.audit.verb:("create" or "update" or "patch" or "delete") and
 89kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and 
 90user.name:(* and not 
 91  (system\:kube-controller-manager or
 92  system\:kube-scheduler or
 93  system\:serviceaccount\:kube-system\:* or
 94  eks\:* or aksService or masterclient or nodeclient or
 95  system\:serviceaccount\:gke-managed-system\:* or
 96  system\:serviceaccount\:cert-manager\:* or
 97  system\:serviceaccount\:gatekeeper-system\:* or
 98  system\:serviceaccount\:kyverno\:* or
 99  system\:serviceaccount\:*\:*-operator)
100) and
101kubernetes.audit.objectRef.name:(* and not (pod-identity-webhook or vpc-resource-mutating-webhook or eks-* or gke-*))
102'''
103
104[[rule.threat]]
105framework = "MITRE ATT&CK"
106
107[[rule.threat.technique]]
108id = "T1546"
109name = "Event Triggered Execution"
110reference = "https://attack.mitre.org/techniques/T1546/"
111
112[rule.threat.tactic]
113id = "TA0003"
114name = "Persistence"
115reference = "https://attack.mitre.org/tactics/TA0003/"
116
117[[rule.threat]]
118framework = "MITRE ATT&CK"
119
120[[rule.threat.technique]]
121id = "T1562"
122name = "Impair Defenses"
123reference = "https://attack.mitre.org/techniques/T1562/"
124
125[rule.threat.tactic]
126id = "TA0005"
127name = "Defense Evasion"
128reference = "https://attack.mitre.org/tactics/TA0005/"

Triage and analysis

Investigating Kubernetes Admission Webhook Created or Modified

Admission webhooks can mutate or validate resources before they are persisted. A malicious webhook can inject sidecars, alter securityContext, block defensive workloads, or exfiltrate pod specs. This rule alerts on allowed changes to MutatingWebhookConfiguration and ValidatingWebhookConfiguration objects by identities outside common system patterns.

Possible investigation steps

  • Confirm the webhook resource and operation:
    • kubernetes.audit.objectRef.resource and kubernetes.audit.verb
    • kubernetes.audit.objectRef.name (the webhook configuration name)
  • Attribute the actor and access path:
    • user.name (human vs service account vs node identity)
    • source.ip and user_agent.original
    • In cloud-managed clusters, map the identity to IAM/Entra principal data present in kubernetes.audit.user.extra.*.
  • Extract the webhook destination and review for external exfiltration:
    • kubernetes.audit.requestObject.webhooks.clientConfig.url (suspicious when pointing to the public internet)
    • kubernetes.audit.requestObject.webhooks.clientConfig.service.* (in-cluster service; still validate namespace/name)
  • Review impact-driving webhook settings:
    • failurePolicy (e.g., Ignore can make malicious webhooks stealthier by avoiding obvious outages)
    • namespaceSelector / objectSelector targeting (e.g., excluding kube-system while targeting everything else)
    • rules.operations and rules.resources (e.g., CREATE pods is consistent with broad sidecar injection)
    • sideEffects, timeoutSeconds, matchPolicy, reinvocationPolicy
  • Scope blast radius and follow-on activity:
    • Hunt for pods created/updated after the webhook change that include unexpected containers, initContainers, env vars, volume mounts, or securityContext changes.
    • Check for concurrent RBAC changes, token creation, or secret access from the same identity and source IP.

False positive analysis

  • GitOps upgrades or controller installs can legitimately change admission webhooks. Validate the change against:
    • approved Helm/Git commits, change tickets, and expected controller namespaces
    • known controller identities (cert-manager, Gatekeeper, Kyverno, service mesh controllers)

Response and remediation

  • If unauthorized, revert or delete the webhook configuration from a known-good source (GitOps/Helm), then block the actor identity and rotate any credentials it used.
  • If the webhook targeted pod creation, assume workload impact: identify affected namespaces/workloads, redeploy from trusted manifests/images, and validate that new pods are no longer being mutated.
  • If an external clientConfig.url was used, treat it as potential data exfiltration and review egress/DNS logs for the destination around the alert window.

Related rules

to-top