Kubernetes Admission Controller Modification

Detects when a modification (create, update, patch, replace or delete) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or to intercept and exfiltrate access credentials carried in admission requests.

Sigma rule

title: Kubernetes Admission Controller Modification
id: eed82177-38f5-4299-8a76-098d50d225ab
related:
    - id: 6ad91e31-53df-4826-bd27-0166171c8040
      type: similar
status: test
description: |
        Detects when a modification (create, update, patch, replace or delete) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
references:
    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
    - https://security.padok.fr/en/blog/kubernetes-webhook-attackers
author: kelnage
date: 2024-07-11
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.defense-evasion
    - attack.persistence
    - attack.t1078
    - attack.credential-access
    - attack.t1552
    - attack.t1552.007
logsource:
    product: kubernetes
    service: audit
detection:
    selection:
        objectRef.apiGroup: 'admissionregistration.k8s.io'
        objectRef.resource:
            - 'mutatingwebhookconfigurations'
            - 'validatingwebhookconfigurations'
        verb:
            - 'create'
            - 'delete'
            - 'patch'
            - 'replace'
            - 'update'
    condition: selection
falsepositives:
    - Modifying the Kubernetes Admission Controller may need to be done by a system administrator.
    - Automated processes may need to take these actions and may need to be filtered.
level: medium
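To show how the selection above behaves on actual audit records, here is an added Python example; it is not part of the Sigma rule or of the SigmaHQ project. It evaluates the rule's `selection` map against a handful of constructed `audit.k8s.io/v1` events and then tunes out one assumed automation identity (a hypothetical cert-manager CA-injector service account) in the way the `falsepositives` entries suggest, which in Sigma would be a second `filter` map combined as `condition: selection and not filter`. The sample events, the usernames and the filter contents are all assumptions made for the example.

```python
import json

# Constructed Kubernetes audit events in the audit.k8s.io/v1 Event shape, one
# JSON object per line as the apiserver's log backend writes them. These are
# made up for the example, not captured from a cluster; only the fields the
# rule reads (verb, objectRef.apiGroup, objectRef.resource) plus user/name
# are populated.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
     "user": {"username": "kubernetes-admin"},
     "objectRef": {"apiGroup": "admissionregistration.k8s.io",
                   "resource": "mutatingwebhookconfigurations",
                   "name": "evil-mutator"}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
     "user": {"username": "kubernetes-admin"},
     "objectRef": {"apiGroup": "admissionregistration.k8s.io",
                   "resource": "validatingwebhookconfigurations",
                   "name": "ingress-nginx-admission"}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "patch",
     "user": {"username": "system:serviceaccount:cert-manager:cert-manager-cainjector"},
     "objectRef": {"apiGroup": "admissionregistration.k8s.io",
                   "resource": "validatingwebhookconfigurations",
                   "name": "cert-manager-webhook"}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "delete",
     "user": {"username": "system:serviceaccount:default:ci-runner"},
     "objectRef": {"apiGroup": "admissionregistration.k8s.io",
                   "resource": "validatingwebhookconfigurations",
                   "name": "gatekeeper-validating-webhook-configuration"}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "update",
     "user": {"username": "kubernetes-admin"},
     "objectRef": {"apiGroup": "apps", "resource": "deployments",
                   "namespace": "default", "name": "web"}},
])

# The rule's `selection` block. Sigma ANDs the keys of a selection map and ORs
# the values listed under one key.
SELECTION = {
    "objectRef.apiGroup": {"admissionregistration.k8s.io"},
    "objectRef.resource": {"mutatingwebhookconfigurations",
                           "validatingwebhookconfigurations"},
    "verb": {"create", "delete", "patch", "replace", "update"},
}

# Hypothetical tuning for the rule's stated false positive: an in-cluster
# controller that legitimately rewrites webhook configurations (an assumed
# cert-manager CA-injector service account). In Sigma this would be a second
# `filter` map used as `condition: selection and not filter`.
FILTER_AUTOMATION = {
    "user.username": {"system:serviceaccount:cert-manager:cert-manager-cainjector"},
}


def get_field(event, dotted):
    """Resolve a Sigma dotted field name such as 'objectRef.resource' in a JSON event."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(event, selection):
    """True if every field in the selection map holds one of its listed values."""
    return all(get_field(event, field) in allowed
               for field, allowed in selection.items())


def detect(audit_log, automation_filter=FILTER_AUTOMATION):
    """Run `selection and not filter` over newline-delimited audit events.

    Returns one (username, verb, resource, name) tuple per alert, in log order.
    Pass automation_filter=None to run the bare rule without tuning.
    """
    alerts = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not matches(event, SELECTION):
            continue
        if automation_filter and matches(event, automation_filter):
            continue  # known automation, tuned out per the rule's falsepositives
        alerts.append((get_field(event, "user.username"), event["verb"],
                       get_field(event, "objectRef.resource"),
                       get_field(event, "objectRef.name")))
    return alerts


if __name__ == "__main__":
    for user, verb, resource, name in detect(SAMPLE_AUDIT_LOG):
        print(f"ALERT {verb:7s} {resource}/{name} by {user}")
```

Run as a script it prints two alerts: the `create` of the mutating webhook and the `delete` of the validating one; the `get` and the Deployment `update` never enter the selection, and the CA-injector `patch` is dropped by the filter. When tuning, match the full service-account username (and, ideally, the specific `objectRef.name` that account is expected to touch) rather than a namespace prefix, since anyone able to create service accounts in that namespace could otherwise slip under the filter. One caveat on the rule itself: `replace` is not a verb the apiserver records; `kubectl replace` issues a PUT, which the audit log reports as `update`, so that list entry never matches but does no harm.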
