Kubernetes Admission Controller Modification

Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.

Sigma rule

title: Kubernetes Admission Controller Modification
id: eed82177-38f5-4299-8a76-098d50d225ab
related:
    - id: 6ad91e31-53df-4826-bd27-0166171c8040
      type: similar
status: experimental
description: |
        Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
references:
    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
    - https://security.padok.fr/en/blog/kubernetes-webhook-attackers
author: kelnage
date: 2024-07-11
tags:
    - attack.persistence
    - attack.t1078
    - attack.credential-access
    - attack.t1552
    - attack.t1552.007
logsource:
    product: kubernetes
    service: audit
detection:
    selection:
        objectRef.apiGroup: 'admissionregistration.k8s.io'
        objectRef.resource:
            - 'mutatingwebhookconfigurations'
            - 'validatingwebhookconfigurations'
        verb:
            - 'create'
            - 'delete'
            - 'patch'
            - 'replace'
            - 'update'
    condition: selection
falsepositives:
    - Modifying the Kubernetes Admission Controller may need to be done by a system administrator.
    - Automated processes may need to take these actions and may need to be filtered.
level: medium
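
Added example (not part of the rule or its repository): the rule's selection evaluated in Python over constructed audit.k8s.io/v1 events, followed by the filtering step that the falsepositives entries call for. The ALLOWED_USERS allowlist, the user names and all sample events are assumptions made for illustration.

```python
import json

# Values copied from the rule's `selection` block.
API_GROUP = "admissionregistration.k8s.io"
RESOURCES = {"mutatingwebhookconfigurations", "validatingwebhookconfigurations"}
VERBS = {"create", "delete", "patch", "replace", "update"}
# Hypothetical allowlist of automation identities (assumption, not in the rule).
ALLOWED_USERS = {"system:serviceaccount:cert-manager:cert-manager-cainjector"}

def _ci(value):
    """Lower-case strings, since Sigma compares string values case-insensitively."""
    return value.lower() if isinstance(value, str) else None

def matches_selection(event):
    """True when an audit.k8s.io/v1 Event satisfies the rule's `selection`."""
    ref = event.get("objectRef") or {}
    return (_ci(ref.get("apiGroup")) == API_GROUP
            and _ci(ref.get("resource")) in RESOURCES
            and _ci(event.get("verb")) in VERBS)

def triage(lines, allowed_users=ALLOWED_USERS):
    """Split matching events from JSON-lines audit input into (alerts, filtered)."""
    alerts, filtered = [], []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if not isinstance(event, dict) or not matches_selection(event):
            continue
        user = (event.get("user") or {}).get("username", "")
        (filtered if user in allowed_users else alerts).append(event)
    return alerts, filtered

def _event(verb, user, group, resource):
    """Build one constructed audit line (sample data, not a real log)."""
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": verb,
                       "user": {"username": user},
                       "objectRef": {"apiGroup": group, "resource": resource}})

SAMPLE_LOG = [
    _event("create", "dev-alice", API_GROUP, "mutatingwebhookconfigurations"),
    _event("patch", "system:serviceaccount:cert-manager:cert-manager-cainjector",
           API_GROUP, "validatingwebhookconfigurations"),
    _event("get", "dev-alice", API_GROUP, "mutatingwebhookconfigurations"),
    _event("update", "dev-alice", "", "configmaps"),
    _event("delete", "dev-alice", API_GROUP, "validatingwebhookconfigurations"),
    '{"kind":"Event","verb":"create","objectRef":{"apiGro',  # truncated line
]
```

Calling triage(SAMPLE_LOG) returns the create and delete events as alerts and the allowlisted patch as filtered; the read-only get, the configmaps update and the truncated line are dropped.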
