Kubernetes Admission Controller Modification

Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.

Sigma rule (View on GitHub)

 1title: Kubernetes Admission Controller Modification
 2id: eed82177-38f5-4299-8a76-098d50d225ab
 3related:
 4    - id: 6ad91e31-53df-4826-bd27-0166171c8040
 5      type: similar
 6status: experimental
 7description: |
 8        Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
 9references:
10    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
11    - https://security.padok.fr/en/blog/kubernetes-webhook-attackers
12author: kelnage
13date: 2024/07/11
14tags:
15    - attack.persistence
16    - attack.t1078
17    - attack.credential_access
18    - attack.t1552
19    - attack.t1552.007
20logsource:
21    product: kubernetes
22    service: audit
23detection:
24    selection:
25        objectRef.apiGroup: 'admissionregistration.k8s.io'
26        objectRef.resource:
27            - 'mutatingwebhookconfigurations'
28            - 'validatingwebhookconfigurations'
29        verb:
30            - 'create'
31            - 'delete'
32            - 'patch'
33            - 'replace'
34            - 'update'
35    condition: selection
36falsepositives:
37    - Modifying the Kubernetes Admission Controller may need to be done by a system administrator.
38    - Automated processes may need to take these actions and may need to be filtered.
39level: medium

References

Related rules

to-top