Kubernetes Rolebinding Modification

Detects when a Kubernetes Rolebinding is created or modified.

Sigma rule

title: Kubernetes Rolebinding Modification
id: 10b97915-ec8d-455f-a815-9a78926585f6
related:
    - id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
      type: similar
status: experimental
description: |
        Detects when a Kubernetes Rolebinding is created or modified.
references:
    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
    - https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab
author: kelnage
date: 2024-07-11
tags:
    - attack.privilege-escalation
logsource:
    product: kubernetes
    service: audit
detection:
    selection:
        objectRef.apiGroup: 'rbac.authorization.k8s.io'
        objectRef.resource:
            - 'clusterrolebindings'
            - 'rolebindings'
        verb:
            - 'create'
            - 'delete'
            - 'patch'
            - 'replace'
            - 'update'
    condition: selection
falsepositives:
    - Modifying a Kubernetes Rolebinding may need to be done by a system administrator.
    - Automated processes may need to take these actions and may need to be filtered.
level: medium
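As an added illustration (not part of the rule or the Sigma project), the following applies the rule's `selection` block to constructed apiserver audit events in the audit.k8s.io/v1 JSON-lines format, and shows how the second false-positive entry could be handled with an allowlist of expected automation principals. The `EXPECTED_AUTOMATION` service account name, the `_event` helper and all sample events are assumptions made up for the example.

```python
"""Apply the page's Sigma selection to constructed Kubernetes audit events."""
import json

# Values copied from the rule's `selection` block.
RBAC_API_GROUP = "rbac.authorization.k8s.io"
BINDING_RESOURCES = {"clusterrolebindings", "rolebindings"}
WRITE_VERBS = {"create", "delete", "patch", "replace", "update"}
# Hypothetical tuning for the rule's second false-positive entry: principals
# whose binding changes are expected (e.g. a deployment pipeline's account).
EXPECTED_AUTOMATION = {"system:serviceaccount:ci:deployer"}

def matches_rolebinding_modification(event: dict) -> bool:
    """True when an audit event satisfies the rule's `selection`.

    Dotted Sigma fields map to nested JSON keys, so `objectRef.apiGroup`
    is event["objectRef"]["apiGroup"]. All three conditions must hold.
    """
    ref = event.get("objectRef") or {}
    return (ref.get("apiGroup") == RBAC_API_GROUP
            and ref.get("resource") in BINDING_RESOURCES
            and event.get("verb") in WRITE_VERBS)

def alerts(audit_lines, allowlist=EXPECTED_AUTOMATION):
    """Return (username, verb, resource, name) for each matching JSON line,
    skipping allowlisted automation principals."""
    hits = []
    for line in audit_lines:
        ev = json.loads(line)
        user = ev.get("user", {}).get("username")
        if matches_rolebinding_modification(ev) and user not in allowlist:
            ref = ev["objectRef"]
            hits.append((user, ev["verb"], ref["resource"], ref.get("name")))
    return hits

def _event(verb, user, resource, group, name):
    """Build a minimal constructed audit.k8s.io/v1 event as one JSON line."""
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                       "verb": verb, "user": {"username": user},
                       "objectRef": {"resource": resource, "apiGroup": group,
                                     "name": name}})

SAMPLE_AUDIT_LOG = [  # constructed sample events, not real cluster data
    _event("create", "dev-user", "clusterrolebindings", RBAC_API_GROUP, "dev-admin"),
    _event("get", "auditor", "rolebindings", RBAC_API_GROUP, "view"),  # read-only verb
    _event("patch", "ci-bot", "roles", RBAC_API_GROUP, "deployer"),  # Role, not a binding
    _event("patch", "ci-bot", "deployments", "apps", "web"),  # apiGroup is not rbac
    _event("delete", "system:serviceaccount:ci:deployer", "rolebindings", RBAC_API_GROUP, "old"),
    _event("update", "contractor", "rolebindings", RBAC_API_GROUP, "edit"),
]
```

Running `alerts(SAMPLE_AUDIT_LOG)` returns the `create` and `update` events only: the `get`, the Role patch and the Deployment patch fail the selection, and the allowlisted service account's `delete` is filtered as expected automation.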
