Kubernetes Rolebinding Modification

Detects when a Kubernetes Rolebinding is created or modified.

Sigma rule (View on GitHub)

 1title: Kubernetes Rolebinding Modification
 2id: 10b97915-ec8d-455f-a815-9a78926585f6
 3related:
 4    - id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
 5      type: similar
 6status: experimental
 7description: |
 8        Detects when a Kubernetes Rolebinding is created or modified.
 9references:
10    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
11    - https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab
12author: kelnage
13date: 2024/07/11
14tags:
15    - attack.privilege_escalation
16logsource:
17    product: kubernetes
18    service: audit
19detection:
20    selection:
21        objectRef.apiGroup: 'rbac.authorization.k8s.io'
22        objectRef.resource:
23            - 'clusterrolebindings'
24            - 'rolebindings'
25        verb:
26            - 'create'
27            - 'delete'
28            - 'patch'
29            - 'replace'
30            - 'update'
31    condition: selection
32falsepositives:
33    - Modifying a Kubernetes Rolebinding may need to be done by a system administrator.
34    - Automated processes may need to take these actions and may need to be filtered.
35level: medium

References

Related rules

to-top