Kubernetes Secrets Modified or Deleted
Detects when Kubernetes Secrets are Modified or Deleted.
Sigma rule

title: Kubernetes Secrets Modified or Deleted
id: 58d31a75-a4f8-4c40-985b-373d58162ca2
related:
    - id: 2f0bae2d-bf20-4465-be86-1311addebaa3
      type: similar
status: experimental
description: |
    Detects when Kubernetes Secrets are Modified or Deleted.
references:
    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
    - https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/
author: kelnage
date: 2024-07-11
tags:
    - attack.credential-access
logsource:
    product: kubernetes
    service: audit
detection:
    selection:
        objectRef.resource: 'secrets'
        verb:
            - 'create'
            - 'delete'
            - 'patch'
            - 'replace'
            - 'update'
    condition: selection
falsepositives:
    - Secrets being modified or deleted may be performed by a system administrator.
    - Automated processes may need to take these actions and may need to be filtered.
level: medium
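An added example (not part of the rule or of the Sigma project) that applies the rule's selection to constructed apiserver audit events. It goes slightly beyond the rule as written: it keeps only the ResponseComplete stage, because the audit backend can emit one event per stage for a single request, and it takes an optional allowlist of automated accounts to tune out the false positives the rule lists. The event shape follows the audit.k8s.io/v1 reference above; the usernames and object names are invented.

```python
import json

# Verbs the Sigma rule treats as a modification or deletion of a Secret.
SECRET_WRITE_VERBS = {"create", "delete", "patch", "replace", "update"}

# Constructed Kubernetes audit events (audit.k8s.io/v1 shape, trimmed to the
# fields the rule needs). Names and accounts are invented sample data.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:app:web"},"objectRef":{"resource":"secrets","namespace":"app","name":"db-creds"}}
{"kind":"Event","stage":"ResponseComplete","verb":"delete","user":{"username":"alice"},"objectRef":{"resource":"secrets","namespace":"app","name":"db-creds"}}
{"kind":"Event","stage":"RequestReceived","verb":"patch","user":{"username":"system:serviceaccount:kube-system:cert-manager"},"objectRef":{"resource":"secrets","namespace":"app","name":"tls"}}
{"kind":"Event","stage":"ResponseComplete","verb":"patch","user":{"username":"system:serviceaccount:kube-system:cert-manager"},"objectRef":{"resource":"secrets","namespace":"app","name":"tls"}}
{"kind":"Event","stage":"ResponseComplete","verb":"update","user":{"username":"bob"},"objectRef":{"resource":"configmaps","namespace":"app","name":"settings"}}
"""


def matches_rule(event: dict) -> bool:
    """The rule's 'selection': objectRef.resource is 'secrets' AND verb is a write verb."""
    resource = event.get("objectRef", {}).get("resource")
    return resource == "secrets" and event.get("verb") in SECRET_WRITE_VERBS


def find_secret_changes(log_text: str, only_response_complete: bool = True,
                        ignored_users: set = frozenset()) -> list:
    """Return (username, verb, namespace/name) for every matching audit event.

    only_response_complete: drop RequestReceived/ResponseStarted copies of the
    same request so one write produces one alert (an assumption added here,
    not part of the rule). ignored_users: allowlist for the automated accounts
    the rule's falsepositives section says may need filtering.
    """
    hits = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if only_response_complete and event.get("stage") != "ResponseComplete":
            continue
        user = event.get("user", {}).get("username")
        if user in ignored_users or not matches_rule(event):
            continue
        ref = event["objectRef"]
        hits.append((user, event["verb"], f"{ref.get('namespace')}/{ref.get('name')}"))
    return hits


if __name__ == "__main__":
    for user, verb, obj in find_secret_changes(SAMPLE_AUDIT_LOG):
        print(f"ALERT secret {verb} by {user} on {obj}")
```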