Kubernetes Unauthorized or Unauthenticated Access

calendar Mar 4, 2025 · attack.privilege-escalation  ·
Share on: linkedin copy

Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. This may indicate an attacker attempting to leverage credentials they have obtained.

Sigma rule (View on GitHub)

 1title: Kubernetes Unauthorized or Unauthenticated Access
 2id: 0d933542-1f1f-420d-97d4-21b2c3c492d9
 3status: test
 4description: |
 5    Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used.
 6    This may indicate an attacker attempting to leverage credentials they have obtained.    
 7references:
 8    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
 9    - https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues
10author: kelnage
11date: 2024-04-12
12tags:
13    - attack.privilege-escalation
14logsource:
15    product: kubernetes
16    service: audit
17detection:
18    selection:
19        responseStatus.code:
20            - 401 # Unauthorized
21            - 403 # Forbidden
22    condition: selection
23falsepositives:
24    - A misconfigured RBAC policy, a mistake by a valid user, or a wider issue with authentication tokens can also generate these errors.
25level: low

References

  • kube-apiserver Audit Configuration (v1)

    Resource Types Event EventList Policy PolicyList Event Appears in: EventList Event captures all the information that can be included in an API audit log. FieldDescription apiVersionstringaudit.k8s.io/v1 kindstringEvent level [Required] Level AuditLevel at which event was generated auditID [Required] k8s.io/apimachinery/pkg/types.UID Unique audit ID, generated for each request. stage [Required] Stage Stage of the request handling when this event instance was generated. requestURI [Required] string RequestURI is the request URI as sent by the client to a server.


    Read More

  • How to monitor Kubernetes audit logs | Datadog

    Learn how to use Kubernetes audit logs to debug issues and get clarity into your workloads.


    Read More

Related rules

to-top