Google Cloud Kubernetes RoleBinding
Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.
Sigma rule (View on GitHub)
1title: Google Cloud Kubernetes RoleBinding
2id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
3status: test
4description: Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.
5references:
6 - https://github.com/elastic/detection-rules/pull/1267
7 - https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole
8 - https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
9 - https://kubernetes.io/docs/reference/access-authn-authz/rbac/
10 - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
11author: Austin Songer @austinsonger
12date: 2021-08-09
13modified: 2022-10-09
14tags:
15 - attack.credential-access
16logsource:
17 product: gcp
18 service: gcp.audit
19detection:
20 selection:
21 gcp.audit.method_name:
22 - io.k8s.authorization.rbac.v*.clusterrolebindings.create
23 - io.k8s.authorization.rbac.v*.rolebindings.create
24 - io.k8s.authorization.rbac.v*.clusterrolebindings.patch
25 - io.k8s.authorization.rbac.v*.rolebindings.patch
26 - io.k8s.authorization.rbac.v*.clusterrolebindings.update
27 - io.k8s.authorization.rbac.v*.rolebindings.update
28 - io.k8s.authorization.rbac.v*.clusterrolebindings.delete
29 - io.k8s.authorization.rbac.v*.rolebindings.delete
30 condition: selection
31falsepositives:
32 - RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
33 - RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
34level: medium
References
-
Issues Resolves #1191 Summary Contributor checklist Have you signed the contributor license agreement? Have you followed the contributor guidelines?
Read More -
ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
Read More -
Autopilot Standard This page shows you how to authorize actions on resources in your Google Kubernetes Engine (GKE) clusters using the built-in role-based access control (RBAC) mechanism in Kuberne...
Read More -
Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your organization. RBAC authorization uses the rbac.authorization.k8s.io API group to drive authorization decisions, allowing you to dynamically configure policies through the Kubernetes API. To enable RBAC, start the API server with the --authorization-mode flag set to a comma-separated list that includes RBAC; for example: kube-apiserver --authorization-mode=Example,RBAC --other-options --more-options API objects The RBAC API declares four kinds of Kubernetes object: Role, ClusterRole, RoleBinding and ClusterRoleBinding.
Read More -
Autopilot Standard This document describes the audit logs created by Google Kubernetes Engine as part of Cloud Audit Logs. Overview Google Cloud services write audit logs to help you answer the que...
Read More
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- ADCS Certificate Template Configuration Vulnerability
- ADCS Certificate Template Configuration Vulnerability with Risky EKU
- APT31 Judgement Panda Activity