Detectionlowtest

Kubernetes Unauthorized or Unauthenticated Access

Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. This may indicate an attacker attempting to leverage credentials they have obtained.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

kelnageCreated Fri Apr 120d933542-1f1f-420d-97d4-21b2c3c492d9application

Log Source

Kubernetesaudit

ProductKubernetes← raw: kubernetes

Serviceaudit← raw: audit

Detection Logic

detection:
    selection:
        responseStatus.code:
            - 401 # Unauthorized
            - 403 # Forbidden
    condition: selection

False Positives

A misconfigured RBAC policy, a mistake by a valid user, or a wider issue with authentication tokens can also generate these errors.

References

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation

Rule Metadata

Rule ID

0d933542-1f1f-420d-97d4-21b2c3c492d9

Status

test

Level

low

Type

Detection

Created

Fri Apr 12

Author

kelnage

Path

rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml

Raw Tags

attack.privilege-escalation

View on GitHub