Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
Detects the creation, patching or deletion of potentially malicious RoleBindings/ClusterRoleBindings.
Log Source
Product: azure
Service: activitylogs
Detection Logic
detection:
  selection:
    operationName:
      - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE
      - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE
      - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE
      - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE
  condition: selection
False Positives
RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
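To show how the selection above behaves on real-shaped telemetry, and how the exemption suggested in the False Positives section can be layered on top, here is an added Python example. It is not part of the Sigma rule or the rule repository. It reimplements Sigma's plain-string matching (case-insensitive, with `*` and `?` wildcards) for the `operationName` field, runs it over a handful of constructed Azure Activity Log records (the field names `operationName`, `caller` and `resourceId` follow the Activity Log schema; every value is made up), and flags alerts whose caller is on a constructed allowlist of known automation identities.

```python
"""Evaluate the rule's Sigma selection against Azure Activity Log records (added example)."""
import re

# The four operationName values from the rule's selection, copied from the rule above.
SELECTION_OPERATION_NAMES = [
    "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE",
    "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE",
    "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE",
    "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE",
]


def sigma_string_match(value, pattern):
    """Sigma plain-string semantics: case-insensitive; '*' matches any run, '?' one character."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.fullmatch("".join(parts), str(value), flags=re.IGNORECASE | re.DOTALL) is not None


def selection_matches(record):
    """Sigma ORs the values listed under one field; the rule's condition is just 'selection'."""
    op = record.get("operationName")
    if op is None:
        return False
    return any(sigma_string_match(op, pattern) for pattern in SELECTION_OPERATION_NAMES)


# Constructed sample records (not real telemetry). Activity Log emits mixed-case
# operation names in practice, which is why the case-insensitive match matters.
SAMPLE_RECORDS = [
    {"operationName": "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE",
     "caller": "alice@example.com",
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-arc/providers/Microsoft.Kubernetes/connectedClusters/arc-cluster-01"},
    {"operationName": "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roleBindings/delete",
     "caller": "sp-gitops-deployer@example.com",
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-arc/providers/Microsoft.Kubernetes/connectedClusters/arc-cluster-01"},
    {"operationName": "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/READ",
     "caller": "bob@example.com",
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-arc/providers/Microsoft.Kubernetes/connectedClusters/arc-cluster-01"},
    {"operationName": "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/READ",
     "caller": "bob@example.com",
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-arc/providers/Microsoft.Kubernetes/connectedClusters/arc-cluster-01"},
    {"caller": "carol@example.com"},  # record with no operationName must never match
]

# Constructed allowlist: identities whose RoleBinding changes are known, expected behaviour.
KNOWN_AUTOMATION_CALLERS = {"sp-gitops-deployer@example.com"}


def triage(records, exempt_callers=KNOWN_AUTOMATION_CALLERS):
    """Return one alert per matching record, carrying the caller/resource an analyst needs."""
    alerts = []
    for rec in records:
        if not selection_matches(rec):
            continue
        caller = rec.get("caller", "<unknown>")
        alerts.append({
            "operationName": rec["operationName"],
            "caller": caller,
            "resourceId": rec.get("resourceId", "<unknown>"),
            "exempted": caller in exempt_callers,
        })
    return alerts


def actionable_alerts(records):
    """Alerts left after the allowlist exemption: these are the ones to investigate."""
    return [alert for alert in triage(records) if not alert["exempted"]]


if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        status = "exempted" if alert["exempted"] else "INVESTIGATE"
        print(f"{status:11} {alert['caller']:32} {alert['operationName']}")
```

Running it on the sample data produces two matches: the ClusterRoleBinding write by an interactive user, which stays actionable, and the RoleBinding delete by the GitOps service principal, which the allowlist marks as exempted. The read operations and the record with no `operationName` field do not match, mirroring the rule's selection.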
MITRE ATT&CK
Rule Metadata
Rule ID
25cb259b-bbdc-4b87-98b7-90d7c72f8743
Status
test
Level
medium
Type
Detection
Created
Sat Aug 07
Modified
Tue Aug 23
Author
Path
rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml
Raw Tags
attack.impact
attack.credential-access
attack.t1485
attack.t1496
attack.t1489