Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowtest

RBAC Permission Enumeration Attempt

Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command. This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Leo TsaousisCreated Tue Mar 2684b777bd-c946-4d17-aa2e-c39f5a454325application
Log Source
Kubernetesapplicationaudit
ProductKubernetes← raw: kubernetes
Categoryapplication← raw: application
Serviceaudit← raw: audit
Detection Logic
Detection Logic1 selector
detection:
    selection:
        verb: 'create'
        apiGroup: 'authorization.k8s.io'
        objectRef.resource: 'selfsubjectrulesreviews'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
elastic.co
MITRE ATT&CK
Rule Metadata
Rule ID
84b777bd-c946-4d17-aa2e-c39f5a454325
Status
test
Level
low
Type
Detection
Created
Tue Mar 26
Author
Leo Tsaousis
Path
rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml
Raw Tags
attack.t1069.003attack.t1087.004attack.discovery
View on GitHub