Detectionmediumtest

Kubernetes Admission Controller Modification

Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

kelnageCreated Thu Jul 11eed82177-38f5-4299-8a76-098d50d225abapplication

Log Source

Kubernetesaudit

ProductKubernetes← raw: kubernetes

Serviceaudit← raw: audit

Detection Logic

detection:
    selection:
        objectRef.apiGroup: 'admissionregistration.k8s.io'
        objectRef.resource:
            - 'mutatingwebhookconfigurations'
            - 'validatingwebhookconfigurations'
        verb:
            - 'create'
            - 'delete'
            - 'patch'
            - 'replace'
            - 'update'
    condition: selection

False Positives

Modifying the Kubernetes Admission Controller may need to be done by a system administrator.

Automated processes may need to take these actions and may need to be filtered.

References

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0001 · Initial Access TA0005 · Defense Evasion TA0003 · Persistence TA0006 · Credential Access

Techniques

T1078 · Valid Accounts T1552 · Unsecured Credentials

Sub-techniques

T1552.007 · Container API

Related Rules

SimilarDetectionmedium

Google Cloud Kubernetes Admission Controller

Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

eed82177-38f5-4299-8a76-098d50d225ab

Status

test

Level

medium

Type

Detection

Created

Thu Jul 11

Author

kelnage

Path

rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml

Raw Tags

attack.privilege-escalationattack.initial-accessattack.defense-evasionattack.persistenceattack.t1078attack.credential-accessattack.t1552attack.t1552.007

View on GitHub