Rule Library

Sigma Rules

916 rules found for "Microsoft"

3,707 Total
3,116 Detection
451 Emerging
137 Hunting

Detection · low · test

Deployment Deleted From Kubernetes Cluster

Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations.

Kubernetes · application · audit
T1498 · Network Denial of Service | TA0040 · Impact
Leo Tsaousis · Tue Mar 26 · application
Detection · medium · test

Kubernetes Events Deleted

Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection.

Kubernetes · application · audit
TA0005 · Defense Evasion | T1070 · Indicator Removal
Leo Tsaousis · Tue Mar 26 · application
Detection · medium · test

Potential Remote Command Execution In Pod Container

Detects attempts to execute commands inside a Pod's container, e.g. via "kubectl exec".

Kubernetes · application · audit
T1609 · Container Administration Command | TA0002 · Execution
Leo Tsaousis · Tue Mar 26 · application
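
As an added example (not code from the Sigma rule or from this listing): the event shape the exec rule above keys on, and how to recover the executed command from it. At the API server, "kubectl exec" becomes a create on the pod's exec subresource, and the argv travels only as repeated command= query parameters in the request URI, which Kubernetes audit records keep even at audit level Metadata. The audit events, user names, IPs and pod names below are constructed for the example.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Pod subresources that hand a client interactive or network access to a running container.
CONTAINER_ACCESS = {"exec", "attach", "portforward"}
SHELLS = {"sh", "bash", "ash", "dash", "zsh"}


def exec_from_event(event: dict) -> Optional[dict]:
    """Return user, pod, container and argv for an exec-style audit event, else None."""
    ref = event.get("objectRef", {})
    if event.get("verb") != "create" or ref.get("resource") != "pods":
        return None
    if ref.get("subresource") not in CONTAINER_ACCESS:
        return None
    # kubectl sends one "command=" parameter per argv element; parse_qs URL-decodes them.
    query = parse_qs(urlsplit(event.get("requestURI", "")).query)
    return {
        "user": event.get("user", {}).get("username"),
        "source_ip": (event.get("sourceIPs") or [None])[0],
        "pod": f"{ref.get('namespace')}/{ref.get('name')}",
        "subresource": ref["subresource"],
        "container": query.get("container", [None])[0],
        "command": query.get("command", []),
        "tty": query.get("tty", ["false"])[0] == "true",
    }


def is_interactive_shell(hit: dict) -> bool:
    """True for a TTY-backed exec whose argv[0] is a shell: the 'give me a prompt' pattern."""
    argv = hit.get("command") or []
    return bool(hit.get("tty")) and bool(argv) and argv[0].rsplit("/", 1)[-1] in SHELLS


# Constructed audit events (not real cluster data). Level Metadata is enough: requestURI is always kept.
EVENTS = [
    {"verb": "create", "user": {"username": "mallory"}, "sourceIPs": ["198.51.100.7"],
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "api-6c9d7-x2k9p", "subresource": "exec"},
     "requestURI": "/api/v1/namespaces/prod/pods/api-6c9d7-x2k9p/exec"
                   "?command=%2Fbin%2Fsh&command=-c"
                   "&command=id%3Bcat+%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Ftoken"
                   "&container=api&stdin=true&stdout=true&tty=true"},
    {"verb": "get", "user": {"username": "alice"}, "sourceIPs": ["10.0.0.5"],
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "api-6c9d7-x2k9p", "subresource": "log"},
     "requestURI": "/api/v1/namespaces/prod/pods/api-6c9d7-x2k9p/log?container=api"},
    {"verb": "create", "user": {"username": "alice"}, "sourceIPs": ["10.0.0.5"],
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "api-6c9d7-x2k9p", "subresource": "exec"},
     "requestURI": "/api/v1/namespaces/prod/pods/api-6c9d7-x2k9p/exec?command=ls&command=%2F&container=api&stdout=true"},
]

if __name__ == "__main__":
    for event in EVENTS:
        hit = exec_from_event(event)
        if hit:
            flag = "INTERACTIVE SHELL" if is_interactive_shell(hit) else "exec"
            print(f"{flag}: {hit['user']} from {hit['source_ip']} in {hit['pod']}:{hit['container']} ran {hit['command']}")
```

The "log" subresource is deliberately left out of CONTAINER_ACCESS: reading logs is a GET and does not run anything in the container, so it belongs to a different rule. Note that the command only shows up in the audit log because it is part of the URI; what the shell then does inside the container is invisible to the API server and has to come from node or container runtime telemetry.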
Detection · low · test

Container With A hostPath Mount Created

Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node into the container. Attackers with permission to create pods in the cluster may create one with a writable hostPath volume (for example the node's root filesystem) and chroot into it to escape to the underlying node.

Kubernetes · application · audit
T1611 · Escape to Host | TA0004 · Privilege Escalation
Leo Tsaousis · Tue Mar 26 · application
Detection · medium · test

Creation Of Pod In System Namespace

Detects pods created in the kube-system namespace, which could be intended to imitate system pods. Pods created by controllers such as Deployments or DaemonSets carry random suffixes in their names. Attackers can exploit this and name a backdoor pod as if it had been created by such a controller in order to avoid detection, e.g. by deploying a backdoor container named kube-proxy-bv61v into kube-system alongside the legitimate administrative containers.

Kubernetes · application · audit
TA0005 · Defense Evasion | T1036.005 · Match Legitimate Name or Location
Leo Tsaousis · Tue Mar 26 · application
Detection · low · test

Privileged Container Deployed

Detects the creation of a "privileged" container, which could indicate a threat actor mounting a container breakout attack. A privileged container can access the host with all of the root capabilities of the host machine: it can view, interact with and modify processes, network operations, IPC, the file system, mount points, SELinux configuration, etc. as root on the host. "Privileged" containers can be specified in several ways, e.g. by setting the securityContext.privileged flag in the resource specification, adding non-standard Linux capabilities, or setting the hostNetwork/hostPID fields.

Kubernetes · application · audit
T1611 · Escape to Host | TA0004 · Privilege Escalation
Leo Tsaousis · Tue Mar 26 · application
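
The three rules above (hostPath mount, pod created in kube-system, privileged container) all read the same thing: the Pod manifest submitted in a create request. As an added example, not the rules' own logic, the checks below run over constructed Kubernetes audit events and assume audit level RequestResponse (or Request), so that the manifest is present under requestObject. The capability list and the ownerReferences filter (controller-created pods in kube-system are ignored to cut noise) are choices made here, not part of the Sigma rules.

```python
import re
from typing import Optional

# Capabilities that give root-equivalent access to the node when added to a container (example's own list).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
# Controller-generated pod names end in a short random suffix, e.g. kube-proxy-bv61v.
CONTROLLER_NAME = re.compile(r"^[a-z0-9-]+-[a-z0-9]{5}$")


def pod_from_event(event: dict) -> Optional[dict]:
    """The submitted Pod manifest for a plain pod create (not exec/attach/etc.), else None."""
    ref = event.get("objectRef", {})
    if event.get("verb") != "create" or ref.get("resource") != "pods" or ref.get("subresource"):
        return None
    return event.get("requestObject")


def containers(pod: dict) -> list:
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", []) + spec.get("ephemeralContainers", [])


def check_host_path(pod: dict) -> list:
    """'Container With A hostPath Mount Created': every hostPath volume, and whether some
    container mounts it writable (the variant that enables a chroot escape)."""
    findings = []
    for vol in pod.get("spec", {}).get("volumes", []):
        if "hostPath" not in vol:
            continue
        writable = any(
            m.get("name") == vol["name"] and not m.get("readOnly", False)
            for c in containers(pod) for m in c.get("volumeMounts", [])
        )
        findings.append(f"hostPath {vol['hostPath'].get('path')!r} mounted {'writable' if writable else 'read-only'}")
    return findings


def check_privileged(pod: dict) -> list:
    """'Privileged Container Deployed': the privileged flag, host namespaces and added capabilities."""
    findings = []
    spec = pod.get("spec", {})
    findings += [f"{f}=true" for f in ("hostPID", "hostNetwork", "hostIPC") if spec.get(f)]
    for c in containers(pod):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container {c['name']} privileged=true")
        caps = DANGEROUS_CAPS & set(sc.get("capabilities", {}).get("add", []))
        if caps:
            findings.append(f"container {c['name']} adds {sorted(caps)}")
    return findings


def check_system_namespace(pod: dict, namespace: Optional[str]) -> list:
    """'Creation Of Pod In System Namespace': a pod created directly in kube-system.
    Controller-created pods carry ownerReferences and are skipped; a hand-made pod whose
    name copies the controller suffix is the suspicious case."""
    meta = pod.get("metadata", {})
    if namespace != "kube-system" or meta.get("ownerReferences"):
        return []
    name = meta.get("name", "")
    if CONTROLLER_NAME.match(name):
        return [f"pod {name!r} created directly in kube-system and named like a controller-managed pod"]
    return [f"pod {name!r} created directly in kube-system"]


def scan_event(event: dict) -> dict:
    """Run all three checks on one audit event; an empty list means that rule did not fire."""
    pod = pod_from_event(event)
    if pod is None:
        return {}
    ns = event.get("objectRef", {}).get("namespace") or pod.get("metadata", {}).get("namespace")
    return {
        "hostpath_mount": check_host_path(pod),
        "privileged_container": check_privileged(pod),
        "system_namespace_pod": check_system_namespace(pod, ns),
    }


# Constructed audit events (not real cluster data): a breakout pod, a name-mimicking backdoor, a legit DaemonSet pod.
EVENTS = [
    {"verb": "create", "user": {"username": "mallory"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "dbg"},
     "requestObject": {"metadata": {"name": "dbg"}, "spec": {
         "hostPID": True,
         "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
         "containers": [{"name": "c", "image": "alpine",
                         "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
                         "volumeMounts": [{"name": "root", "mountPath": "/host"}]}]}}},
    {"verb": "create", "user": {"username": "mallory"},
     "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "kube-proxy-bv61v"},
     "requestObject": {"metadata": {"name": "kube-proxy-bv61v"}, "spec": {
         "containers": [{"name": "kube-proxy", "image": "registry.example/agent"}]}}},
    {"verb": "create", "user": {"username": "system:serviceaccount:kube-system:daemon-set-controller"},
     "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "fluentd-q7m2p"},
     "requestObject": {"metadata": {"name": "fluentd-q7m2p", "ownerReferences": [{"kind": "DaemonSet", "name": "fluentd"}]},
                       "spec": {"volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
                                "containers": [{"name": "fluentd", "image": "fluentd",
                                                "volumeMounts": [{"name": "logs", "mountPath": "/var/log", "readOnly": True}]}]}}},
]

if __name__ == "__main__":
    for event in EVENTS:
        print(event["objectRef"]["name"], scan_event(event))
```

If the cluster's audit policy logs pod creates at level Metadata only, requestObject is absent and none of these checks can run; the hostPath and privileged rules need the request body, so the audit policy is part of the detection. Note also that the kube-system rule is the only one whose evidence (name, ownerReferences) comes from metadata rather than the pod spec.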
Detection · low · test

Kubernetes Secrets Enumeration

Detects enumeration of Kubernetes secrets.

Kubernetes · application · audit
T1552.007 · Container API | TA0006 · Credential Access
Leo Tsaousis · Tue Mar 26 · application
Detection · low · test

New Kubernetes Service Account Created

Detects creation of a new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.

Kubernetes · application · audit
TA0003 · Persistence | T1136 · Create Account
Leo Tsaousis · Tue Mar 26 · application
Detection · medium · test

Potential Sidecar Injection Into Running Deployment

Detects attempts to inject a sidecar container into a running deployment. A sidecar container is an additional container within a pod that resides alongside the main container. One way to add containers to running resources like Deployments/DaemonSets/StatefulSets is a "kubectl patch" operation. By injecting a new container into a legitimate pod, an attacker can run their code and hide their activity instead of running a separate pod of their own in the cluster.

Kubernetes · application · audit
T1609 · Container Administration Command | TA0002 · Execution
Leo Tsaousis · Tue Mar 26 · application
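
As an added example that is not part of the rule: at audit level Request or RequestResponse, a patch against a Deployment/DaemonSet/StatefulSet carries its patch body under requestObject. That body is a merge/strategic-merge document (mirroring the object's shape) for "kubectl patch -p '{...}'" and an RFC 6902 operation list for "--type json". The code below pulls out any container the patch introduces into the pod template. The events, user names and image names are constructed.

```python
import re

WORKLOADS = {"deployments", "daemonsets", "statefulsets", "replicasets"}
# JSON-patch paths that land inside the pod template's container lists.
CONTAINER_PATH = re.compile(r"^/spec/template/spec/(containers|initContainers)(/|$)")


def containers_from_patch(event: dict) -> list:
    """Containers that a patch adds to (or rewrites in) the workload's pod template."""
    if event.get("verb") != "patch" or event.get("objectRef", {}).get("resource") not in WORKLOADS:
        return []
    body = event.get("requestObject")
    found = []
    if isinstance(body, dict):  # merge / strategic merge patch: only the changed fields, in object shape
        tmpl = body.get("spec", {}).get("template", {}).get("spec", {})
        found += tmpl.get("containers", []) + tmpl.get("initContainers", [])
    elif isinstance(body, list):  # JSON patch: list of {op, path, value}
        for op in body:
            if op.get("op") in ("add", "replace") and CONTAINER_PATH.match(op.get("path", "")):
                value = op.get("value")
                found += value if isinstance(value, list) else [value]
    # Drop scalars such as a bare image string from a "/containers/0/image" replace.
    return [c for c in found if isinstance(c, dict) and "name" in c]


def sidecar_findings(event: dict) -> list:
    """One line per container a patch introduces, including who sent the patch."""
    ref = event.get("objectRef", {})
    who = event.get("user", {}).get("username")
    return [
        f"{ref.get('resource')} {ref.get('namespace')}/{ref.get('name')}: "
        f"container {c['name']!r} image {c.get('image')!r} patched in by {who}"
        for c in containers_from_patch(event)
    ]


# Constructed audit events: a strategic-merge sidecar, a JSON-patch sidecar, and a harmless scale-up.
EVENTS = [
    {"verb": "patch", "user": {"username": "mallory"},
     "objectRef": {"resource": "deployments", "namespace": "prod", "name": "web"},
     "requestObject": {"spec": {"template": {"spec": {"containers": [
         {"name": "monitor", "image": "registry.example/agent:latest"}]}}}}},
    {"verb": "patch", "user": {"username": "mallory"},
     "objectRef": {"resource": "daemonsets", "namespace": "kube-system", "name": "node-exporter"},
     "requestObject": [{"op": "add", "path": "/spec/template/spec/containers/-",
                        "value": {"name": "helper", "image": "registry.example/helper:1"}}]},
    {"verb": "patch", "user": {"username": "ci-bot"},
     "objectRef": {"resource": "deployments", "namespace": "prod", "name": "web"},
     "requestObject": {"spec": {"replicas": 5}}},
]

if __name__ == "__main__":
    for event in EVENTS:
        for line in sidecar_findings(event):
            print(line)
```

A legitimate image rollout ("kubectl set image", or a CI system) produces exactly the same strategic-merge shape with an existing container name, so this fires on those too. To separate a new sidecar from an image update, compare the container names in the patch with the workload's current container list (available in responseObject at level RequestResponse, or by a lookup) and alert only on names that were not there before.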
Detection · high · test

Remote Schedule Task Lateral Movement via ATSvc

Detects remote RPC calls to create or execute a scheduled task via ATSvc.

rpc_firewall · application
TA0004 · Privilege Escalation | TA0008 · Lateral Movement | TA0002 · Execution | TA0003 · Persistence (+2 more)
Sagie Dulce (+1) · Sat Jan 01 · application
Detection · high · test

Remote Schedule Task Recon via ATSvc

Detects remote RPC calls to read information about scheduled tasks via ATSvc.

rpc_firewall · application
TA0007 · Discovery
Sagie Dulce (+1) · Sat Jan 01 · application
Detection · high · test

Possible DCSync Attack

Detects remote RPC calls to MS-DRSR from non-DC hosts, which could indicate DCSync / DCShadow attacks.

rpc_firewall · application
T1033 · System Owner/User Discovery | TA0007 · Discovery
Sagie Dulce (+1) · Sat Jan 01 · application
Detection · high · test

Remote Encrypting File System Abuse

Detects remote RPC calls that could abuse the remote Encrypting File System service via MS-EFSR.

rpc_firewall · application
TA0008 · Lateral Movement
Sagie Dulce (+1) · Sat Jan 01 · application
Detection · high · test

Remote Schedule Task Lateral Movement via ITaskSchedulerService

Detects remote RPC calls to create or execute a scheduled task via ITaskSchedulerService.

rpc_firewall · application
TA0004 · Privilege Escalation | TA0003 · Persistence | TA0002 · Execution | TA0008 · Lateral Movement (+2 more)
Sagie Dulce (+1) · Sat Jan 01 · application
Detection · high · test

Remote Schedule Task Recon via ITaskSchedulerService

Detects remote RPC calls to read information about scheduled tasks via ITaskSchedulerService.

rpc_firewall · application
TA0007 · Discovery
Sagie Dulce (+1) · Sat Jan 01 · application
Detection · high · test

Remote Printing Abuse for Lateral Movement

Detects remote RPC calls that could abuse the remote printing service via MS-RPRN / MS-PAR.

rpc_firewall · application
TA0008 · Lateral Movement
Sagie Dulce (+1) · Sat Jan 01 · application
Detection · high · test

Remote DCOM/WMI Lateral Movement

Detects remote RPC calls that perform remote DCOM operations, which could be abused for lateral movement via DCOM or WMI.

rpc_firewall · application
TA0008 · Lateral Movement | TA0002 · Execution | T1021.003 · Distributed Component Object Model | T1047 · Windows Management Instrumentation
Sagie Dulce (+1) · Sat Jan 01 · application
Detection · high · test

Remote Registry Lateral Movement

Detects remote RPC calls to modify the registry and possibly execute code.

rpc_firewall · application
TA0005 · Defense Evasion | TA0008 · Lateral Movement | T1112 · Modify Registry | TA0003 · Persistence
Sagie Dulce (+1) · Sat Jan 01 · application
Detection · high · test

Remote Registry Recon

Detects remote RPC calls that read the remote registry to collect information.

rpc_firewall · application
TA0007 · Discovery
Sagie Dulce (+1) · Sat Jan 01 · application
Detection · high · test

Remote Server Service Abuse

Detects remote RPC calls that could abuse the remote Server Service via MS-SRVS.

rpc_firewall · application
TA0008 · Lateral Movement
Sagie Dulce (+1) · Sat Jan 01 · application
Detection · high · test

Remote Server Service Abuse for Lateral Movement

Detects remote RPC calls that could be used to create or start a service on a remote host for lateral movement (T1569.002 Service Execution).

rpc_firewall · application
TA0008 · Lateral Movement | TA0002 · Execution | T1569.002 · Service Execution
Sagie Dulce (+1) · Sat Jan 01 · application
Detection · high · test

Remote Schedule Task Lateral Movement via SASec

Detects remote RPC calls to create or execute a scheduled task via SASec.

rpc_firewall · application
TA0004 · Privilege Escalation | TA0008 · Lateral Movement | TA0002 · Execution | TA0003 · Persistence (+2 more)
Sagie Dulce (+1) · Sat Jan 01 · application
Detection · high · test

Recon Activity via SASec

Detects remote RPC calls to read information about scheduled tasks via SASec.

rpc_firewall · application
TA0007 · Discovery
Sagie Dulce (+1) · Sat Jan 01 · application
Detection · high · test

SharpHound Recon Account Discovery

Detects remote RPC calls used by SharpHound to map remote connections and local group membership.

rpc_firewall · application
T1087 · Account Discovery | TA0007 · Discovery
Sagie Dulce (+1) · Sat Jan 01 · application
Detection · high · test

SharpHound Recon Sessions

Detects remote RPC calls used by SharpHound to enumerate logged-on user sessions on remote hosts.

rpc_firewall · application
TA0007 · Discovery | T1033 · System Owner/User Discovery
Sagie Dulce (+1) · Sat Jan 01 · application
Detection · medium · test

Azure Application Deleted

Identifies when an application is deleted in Azure.

Azure · activitylogs
TA0005 · Defense Evasion | TA0040 · Impact | T1489 · Service Stop
Austin Songer · Fri Sep 03 · cloud
Detection · medium · test

Azure Application Gateway Modified or Deleted

Identifies when an application gateway is modified or deleted.

Azure · activitylogs
TA0040 · Impact
Austin Songer · Mon Aug 16 · cloud
Detection · medium · test

Azure Application Security Group Modified or Deleted

Identifies when an application security group is modified or deleted.

Azure · activitylogs
TA0040 · Impact
Austin Songer · Mon Aug 16 · cloud
Detection · low · test

Azure Container Registry Created or Deleted

Detects when a Container Registry is created or deleted.

Azure · activitylogs
TA0040 · Impact | T1485 · Data Destruction | T1496 · Resource Hijacking | T1489 · Service Stop
Austin Songer · Sat Aug 07 · cloud
Detection · medium · test

Azure Device No Longer Managed or Compliant

Identifies when a device in Azure is no longer managed or compliant.

Azure · activitylogs
TA0040 · Impact
Austin Songer · Fri Sep 03 · cloud
Detection · medium · test

Azure Device or Configuration Modified or Deleted

Identifies when a device or device configuration in Azure is modified or deleted.

Azure · activitylogs
TA0040 · Impact | T1485 · Data Destruction | T1565.001 · Stored Data Manipulation
Austin Songer · Fri Sep 03 · cloud
Detection · medium · test

Azure DNS Zone Modified or Deleted

Identifies when a DNS zone is modified or deleted.

Azure · activitylogs
TA0040 · Impact | T1565.001 · Stored Data Manipulation
Austin Songer · Sun Aug 08 · cloud
Detection · medium · test

Azure Firewall Modified or Deleted

Identifies when a firewall is created, modified, or deleted.

Azure · activitylogs
TA0040 · Impact | TA0005 · Defense Evasion | T1562.004 · Disable or Modify System Firewall
Austin Songer · Sun Aug 08 · cloud
Detection · medium · test

Azure Firewall Rule Collection Modified or Deleted

Identifies when Rule Collections (Application, NAT, and Network) are modified or deleted.

Azure · activitylogs
TA0040 · Impact | TA0005 · Defense Evasion | T1562.004 · Disable or Modify System Firewall
Austin Songer · Sun Aug 08 · cloud
Detection · medium · test

Azure Keyvault Key Modified or Deleted

Identifies when a Key Vault key is modified or deleted in Azure.

Azure · activitylogs
TA0040 · Impact | TA0006 · Credential Access | T1552 · Unsecured Credentials | T1552.001 · Credentials In Files
Austin Songer · Mon Aug 16 · cloud
Detection · medium · test

Azure Key Vault Modified or Deleted

Identifies when a key vault is modified or deleted.

Azure · activitylogs
TA0040 · Impact | TA0006 · Credential Access | T1552 · Unsecured Credentials | T1552.001 · Credentials In Files
Austin Songer · Mon Aug 16 · cloud
Detection · medium · test

Azure Keyvault Secrets Modified or Deleted

Identifies when Key Vault secrets are modified or deleted in Azure.

Azure · activitylogs
TA0040 · Impact | TA0006 · Credential Access | T1552 · Unsecured Credentials | T1552.001 · Credentials In Files
Austin Songer · Mon Aug 16 · cloud
Detection · medium · test

Azure Kubernetes Admission Controller

Identifies when an admission controller is deployed in Azure Kubernetes. A Kubernetes admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. Its behavior is defined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that a user deploys in the cluster. An adversary can use a MutatingAdmissionWebhook to obtain persistence in the cluster, for example by intercepting pod creation requests and adding a malicious container to every pod that is created. A ValidatingAdmissionWebhook can be used to obtain access credentials: because it receives every request it is registered for, an adversary can use it to record secrets and other sensitive information sent to the API server.

Azure · activitylogs
TA0004 · Privilege Escalation | TA0001 · Initial Access | TA0005 · Defense Evasion | TA0003 · Persistence (+4 more)
Austin Songer · Thu Nov 25 · cloud
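
As an added example, not the rule's own logic (the rule above matches Azure activity log operations, whereas this reads the cluster's own audit log): given the MutatingWebhookConfiguration or ValidatingWebhookConfiguration submitted in a Kubernetes audit event (requestObject at level RequestResponse), report what the webhook would be able to see and change. The field names (webhooks[].rules, clientConfig.url / clientConfig.service, namespaceSelector, failurePolicy) follow the admissionregistration.k8s.io/v1 schema; the objects, webhook names and IP address are constructed.

```python
WEBHOOK_KINDS = {"mutatingwebhookconfigurations": "mutating",
                 "validatingwebhookconfigurations": "validating"}


def _matches(rule: dict, resource: str, operation: str) -> bool:
    """A rule applies when both its resource and operation lists contain the value or '*'."""
    return (any(r in ("*", resource) for r in rule.get("resources", []))
            and any(o in ("*", operation) for o in rule.get("operations", [])))


def assess_webhooks(event: dict) -> list:
    """One finding per noteworthy property of each webhook in a create/update/patch event."""
    ref = event.get("objectRef", {})
    kind = WEBHOOK_KINDS.get(ref.get("resource"))
    if kind is None or event.get("verb") not in ("create", "update", "patch"):
        return []
    findings = []
    for hook in event.get("requestObject", {}).get("webhooks", []):
        name = hook.get("name")
        rules = hook.get("rules", [])
        cfg = hook.get("clientConfig", {})
        # Where admission requests (and the full objects in them) are sent.
        if "url" in cfg:
            findings.append(f"{name}: sends admission requests to external URL {cfg['url']}")
        elif "service" in cfg:
            svc = cfg["service"]
            findings.append(f"{name}: handled by in-cluster service {svc.get('namespace')}/{svc.get('name')}")
        # Persistence: a mutating hook on pod CREATE can add a container to every new pod.
        if kind == "mutating" and any(_matches(r, "pods", "CREATE") for r in rules):
            findings.append(f"{name}: can rewrite every new pod (e.g. add a container)")
        # Credential access: any hook registered for secrets receives their contents.
        if any(_matches(r, "secrets", op) for r in rules for op in ("CREATE", "UPDATE")):
            findings.append(f"{name}: receives secret contents in admission requests")
        if not hook.get("namespaceSelector") and not hook.get("objectSelector"):
            findings.append(f"{name}: no namespace/object selector, applies cluster-wide")
        # Ignore lets the endpoint go away without breaking admission, which suits a backdoor.
        if hook.get("failurePolicy") == "Ignore":
            findings.append(f"{name}: failurePolicy=Ignore, endpoint can disappear without blocking admission")
    return findings


# Constructed audit events: an externally hosted pod-mutating hook, and a scoped policy validator.
EVENTS = [
    {"verb": "create", "user": {"username": "mallory"},
     "objectRef": {"resource": "mutatingwebhookconfigurations", "name": "pod-inject"},
     "requestObject": {"webhooks": [{
         "name": "inject.example.com",
         "clientConfig": {"url": "https://203.0.113.10/mutate"},
         "rules": [{"apiGroups": [""], "apiVersions": ["v1"], "operations": ["CREATE"], "resources": ["pods"]}],
         "failurePolicy": "Ignore", "sideEffects": "None", "admissionReviewVersions": ["v1"]}]}},
    {"verb": "create", "user": {"username": "platform-admin"},
     "objectRef": {"resource": "validatingwebhookconfigurations", "name": "policy"},
     "requestObject": {"webhooks": [{
         "name": "check.example.com",
         "clientConfig": {"service": {"namespace": "policy", "name": "policy-webhook", "path": "/validate"}},
         "rules": [{"apiGroups": ["*"], "apiVersions": ["*"], "operations": ["*"], "resources": ["*"]}],
         "namespaceSelector": {"matchLabels": {"policy": "enforced"}},
         "failurePolicy": "Fail", "sideEffects": "None", "admissionReviewVersions": ["v1"]}]}},
]

if __name__ == "__main__":
    for event in EVENTS:
        for line in assess_webhooks(event):
            print(line)
```

The external-URL finding is the one worth paging on: legitimate admission controllers are almost always reached through an in-cluster Service, so a clientConfig.url pointing off-cluster means the request stream (including Secret bodies if the rules cover them) leaves the cluster. Wildcard rules on a validating hook are common for policy engines, which is why the example reports them rather than scoring them.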
Detection · low · test

Azure Kubernetes Cluster Created or Deleted

Detects when an Azure Kubernetes Cluster is created or deleted.

Azure · activitylogs
TA0040 · Impact | T1485 · Data Destruction | T1496 · Resource Hijacking | T1489 · Service Stop
Austin Songer · Sat Aug 07 · cloud
Detection · medium · test

Azure Kubernetes CronJob

Identifies when an Azure Kubernetes CronJob runs in Azure Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them terminate successfully; Jobs are used to run containers that perform finite tasks such as batch work. A Kubernetes CronJob schedules Jobs. An adversary may use a CronJob to schedule execution of malicious code that would run as a container in the cluster.

Azure · activitylogs
TA0003 · Persistence | T1053.003 · Cron | TA0004 · Privilege Escalation | TA0002 · Execution
Austin Songer · Mon Nov 22 · cloud
Detection · medium · test

Azure Kubernetes Events Deleted

Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

Azure · activitylogs
TA0005 · Defense Evasion | T1562 · Impair Defenses | T1562.001 · Disable or Modify Tools
Austin Songer · Sat Jul 24 · cloud
Detection · medium · test

Azure Kubernetes Network Policy Change

Identifies when an Azure Kubernetes network policy is modified or deleted.

Azure · activitylogs
TA0040 · Impact | TA0006 · Credential Access | T1485 · Data Destruction | T1496 · Resource Hijacking (+1 more)
Austin Songer · Sat Aug 07 · cloud
Detection · medium · test

Azure Kubernetes Pods Deleted

Identifies the deletion of Azure Kubernetes Pods.

Azure · activitylogs
TA0040 · Impact
Austin Songer · Sat Jul 24 · cloud
Detection · medium · test

Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted

Detects the creation or patching of potentially malicious RoleBindings/ClusterRoleBindings.

Azure · activitylogs
TA0040 · Impact | TA0006 · Credential Access | T1485 · Data Destruction | T1496 · Resource Hijacking (+1 more)
Austin Songer · Sat Aug 07 · cloud
Detection · medium · test

Azure Kubernetes Sensitive Role Access

Identifies when ClusterRoles/Roles are being modified or deleted.

Azure · activitylogs
TA0040 · Impact | T1485 · Data Destruction | T1496 · Resource Hijacking | T1489 · Service Stop
Austin Songer · Sat Aug 07 · cloud
Detection · medium · test

Azure Kubernetes Secret or Config Object Access

Identifies when a Kubernetes account accesses sensitive objects such as configmaps or secrets.

Azure · activitylogs
TA0040 · Impact | T1485 · Data Destruction | T1496 · Resource Hijacking | T1489 · Service Stop
Austin Songer · Sat Aug 07 · cloud
Detection · medium · test

Azure Kubernetes Service Account Modified or Deleted

Identifies when a service account is modified or deleted.

Azure · activitylogs
TA0040 · Impact | T1531 · Account Access Removal | T1485 · Data Destruction | T1496 · Resource Hijacking (+1 more)
Austin Songer · Sat Aug 07 · cloud
Detection · medium · test

Disabled MFA to Bypass Authentication Mechanisms

Detects when multi-factor authentication has been disabled, which might indicate malicious activity to bypass authentication mechanisms.

Azure · activitylogs
TA0005 · Defense Evasion | TA0006 · Credential Access | TA0003 · Persistence | T1556 · Modify Authentication Process
@ionsor · Tue Feb 08 · cloud