Anonymous request authorized

gcp.k8s.cluster

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when an unauthenticated request user is permitted in Kubernetes.

Strategy

This rule monitors when any action is permitted (@http.status_code:[100 TO 299]) for an unauthenticated user (@user.username:\"system:anonymous\"). The /livez and /readyz endpoints are commonly accessed unauthenticated and are excluded in the query filter.

Triage and response

  1. Inspect all of the HTTP paths accessed and determine if any of the path should be permitted by unauthenticated users.
  2. Determine what IP addresses accessed Kubernetes endpoints which may contain sensitive data.

Changelog

  • 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
  • 15 July 2024 - Updated detection query to include logs from Google Kubernetes Engine.
PREVIEWING: dgreen15/github-error-fix