A Kubernetes user was assigned cluster administrator permissions

kubernetes

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1098-account-manipulation

Set up the kubernetes integration.

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Identify when a Kubernetes user is assigned cluster-level administrative permissions.

Strategy

This rule monitors when a ClusterRoleBinding object is created to bind a Kubernetes user to the cluster-admin default cluster-wide role. This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.

Triage and response

  1. Determine if the Kubernetes user referenced in @requestObject.subjects is expected to have been granted administrator permissions on the cluster
  2. Determine if the actor (@usr.id) is authorized to assign administrator permissions
  3. Use the Cloud SIEM User Investigation dashboard to review any user actions that may have occurred after the potentially malicious action.

Changelog

  • 20 September 2022 - Updated tags.
  • 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
  • 15 July 2024 - Updated detection query to include logs from Google Kubernetes Engine.
PREVIEWING: dgreen15/github-error-fix