Kubernetes principal attempted to enumerate their permissions

kubernetes

Classification:

attack

Tactic:

TA0007-discovery

Set up the kubernetes integration.

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Identify when a user is attempting to enumerate their permissions.

Strategy

This rule identifies when a user attempts to enumerate their permissions, for example, through the use of kubectl auth can-i --list. This can be an indicator of an attacker having compromised a Kubernetes service account or user and attempting to determine what permissions it has.

Triage and response

  1. Determine if enumerating the permissions of the user: {{@usr.id}} is suspicious. For example, a service account assigned to a web application and enumerating its privileges is highly suspicious, while a group assigned to operations engineers is likely to represent legitimate activity.
  2. Use the Cloud SIEM User Investigation dashboard to review any user actions that may have occurred after the potentially malicious action.

Changelog

  • 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
PREVIEWING: may/unit-testing