From 8d50ab9e5f8a84e635f4209efec6900dce4aef50 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 24 Nov 2021 23:53:57 -0600
Subject: [PATCH] Create gcp_kubernetes_admission_controller.yml

---
 .../gcp_kubernetes_admission_controller.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/cloud/gcp/gcp_kubernetes_admission_controller.yml

diff --git a/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml b/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml
new file mode 100644
index 000000000..40f94ee5a
--- /dev/null
+++ b/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml
@@ -0,0 +1,29 @@
+title: Google Cloud Kubernetes Admission Controller
+id: 6ad91e31-53df-4826-bd27-0166171c8040
+description: Identifies when an admission controller is executed in GCP Kubernetes. Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook that the user deploys in the cluster. Attackers can use such webhooks for gaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.
+author: Austin Songer @austinsonger
+status: experimental
+date: 2021/11/25
+references:
+ - https://cloud.google.com/kubernetes-engine/docs
+logsource:
+ product: gcp
+ service: gcp.audit
+detection:
+ selection:
+ gcp.audit.method_name:
+ - admissionregistration.k8s.io.v*.mutatingwebhookconfigurations.create
+ - admissionregistration.k8s.io.v*.mutatingwebhookconfigurations.patch
+ - admissionregistration.k8s.io.v*.mutatingwebhookconfigurations.replace
+ - admissionregistration.k8s.io.v*.validatingwebhookconfigurations.create
+ - admissionregistration.k8s.io.v*.validatingwebhookconfigurations.patch
+ - admissionregistration.k8s.io.v*.validatingwebhookconfigurations.replace
+ condition: selection
+level: medium
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.execution
+falsepositives:
+- Google Cloud Kubernetes Admission Controller may be done by a system administrator.
+- If known behavior is causing false positives, it can be exempted from the rule.
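Review bot: The `gcp.audit.method_name` values in `selection` are written as `admissionregistration.k8s.io.v*.<resource>.<verb>`, but to my recollection GKE audit `methodName` strings are API-group-first (`io.k8s.admissionregistration.<version>.<resource>.<verb>`) and use the verb `update` rather than `replace`; please confirm the exact strings against a real `gcp.audit` event before merging, because a format mismatch means the rule never fires. The `description` says the rule identifies when an admission controller is "executed", whereas the selection matches creation and modification of webhook configurations — I would reword it to `description: Detects the creation or modification of mutating or validating admission webhook configurations in GKE, which attackers can use to intercept and alter API requests for persistence.` and keep the remaining explanation. Deleting a `validatingwebhookconfigurations` object is also worth matching, since it disables policy enforcement, with `attack.defense_evasion` added to `tags`; the present `attack.privilege_escalation` and `attack.execution` tags do not follow from what the selection matches. Minor style: the `falsepositives` sequence is flush with its key while `references` and `tags` are indented — pick one sequence indentation for the file.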