From 2c4157066faeeb4dc49923c3c8bdf18e84f5e436 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Mon, 30 Jun 2025 10:20:33 +0200
Subject: [PATCH] [New Rule] Kubernetes Forbidden Creation Request (#4843)
---
.../execution_forbidden_creation_request.toml | 42 +++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 rules/integrations/kubernetes/execution_forbidden_creation_request.toml
diff --git a/rules/integrations/kubernetes/execution_forbidden_creation_request.toml b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml
new file mode 100644
index 000000000..86447c2c7
--- /dev/null
+++ b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml
@@ -0,0 +1,42 @@
+[metadata]
+creation_date = "2025/06/24"
+integration = ["kubernetes"]
+maturity = "production"
+updated_date = "2025/06/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects attempts to create resources in Kubernetes clusters that are forbidden by the authorization policy. It
+specifically looks for creation requests that are denied with a "forbid" decision, indicating that the user or service
+account does not have the necessary permissions to perform the action. This activity is commonly associated with
+adversaries attempting to create resources in a Kubernetes environment without proper authorization, which can lead to
+unauthorized access, manipulation of cluster resources, lateral movement and/or privilege escalation.
+"""
+index = ["logs-kubernetes.audit_logs-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Kubernetes Forbidden Creation Request"
+risk_score = 47
+rule_id = "ec81962e-4bc8-48e6-bfb0-545fc97d8f6a"
+severity = "medium"
+tags = [
+ "Data Source: Kubernetes",
+ "Domain: Kubernetes",
+ "Use Case: Threat Detection",
+ "Tactic: Execution"
+ ]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+any where host.os.type == "linux" and event.dataset == "kubernetes.audit_logs" and kubernetes.audit.verb == "create" and
+kubernetes.audit.stage == "ResponseComplete" and `kubernetes.audit.annotations.authorization_k8s_io/decision` == "forbid"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
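Review bot: The query matches every denied `create` request at `ResponseComplete` with no actor or resource scoping, and the rule ships without a `false_positives` entry or a `note` explaining how to triage the alerts. Forbidden creates are routinely produced by benign causes — controllers or operators whose RBAC role is missing a verb, users trying a command before their RoleBinding is applied, or admission-related retries — so at `medium`/`47` this will fire on normal cluster operation, and an analyst has nothing in the rule to tell those apart from the unauthorized-access scenario the description names. I would add, under `[rule]` alongside `description`, something like `false_positives = ["Misconfigured RBAC for workloads, controllers or operators, and users retrying a command before a RoleBinding is applied, produce forbidden create requests during normal operation. Baseline the identity (kubernetes.audit.user.username) and target resource (kubernetes.audit.objectRef.resource) before treating a hit as malicious."]`, and a short `note` section describing the triage steps (which identity issued the request, what resource and namespace were targeted, whether the same identity was later granted the permission). The rule's threat block carries only the tactic, which is consistent with the "Tactic: Execution" tag, so nothing is needed there.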