[New Rule] Kubernetes Privileged Pod Created (#2070)

* new rule privileged pod created created toml for new rule and added to the non-ecs-schema with all fields * Update rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-07-28 15:19:15 -04:00
parent 80734b3f21
commit 3d88dc2cf5
1 changed files with 62 additions and 0 deletions
@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2022/07/05"
+integration = "kubernetes"
+maturity = "production"
+min_stack_comments = "Necessary audit log fields not available prior to 8.2"
+min_stack_version = "8.2"
+updated_date = "2022/07/05"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when a user creates a pod/container running in privileged mode. A highly privileged container has
+access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the
+privileged container to gain access to the underlying host. Gaining access to the host may provide the adversary with
+the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the
+environment, or setting up a command and control channel on the host.
+"""
+false_positives = [
+    """
+    By default a container is not allowed to access any devices on the host, but a "privileged" container is given
+    access to all devices on the host. This allows the container nearly all the same access as processes running on the
+    host. An administrator may want to run a privileged container to use operating system administrative capabilities
+    such as manipulating the network stack or accessing hardware devices from within the cluster.
+    """,
+]
+index = ["logs-kubernetes.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Kubernetes Privileged Pod Created"
+note = """## Setup
+
+The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF",
+    "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
+]
+risk_score = 47
+rule_id = "c7908cac-337a-4f38-b50d-5eeb78bdb531"
+severity = "medium"
+tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+kubernetes.audit.objectRef.resource:pods and kubernetes.audit.verb:create and
+  kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+