From 3d88dc2cf5fbd25ad18209596bb8b4102125eee2 Mon Sep 17 00:00:00 2001 From: Isai <59296946+imays11@users.noreply.github.com> Date: Thu, 28 Jul 2022 15:19:15 -0400 Subject: [PATCH] [New Rule] Kubernetes Privileged Pod Created (#2070) * new rule privileged pod created created toml for new rule and added to the non-ecs-schema with all fields * Update rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml Co-authored-by: Justin Ibarra * Update rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml Co-authored-by: Justin Ibarra * Update rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml Co-authored-by: Justin Ibarra Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Jonhnathan Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> --- ...ege_escalation_privileged_pod_created.toml | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml new file mode 100644 index 000000000..8db4db42a --- /dev/null +++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml @@ -0,0 +1,62 @@ +[metadata] +creation_date = "2022/07/05" +integration = "kubernetes" +maturity = "production" +min_stack_comments = "Necessary audit log fields not available prior to 8.2" +min_stack_version = "8.2" +updated_date = "2022/07/05" + +[rule] +author = ["Elastic"] +description = """ +This rule detects when a user creates a pod/container running in privileged mode. A highly privileged container has +access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the +privileged container to gain access to the underlying host. Gaining access to the host may provide the adversary with +the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the +environment, or setting up a command and control channel on the host. +""" +false_positives = [ + """ + By default a container is not allowed to access any devices on the host, but a "privileged" container is given + access to all devices on the host. This allows the container nearly all the same access as processes running on the + host. An administrator may want to run a privileged container to use operating system administrative capabilities + such as manipulating the network stack or accessing hardware devices from within the cluster. + """, +] +index = ["logs-kubernetes.*"] +language = "kuery" +license = "Elastic License v2" +name = "Kubernetes Privileged Pod Created" +note = """## Setup + +The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.""" +references = [ + "https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF", + "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", +] +risk_score = 47 +rule_id = "c7908cac-337a-4f38-b50d-5eeb78bdb531" +severity = "medium" +tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +kubernetes.audit.objectRef.resource:pods and kubernetes.audit.verb:create and + kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1611" +name = "Escape to Host" +reference = "https://attack.mitre.org/techniques/T1611/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +