security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Azure Kubernetes Rolebindings Created (#1576)

Browse Source 
* Create azure_kubernetes_rolebinding_created_or_deleted.toml

* Update

* Update privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml

* Update and rename privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified.toml to privilege_escalation_azure_kubernetes_rolebinding_created.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_created.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 521f0987ae)
This commit is contained in:
Austin Songer
2021-11-29 06:16:00 -06:00
committed by github-actions[bot]
parent c49501c4cc
commit 423145dae7
1 changed files with 47 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
+47
View File
@@ -0,0 +1,47 @@
[metadata]
creation_date = "2021/10/18"
maturity = "production"
updated_date = "2021/11/22"
integration = "azure"
[rule]
author = ["Austin Songer"]
description = """
Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects
(users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create
bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges
roles.
"""
from = "now-20m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Kubernetes Rolebindings Created"
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
]
risk_score = 21
rule_id = "1c966416-60c1-436b-bfd0-e002fddbfd89"
severity = "low"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
("MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE" or
"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE") and
event.outcome:(Success or success)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"