[New Rules] Misc. K8s RBAC Abuse Rules (#5673)
* Updated kubernetes.audit.requestObject.spec.containers.image type from text to keyword * [New Rules] Misc. K8s RBAC Abuse Rules * -- * Update non-ecs-schema * Update to make unit tests happy * Mitre mapping updates * Fix query logic for service account role bindings * Fix formatting in persistence_service_account_bound_to_clusterrole rule
@@ -121,7 +121,7 @@
|
||||
"kubernetes.audit.annotations.authorization_k8s_io/reason": "keyword",
|
||||
"kubernetes.audit.userAgent": "keyword",
|
||||
"kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name": "keyword",
|
||||
"kubernetes.audit.user.groups": "text",
|
||||
"kubernetes.audit.user.groups": "keyword",
|
||||
"kubernetes.audit.requestObject.spec.containers.securityContext.privileged": "boolean",
|
||||
"kubernetes.audit.requestObject.spec.containers.securityContext.allowPrivilegeEscalation": "boolean",
|
||||
"kubernetes.audit.requestObject.spec.securityContext.runAsUser": "long",
|
||||
|
||||
@@ -0,0 +1,74 @@
|
||||
[metadata]
|
||||
creation_date = "2026/02/04"
|
||||
integration = ["kubernetes"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
This rule detects the creation of a RoleBinding or ClusterRoleBinding that grants the cluster-admin
|
||||
ClusterRole, which provides unrestricted access to all Kubernetes resources and represents a
|
||||
high-risk privilege escalation or misconfiguration.
|
||||
"""
|
||||
index = ["logs-kubernetes.audit_logs-*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "Kubernetes Cluster-Admin Role Binding Created"
|
||||
references = [
|
||||
"https://heilancoos.github.io/research/2025/12/16/kubernetes.html#overly-permissive-role-based-access-control",
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "a2951930-dd35-438c-b10e-1bbdc5881cb4"
|
||||
severity = "medium"
|
||||
tags = [
|
||||
"Data Source: Kubernetes",
|
||||
"Domain: Kubernetes",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Persistence",
|
||||
"Tactic: Privilege Escalation",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
query = '''
|
||||
event.dataset: "kubernetes.audit_logs" and kubernetes.audit.objectRef.resource:("clusterrolebindings" or "rolebindings") and
|
||||
kubernetes.audit.verb:"create" and kubernetes.audit.requestObject.roleRef.name:"cluster-admin" and
|
||||
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
|
||||
kubernetes.audit.level:"RequestResponse" and kubernetes.audit.stage:"ResponseComplete"
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1098"
|
||||
name = "Account Manipulation"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1098.006"
|
||||
name = "Additional Container Cluster Roles"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/006/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
name = "Persistence"
|
||||
reference = "https://attack.mitre.org/tactics/TA0003/"
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1098"
|
||||
name = "Account Manipulation"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1098.006"
|
||||
name = "Additional Container Cluster Roles"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/006/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0004"
|
||||
name = "Privilege Escalation"
|
||||
reference = "https://attack.mitre.org/tactics/TA0004/"
|
||||
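Review bot: The `kubernetes.audit.level:"RequestResponse"` condition in the query drops events from clusters whose audit policy records RBAC resources at `Request` level, even though the `requestObject` fields this rule depends on are populated at that level as well; `kubernetes.audit.level:("Request" or "RequestResponse")` keeps the requestObject dependency without losing those clusters. The match on `kubernetes.audit.requestObject.roleRef.name:"cluster-admin"` does not check the referenced kind, so a namespaced Role that merely happens to be named cluster-admin would also fire; if `kubernetes.audit.requestObject.roleRef.kind` is mapped in the non-ecs schema (the mapping hunk in this commit does not show it), adding `kubernetes.audit.requestObject.roleRef.kind:"ClusterRole"` pins the rule to the built-in ClusterRole. Limiting the verb to `create` is sound here because a binding's roleRef is immutable after creation, which is worth a short comment above the query so a later maintainer does not "fix" it by adding update/patch.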
+94
@@ -0,0 +1,94 @@
|
||||
[metadata]
|
||||
creation_date = "2026/02/04"
|
||||
integration = ["kubernetes"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Detects the creation or modification of Kubernetes Roles or ClusterRoles that grant high-risk permissions,
|
||||
such as wildcard access or RBAC escalation verbs (e.g., bind, escalate, impersonate), which may enable
|
||||
privilege escalation or unauthorized access within the cluster.
|
||||
"""
|
||||
language = "esql"
|
||||
license = "Elastic License v2"
|
||||
name = "Kubernetes Creation or Modification of Sensitive Role"
|
||||
references = [
|
||||
"https://heilancoos.github.io/research/2025/12/16/kubernetes.html#overly-permissive-role-based-access-control",
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "0fb25791-d8d4-42ab-8fc7-4954642de85f"
|
||||
severity = "medium"
|
||||
tags = [
|
||||
"Data Source: Kubernetes",
|
||||
"Domain: Kubernetes",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Persistence",
|
||||
"Tactic: Privilege Escalation",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "esql"
|
||||
query = '''
|
||||
FROM logs-kubernetes.audit_logs-* metadata _id, _index, _version
|
||||
| WHERE
|
||||
kubernetes.audit.objectRef.resource in ("roles", "clusterroles") and
|
||||
kubernetes.audit.verb in ("create", "update", "patch") and
|
||||
`kubernetes.audit.annotations.authorization_k8s_io/decision` == "allow" and
|
||||
kubernetes.audit.level == "RequestResponse" and kubernetes.audit.stage == "ResponseComplete" and
|
||||
KQL("""kubernetes.audit.requestObject.rules.verbs:("*" or "escalate" or "bind" or "impersonate") or kubernetes.audit.requestObject.rules.resources:("clusterroles" or "clusterrolebindings" or "roles" or "rolebindings")""")
|
||||
| KEEP
|
||||
@timestamp,
|
||||
data_stream.namespace,
|
||||
`kubernetes.audit.annotations.authorization_k8s_io/decision`,
|
||||
kubernetes.audit.level,
|
||||
kubernetes.audit.objectRef.name,
|
||||
kubernetes.audit.objectRef.resource,
|
||||
kubernetes.audit.requestURI,
|
||||
kubernetes.audit.responseStatus.code,
|
||||
kubernetes.audit.sourceIPs,
|
||||
kubernetes.audit.stage,
|
||||
kubernetes.audit.user.groups,
|
||||
kubernetes.audit.user.username,
|
||||
kubernetes.audit.userAgent,
|
||||
kubernetes.audit.verb,
|
||||
_id,
|
||||
_index,
|
||||
_version
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1098"
|
||||
name = "Account Manipulation"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1098.006"
|
||||
name = "Additional Container Cluster Roles"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/006/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
name = "Persistence"
|
||||
reference = "https://attack.mitre.org/tactics/TA0003/"
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1098"
|
||||
name = "Account Manipulation"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1098.006"
|
||||
name = "Additional Container Cluster Roles"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/006/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0004"
|
||||
name = "Privilege Escalation"
|
||||
reference = "https://attack.mitre.org/tactics/TA0004/"
|
||||
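Review bot: The `KQL("""...""")` clause lists `"*"` among the verbs but not among the resources, so a Role granting a single non-wildcard verb such as `create` on `resources: ["*"]` is not matched although it is at least as broad as several of the listed cases; adding `"*"` to the resources alternation closes that gap. The resources branch is joined by `or` with no verb constraint, so a Role that only grants read-only `get`/`list` on rolebindings also matches; if that is intended, a comment above the query should say so, since it will drive most of the volume. The `KEEP` list omits `kubernetes.audit.requestObject.rules.verbs` and `kubernetes.audit.requestObject.rules.resources`, which are precisely the fields that triggered the alert, so an analyst has to go back to the raw document to see what was granted.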
@@ -0,0 +1,72 @@
|
||||
[metadata]
|
||||
creation_date = "2026/02/04"
|
||||
integration = ["kubernetes"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
This rule detects the creation of RoleBindings or ClusterRoleBindings that reference a ServiceAccount,
|
||||
which may indicate privilege delegation or potential RBAC misconfiguration leading to elevated access.
|
||||
"""
|
||||
index = ["logs-kubernetes.audit_logs-*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "Kubernetes Creation of a RoleBinding Referencing a ServiceAccount"
|
||||
references = [
|
||||
"https://heilancoos.github.io/research/2025/12/16/kubernetes.html#overly-permissive-role-based-access-control",
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "fd00769d-b18d-450a-a844-7a9f9c71995e"
|
||||
severity = "medium"
|
||||
tags = [
|
||||
"Data Source: Kubernetes",
|
||||
"Domain: Kubernetes",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Persistence",
|
||||
"Tactic: Privilege Escalation",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
query = '''
|
||||
event.dataset: "kubernetes.audit_logs" and kubernetes.audit.requestObject.spec.serviceAccountName:* and
|
||||
kubernetes.audit.verb:"create" and kubernetes.audit.objectRef.resource:("rolebindings" or "clusterrolebindings") and
|
||||
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1098"
|
||||
name = "Account Manipulation"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1098.006"
|
||||
name = "Additional Container Cluster Roles"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/006/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
name = "Persistence"
|
||||
reference = "https://attack.mitre.org/tactics/TA0003/"
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1098"
|
||||
name = "Account Manipulation"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1098.006"
|
||||
name = "Additional Container Cluster Roles"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/006/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0004"
|
||||
name = "Privilege Escalation"
|
||||
reference = "https://attack.mitre.org/tactics/TA0004/"
|
||||
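Review bot: The first condition of the query, `kubernetes.audit.requestObject.spec.serviceAccountName:*`, names a Pod-spec field; RoleBinding and ClusterRoleBinding objects have no `spec` and reference a ServiceAccount through `subjects[].kind` and `subjects[].name`, so the conjunction with `objectRef.resource:("rolebindings" or "clusterrolebindings")` is unlikely ever to be satisfiable and the rule would not fire. Suggest `kubernetes.audit.requestObject.subjects.kind:"ServiceAccount"`, provided that field is mapped in the non-ecs schema (the mapping hunk in this commit does not show it). The rule also omits the `kubernetes.audit.level` and `kubernetes.audit.stage:"ResponseComplete"` filters used by the sibling cluster-admin rule, so where the audit policy records both stages it may alert on the RequestReceived and ResponseComplete records of the same request.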
+84
@@ -0,0 +1,84 @@
|
||||
[metadata]
|
||||
creation_date = "2026/02/04"
|
||||
integration = ["kubernetes"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Detects a sequence where a principal creates or modifies a Role/ClusterRole to include high-risk permissions
|
||||
(e.g., wildcard access or escalation verbs) and then creates or patches a workload resource (DaemonSet,
|
||||
Deployment, or CronJob) shortly after, which may indicate RBAC-based privilege escalation followed by payload
|
||||
deployment. This pattern is often used by adversaries to gain unauthorized access to sensitive resources and
|
||||
deploy malicious payloads.
|
||||
"""
|
||||
index = ["logs-kubernetes.audit_logs-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Kubernetes Sensitive RBAC Change Followed by Workload Modification"
|
||||
references = [
|
||||
"https://heilancoos.github.io/research/2025/12/16/kubernetes.html#overly-permissive-role-based-access-control",
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "3c82bf84-5941-495b-ac41-0302f28e1a90"
|
||||
severity = "medium"
|
||||
tags = [
|
||||
"Data Source: Kubernetes",
|
||||
"Domain: Kubernetes",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Privilege Escalation",
|
||||
"Tactic: Persistence",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
sequence by user.name with maxspan=5m
|
||||
[any where event.dataset == "kubernetes.audit_logs" and
|
||||
`kubernetes.audit.annotations.authorization_k8s_io/decision` == "allow" and
|
||||
kubernetes.audit.objectRef.resource in ("roles", "clusterroles") and
|
||||
kubernetes.audit.verb in ("create", "update", "patch")]
|
||||
[any where event.dataset == "kubernetes.audit_logs" and
|
||||
`kubernetes.audit.annotations.authorization_k8s_io/decision` == "allow" and
|
||||
kubernetes.audit.objectRef.resource in ("daemonsets", "deployments", "cronjobs") and
|
||||
kubernetes.audit.verb in ("create", "patch") and
|
||||
/* reduce control-plane / bootstrap noise */
|
||||
not kubernetes.audit.user.groups == "system:masters"
|
||||
]
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1098"
|
||||
name = "Account Manipulation"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1098.006"
|
||||
name = "Additional Container Cluster Roles"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/006/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0004"
|
||||
name = "Privilege Escalation"
|
||||
reference = "https://attack.mitre.org/tactics/TA0004/"
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1098"
|
||||
name = "Account Manipulation"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1098.006"
|
||||
name = "Additional Container Cluster Roles"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/006/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
name = "Persistence"
|
||||
reference = "https://attack.mitre.org/tactics/TA0003/"
|
||||
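Review bot: The description says the first event is a Role/ClusterRole modified "to include high-risk permissions (e.g., wildcard access or escalation verbs)", but the first sequence step at `kubernetes.audit.objectRef.resource in ("roles", "clusterroles")` has no filter on the request body, so any role write by the principal starts the sequence; either constrain it with `kubernetes.audit.requestObject.rules.verbs in ("*", "escalate", "bind", "impersonate")`, as the ES|QL rule in this commit does, or reword the description to match what the query checks. The `system:masters` exclusion is applied only to the second step, although bootstrap noise would originate at the first step as well. The second step's verbs `("create", "patch")` omit `update`, which the first step includes; a one-line comment giving the reason would help. `sequence by user.name` assumes the integration populates ECS `user.name` from the audit user, whereas the sibling KQL rules key on `kubernetes.audit.user.username`; that is worth confirming against the integration's field mapping.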
+80
@@ -0,0 +1,80 @@
|
||||
[metadata]
|
||||
creation_date = "2026/02/04"
|
||||
integration = ["kubernetes"]
|
||||
maturity = "production"
|
||||
updated_date = "2026/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Detects write operations performed by Kubernetes service accounts against RBAC resources (Roles,
|
||||
ClusterRoles, RoleBindings, ClusterRoleBindings). Service accounts typically do not manage RBAC
|
||||
directly; this activity may indicate token abuse, misconfigured permissions, or unauthorized
|
||||
privilege escalation.
|
||||
"""
|
||||
index = ["logs-kubernetes.audit_logs-*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "Kubernetes Service Account Modified RBAC Objects"
|
||||
references = [
|
||||
"https://heilancoos.github.io/research/2025/12/16/kubernetes.html#overly-permissive-role-based-access-control",
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "f2e21713-1eac-4908-a782-1b49c7e9d53b"
|
||||
severity = "medium"
|
||||
tags = [
|
||||
"Data Source: Kubernetes",
|
||||
"Domain: Kubernetes",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Privilege Escalation",
|
||||
"Tactic: Persistence",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
query = '''
|
||||
event.dataset:"kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
|
||||
kubernetes.audit.user.username:(
|
||||
system\:serviceaccount\:* and not (
|
||||
"system:serviceaccount:kube-system:clusterrole-aggregation-controller" or
|
||||
"system:serviceaccount:kube-system:generic-garbage-collector"
|
||||
)
|
||||
) and
|
||||
kubernetes.audit.objectRef.resource:("clusterrolebindings" or "clusterroles" or "rolebindings" or "roles") and
|
||||
kubernetes.audit.verb:("create" or "delete" or "patch" or "update")
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1098"
|
||||
name = "Account Manipulation"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1098.006"
|
||||
name = "Additional Container Cluster Roles"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/006/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0004"
|
||||
name = "Privilege Escalation"
|
||||
reference = "https://attack.mitre.org/tactics/TA0004/"
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1098"
|
||||
name = "Account Manipulation"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1098.006"
|
||||
name = "Additional Container Cluster Roles"
|
||||
reference = "https://attack.mitre.org/techniques/T1098/006/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
name = "Persistence"
|
||||
reference = "https://attack.mitre.org/tactics/TA0003/"
|
||||
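Review bot: The two kube-system accounts in the `not (` group are the only carve-outs, and any other in-cluster component that legitimately reconciles RBAC (GitOps controllers, operator frameworks, add-on managers) also runs as a service account and will alert on every reconcile; a comment above the query explaining why exactly those two are excluded, and pointing tuning at a per-deployment exception list rather than at editing the query, would make the rule safer to maintain. The rule also lacks the `kubernetes.audit.stage:"ResponseComplete"` filter used by the cluster-admin rule in this commit, so where the audit policy keeps both stages it may fire on the RequestReceived and ResponseComplete records of one request. `delete` is included in the verb list here but not in the other RBAC rules; that is reasonable for RBAC objects, and a short comment saying so would stop it from being "aligned" away later.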