diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index f1bed1802..c66cef56a 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -121,7 +121,7 @@
 "kubernetes.audit.annotations.authorization_k8s_io/reason": "keyword",
 "kubernetes.audit.userAgent": "keyword",
 "kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name": "keyword",
- "kubernetes.audit.user.groups": "text",
+ "kubernetes.audit.user.groups": "keyword",
 "kubernetes.audit.requestObject.spec.containers.securityContext.privileged": "boolean",
 "kubernetes.audit.requestObject.spec.containers.securityContext.allowPrivilegeEscalation": "boolean",
 "kubernetes.audit.requestObject.spec.securityContext.runAsUser": "long",
diff --git a/rules/integrations/kubernetes/persistence_cluster_admin_rolebinding_created.toml b/rules/integrations/kubernetes/persistence_cluster_admin_rolebinding_created.toml
new file mode 100644
index 000000000..9b973150e
--- /dev/null
+++ b/rules/integrations/kubernetes/persistence_cluster_admin_rolebinding_created.toml
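Review bot: The `text` → `keyword` change for `kubernetes.audit.user.groups` on the `+` line only alters the rule validator's schema, so it should be confirmed against the kubernetes integration's actual field mapping rather than chosen to make a rule validate. If the integration maps the field as `keyword` the change is correct; if it is analyzed text, the exact-match comparison `not kubernetes.audit.user.groups == "system:masters"` in the new EQL rule would pass validation but behave differently in production. A pointer to the mapping source in the commit message would make the decision traceable.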
@@ -0,0 +1,74 @@
+[metadata]
+creation_date = "2026/02/04"
+integration = ["kubernetes"]
+maturity = "production"
+updated_date = "2026/02/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the creation of a RoleBinding or ClusterRoleBinding that grants the cluster-admin
+ClusterRole, which provides unrestricted access to all Kubernetes resources and represents a
+high-risk privilege escalation or misconfiguration.
+"""
+index = ["logs-kubernetes.audit_logs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Kubernetes Cluster-Admin Role Binding Created"
+references = [
+ "https://heilancoos.github.io/research/2025/12/16/kubernetes.html#overly-permissive-role-based-access-control",
+]
+risk_score = 47
+rule_id = "a2951930-dd35-438c-b10e-1bbdc5881cb4"
+severity = "medium"
+tags = [
+ "Data Source: Kubernetes",
+ "Domain: Kubernetes",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+event.dataset: "kubernetes.audit_logs" and kubernetes.audit.objectRef.resource:("clusterrolebindings" or "rolebindings") and
+kubernetes.audit.verb:"create" and kubernetes.audit.requestObject.roleRef.name:"cluster-admin" and
+kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
+kubernetes.audit.level:"RequestResponse" and kubernetes.audit.stage:"ResponseComplete"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.006"
+name = "Additional Container Cluster Roles"
+reference = "https://attack.mitre.org/techniques/T1098/006/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.006"
+name = "Additional Container Cluster Roles"
+reference = "https://attack.mitre.org/techniques/T1098/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/kubernetes/persistence_sensitive_role_creation_or_modification.toml b/rules/integrations/kubernetes/persistence_sensitive_role_creation_or_modification.toml
new file mode 100644
index 000000000..b1e2020f3
--- /dev/null
+++ b/rules/integrations/kubernetes/persistence_sensitive_role_creation_or_modification.toml
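Review bot: The query matches on `kubernetes.audit.requestObject.roleRef.name:"cluster-admin"` without checking the referenced kind, so a RoleBinding to a namespaced Role that happens to be named cluster-admin also alerts; adding `kubernetes.audit.requestObject.roleRef.kind:"ClusterRole"` pins the rule to the built-in ClusterRole (the path would need a non-ecs-schema.json entry if it is not already present). Minor style point: `event.dataset: "kubernetes.audit_logs"` has a space after the colon while the other new rules write `event.dataset:"kubernetes.audit_logs"`; both parse, but one form should be used throughout.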
@@ -0,0 +1,94 @@
+[metadata]
+creation_date = "2026/02/04"
+integration = ["kubernetes"]
+maturity = "production"
+updated_date = "2026/02/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the creation or modification of Kubernetes Roles or ClusterRoles that grant high-risk permissions,
+such as wildcard access or RBAC escalation verbs (e.g., bind, escalate, impersonate), which may enable
+privilege escalation or unauthorized access within the cluster.
+"""
+language = "esql"
+license = "Elastic License v2"
+name = "Kubernetes Creation or Modification of Sensitive Role"
+references = [
+ "https://heilancoos.github.io/research/2025/12/16/kubernetes.html#overly-permissive-role-based-access-control",
+]
+risk_score = 47
+rule_id = "0fb25791-d8d4-42ab-8fc7-4954642de85f"
+severity = "medium"
+tags = [
+ "Data Source: Kubernetes",
+ "Domain: Kubernetes",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+query = '''
+FROM logs-kubernetes.audit_logs-* metadata _id, _index, _version
+| WHERE
+ kubernetes.audit.objectRef.resource in ("roles", "clusterroles") and
+ kubernetes.audit.verb in ("create", "update", "patch") and
+ `kubernetes.audit.annotations.authorization_k8s_io/decision` == "allow" and
+ kubernetes.audit.level == "RequestResponse" and kubernetes.audit.stage == "ResponseComplete" and
+ KQL("""kubernetes.audit.requestObject.rules.verbs:("*" or "escalate" or "bind" or "impersonate") or kubernetes.audit.requestObject.rules.resources:("clusterroles" or "clusterrolebindings" or "roles" or "rolebindings")""")
+| KEEP
+ @timestamp,
+ data_stream.namespace,
+ `kubernetes.audit.annotations.authorization_k8s_io/decision`,
+ kubernetes.audit.level,
+ kubernetes.audit.objectRef.name,
+ kubernetes.audit.objectRef.resource,
+ kubernetes.audit.requestURI,
+ kubernetes.audit.responseStatus.code,
+ kubernetes.audit.sourceIPs,
+ kubernetes.audit.stage,
+ kubernetes.audit.user.groups,
+ kubernetes.audit.user.username,
+ kubernetes.audit.userAgent,
+ kubernetes.audit.verb,
+ _id,
+ _index,
+ _version
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.006"
+name = "Additional Container Cluster Roles"
+reference = "https://attack.mitre.org/techniques/T1098/006/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.006"
+name = "Additional Container Cluster Roles"
+reference = "https://attack.mitre.org/techniques/T1098/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/kubernetes/persistence_service_account_bound_to_clusterrole.toml b/rules/integrations/kubernetes/persistence_service_account_bound_to_clusterrole.toml
new file mode 100644
index 000000000..abaa01a9d
--- /dev/null
+++ b/rules/integrations/kubernetes/persistence_service_account_bound_to_clusterrole.toml
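Review bot: For `kubernetes.audit.verb == "patch"`, `requestObject` is the patch payload as sent, whose shape depends on the patch type, so the `KQL("""kubernetes.audit.requestObject.rules.verbs:...""")` condition will match strategic/merge patches that carry a `rules` array but is unlikely to match JSON-patch bodies, leaving a gap in the modification coverage the description promises. The `requestObject.rules.resources` branch fires on any role that mentions RBAC resources, including read-only `get`/`list` on rolebindings, which is broader than the `high-risk permissions` wording; scoping it with write verbs or documenting the intent under `false_positives` would narrow it. The `KEEP` of `kubernetes.audit.user.groups` relies on the schema type change made in this same commit.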
@@ -0,0 +1,72 @@
+[metadata]
+creation_date = "2026/02/04"
+integration = ["kubernetes"]
+maturity = "production"
+updated_date = "2026/02/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the creation of RoleBindings or ClusterRoleBindings that reference a ServiceAccount,
+which may indicate privilege delegation or potential RBAC misconfiguration leading to elevated access.
+"""
+index = ["logs-kubernetes.audit_logs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Kubernetes Creation of a RoleBinding Referencing a ServiceAccount"
+references = [
+ "https://heilancoos.github.io/research/2025/12/16/kubernetes.html#overly-permissive-role-based-access-control",
+]
+risk_score = 47
+rule_id = "fd00769d-b18d-450a-a844-7a9f9c71995e"
+severity = "medium"
+tags = [
+ "Data Source: Kubernetes",
+ "Domain: Kubernetes",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+event.dataset: "kubernetes.audit_logs" and kubernetes.audit.requestObject.spec.serviceAccountName:* and
+kubernetes.audit.verb:"create" and kubernetes.audit.objectRef.resource:("rolebindings" or "clusterrolebindings") and
+kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.006"
+name = "Additional Container Cluster Roles"
+reference = "https://attack.mitre.org/techniques/T1098/006/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.006"
+name = "Additional Container Cluster Roles"
+reference = "https://attack.mitre.org/techniques/T1098/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml b/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
new file mode 100644
index 000000000..25c7e44d9
--- /dev/null
+++ b/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
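Review bot: The `kubernetes.audit.requestObject.spec.serviceAccountName:*` clause cannot match the events this rule targets, because RoleBinding and ClusterRoleBinding objects have no `spec`; `serviceAccountName` is a Pod-template field, so combined with `objectRef.resource:("rolebindings" or "clusterrolebindings")` the rule should never fire on normal API clients. A binding references a ServiceAccount through its `subjects` list, so the condition to use is `kubernetes.audit.requestObject.subjects.kind:"ServiceAccount"` (that path would need an entry in non-ecs-schema.json if it is not already present). The cluster-admin binding rule in this commit additionally gates on `kubernetes.audit.level:"RequestResponse" and kubernetes.audit.stage:"ResponseComplete"`; adding the same here guarantees requestObject is populated and avoids a second alert from the RequestReceived stage event.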
@@ -0,0 +1,84 @@
+[metadata]
+creation_date = "2026/02/04"
+integration = ["kubernetes"]
+maturity = "production"
+updated_date = "2026/02/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects a sequence where a principal creates or modifies a Role/ClusterRole to include high-risk permissions
+(e.g., wildcard access or escalation verbs) and then creates or patches a workload resource (DaemonSet,
+Deployment, or CronJob) shortly after, which may indicate RBAC-based privilege escalation followed by payload
+deployment. This pattern is often used by adversaries to gain unauthorized access to sensitive resources and
+deploy malicious payloads.
+"""
+index = ["logs-kubernetes.audit_logs-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Kubernetes Sensitive RBAC Change Followed by Workload Modification"
+references = [
+ "https://heilancoos.github.io/research/2025/12/16/kubernetes.html#overly-permissive-role-based-access-control",
+]
+risk_score = 47
+rule_id = "3c82bf84-5941-495b-ac41-0302f28e1a90"
+severity = "medium"
+tags = [
+ "Data Source: Kubernetes",
+ "Domain: Kubernetes",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Persistence",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+sequence by user.name with maxspan=5m
+ [any where event.dataset == "kubernetes.audit_logs" and
+ `kubernetes.audit.annotations.authorization_k8s_io/decision` == "allow" and
+ kubernetes.audit.objectRef.resource in ("roles", "clusterroles") and
+ kubernetes.audit.verb in ("create", "update", "patch")]
+ [any where event.dataset == "kubernetes.audit_logs" and
+ `kubernetes.audit.annotations.authorization_k8s_io/decision` == "allow" and
+ kubernetes.audit.objectRef.resource in ("daemonsets", "deployments", "cronjobs") and
+ kubernetes.audit.verb in ("create", "patch") and
+ /* reduce control-plane / bootstrap noise */
+ not kubernetes.audit.user.groups == "system:masters"
+ ]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.006"
+name = "Additional Container Cluster Roles"
+reference = "https://attack.mitre.org/techniques/T1098/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.006"
+name = "Additional Container Cluster Roles"
+reference = "https://attack.mitre.org/techniques/T1098/006/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml b/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml
new file mode 100644
index 000000000..84e97aee9
--- /dev/null
+++ b/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml
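Review bot: The first sequence step does not inspect the role's content, so the description's claim that it detects a Role/ClusterRole modified `to include high-risk permissions (e.g., wildcard access or escalation verbs)` is not what the query does; any allowed create/update/patch of a role followed by a workload write by the same user.name matches. Either add a `requestObject.rules.verbs` condition like the ES|QL rule in this commit uses, or reword the description to `creates or modifies any Role/ClusterRole`. Neither step filters on `kubernetes.audit.stage`, so one request can contribute both its RequestReceived and ResponseComplete events to the sequence and produce duplicate alerts; the other rules here gate on `kubernetes.audit.stage == "ResponseComplete"`. The join key `user.name` differs from the `kubernetes.audit.user.username` field the sibling rules use, so it is worth confirming the integration populates the ECS field for every audit event.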
@@ -0,0 +1,80 @@
+[metadata]
+creation_date = "2026/02/04"
+integration = ["kubernetes"]
+maturity = "production"
+updated_date = "2026/02/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects write operations performed by Kubernetes service accounts against RBAC resources (Roles,
+ClusterRoles, RoleBindings, ClusterRoleBindings). Service accounts typically do not manage RBAC
+directly; this activity may indicate token abuse, misconfigured permissions, or unauthorized
+privilege escalation.
+"""
+index = ["logs-kubernetes.audit_logs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Kubernetes Service Account Modified RBAC Objects"
+references = [
+ "https://heilancoos.github.io/research/2025/12/16/kubernetes.html#overly-permissive-role-based-access-control",
+]
+risk_score = 47
+rule_id = "f2e21713-1eac-4908-a782-1b49c7e9d53b"
+severity = "medium"
+tags = [
+ "Data Source: Kubernetes",
+ "Domain: Kubernetes",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Persistence",
+]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+event.dataset:"kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
+kubernetes.audit.user.username:(
+ system\:serviceaccount\:* and not (
+ "system:serviceaccount:kube-system:clusterrole-aggregation-controller" or
+ "system:serviceaccount:kube-system:generic-garbage-collector"
+ )
+) and
+kubernetes.audit.objectRef.resource:("clusterrolebindings" or "clusterroles" or "rolebindings" or "roles") and
+kubernetes.audit.verb:("create" or "delete" or "patch" or "update")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.006"
+name = "Additional Container Cluster Roles"
+reference = "https://attack.mitre.org/techniques/T1098/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.006"
+name = "Additional Container Cluster Roles"
+reference = "https://attack.mitre.org/techniques/T1098/006/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"