[New Rule] Kubernetes Pod Created With HostNetwork (#2072)

* [New Rule] Kubernetes Pod Created With HostNetwork

New rule TOML for pod created with hostNetwork, and added all k8s fields to the non-ecs-schema JSON

* Update privilege_escalation_pod_created_with_hostnetwork.toml

* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Author: Isai, 2022-07-28 13:57:43 -04:00, committed by GitHub. Parent f516241f1f, commit ecba0fc489.
@@ -0,0 +1,61 @@
[metadata]
creation_date = "2022/07/05"
integration = "kubernetes"
maturity = "production"
min_stack_comments = "Necessary audit log fields not available prior to 8.2"
min_stack_version = "8.2"
updated_date = "2022/07/05"
[rule]
author = ["Elastic"]
description = """
This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use
the node network namespace. Doing so gives the pod access to any service running on localhost of the host. An attacker
could use this access to snoop on network activity of other pods on the same node or bypass restrictive network policies
applied to its given namespace.
"""
false_positives = [
"""
An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID
namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto
the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and
network namespaces from the host's perspective.
""",
]
index = ["logs-kubernetes.*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes Pod Created With HostNetwork"
note = """## Setup
The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
references = [
"https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections",
"https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces",
"https://bishopfox.com/blog/kubernetes-pod-privilege-escalation",
]
risk_score = 47
rule_id = "12cbf709-69e8-4055-94f9-24314385c27e"
severity = "medium"
tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"]
timestamp_override = "event.ingested"
type = "query"
query = '''
kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.hostNetwork:true
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
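Review bot: The query will also fire on requests the API server denied, because nothing in it checks the authorization outcome; audit events for a rejected create/patch still carry `requestObject.spec.hostNetwork: true`. Consider adding `kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"` so the rule reports pods that were actually admitted, and anchor the query on `event.dataset:"kubernetes.audit_logs"` rather than relying on the broad `logs-kubernetes.*` index pattern alone, since other datasets in that integration do not carry these fields. Two smaller points: the description reads "This rules detects" (should be "This rule detects"), and the tags list "Execution" while the only tactic mapped under `[rule.threat]` is Privilege Escalation (TA0004); either drop the tag or add the matching tactic block so the tags and the MITRE mapping agree.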