* [New/Tuning] Direct Kubelet API Access rules
- tuned existing rule for D4C to bump up severity to high (low FP and very suspicious behavior) + added 10255 port and wss URL.
- duplicated the same rule logic for auditd/endpoint compatibility for both the 10250 port in args and kubeletctl exec.
- added a new one using a network event instead of a process argument for more resilience.
* ++
* Update discovery_potential_direct_kubelet_access_via_process_args.toml
* Update and rename discovery_potential_direct_kubelet_access_via_process_args.toml to lateral_movement_direct_kubelet_access_via_process_args.toml
* Update rules/linux/lateral_movement_direct_kubelet_access_via_process_args.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/linux/discovery_potential_kubeletctl_execution.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update discovery_potential_kubeletctl_execution.toml
* Update lateral_movement_kubelet_api_connection_attempt_internal_ip.toml
* Apply suggestion from @Aegrah
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Apply suggestion from @Aegrah
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
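The following is an added illustration, not code from this PR or the detection-rules project's own EQL: it emulates in Python the two detection approaches the first commit describes, one keyed on process arguments (a kubelet port such as 10250/10255 in an argument, a wss:// URL, or `kubeletctl exec`) and one keyed on the network event (a connection to a kubelet port on an internal IP), and shows why the network-event variant is the more resilient of the two. The rule labels reuse the file names from the commit log; the events, the field names and the exact match conditions are constructed assumptions.

```python
"""
Constructed emulation of the two detection approaches named in the commit log.
This is NOT the project's EQL; field names, events and match conditions are
assumptions made for the example.
"""
import ipaddress
import re

# Kubelet API ports: 10250 (authenticated, read/write) and 10255 (read-only).
KUBELET_PORTS = {10250, 10255}

# Matches "https://10.0.0.5:10250/pods", "10.0.0.5:10255" or a bare "10250",
# but not "102500" or a path such as "/var/log/10250x".
PORT_IN_ARG_RE = re.compile(r"(?:^|:)(?:10250|10255)(?:/|$)")


def process_args_match(args):
    """Argument-based rule: return the matching sub-condition, or None."""
    if not args:
        return None
    exe = args[0].rsplit("/", 1)[-1]
    # kubeletctl exec: direct command execution through the kubelet API.
    if exe == "kubeletctl" and "exec" in args[1:]:
        return "kubeletctl exec"
    for tok in args[1:]:
        # The kubelet exec/attach endpoints are reached over websockets.
        if tok.startswith("wss://"):
            return "wss url"
        if PORT_IN_ARG_RE.search(tok):
            return "kubelet port in args"
    return None


def network_event_match(dest_ip, dest_port):
    """Network-based rule: connection to a kubelet port on an internal address."""
    try:
        ip = ipaddress.ip_address(dest_ip)
    except ValueError:
        return False
    return dest_port in KUBELET_PORTS and ip.is_private


# Labels only; they reuse the rule file names from the commit log.
ARGS_RULE = "lateral_movement_direct_kubelet_access_via_process_args"
KUBELETCTL_RULE = "discovery_potential_kubeletctl_execution"
NETWORK_RULE = "lateral_movement_kubelet_api_connection_attempt_internal_ip"


def evaluate(events):
    """Run both rule families over a list of events; return (id, rule, why)."""
    alerts = []
    for ev in events:
        if ev["kind"] == "process":
            why = process_args_match(ev["args"])
            if why == "kubeletctl exec":
                alerts.append((ev["id"], KUBELETCTL_RULE, why))
            elif why:
                alerts.append((ev["id"], ARGS_RULE, why))
        elif ev["kind"] == "network":
            if network_event_match(ev["dest_ip"], ev["dest_port"]):
                alerts.append((ev["id"], NETWORK_RULE, "internal kubelet port"))
    return alerts


# Constructed sample events (assumed schema, not any real agent's output).
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process", "args": ["curl", "-k", "https://10.0.0.5:10250/pods"]},
    {"id": 2, "kind": "process",
     "args": ["/usr/local/bin/kubeletctl", "exec", "id", "-p", "nginx", "-c", "nginx"]},
    # Target URL comes from an environment variable, so argv never names the
    # port: the argument-based rule is blind here ...
    {"id": 3, "kind": "process",
     "args": ["python3", "-c",
              "import os,requests;requests.get(os.environ['KUBELET'],verify=False)"]},
    # ... but the connection it makes is still visible as a network event.
    {"id": 4, "kind": "network", "dest_ip": "10.0.0.5", "dest_port": 10250},
    # Benign traffic: neither rule should fire.
    {"id": 5, "kind": "process", "args": ["curl", "https://example.com/"]},
    {"id": 6, "kind": "network", "dest_ip": "93.184.216.34", "dest_port": 443},
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Event 3 is the case the third bullet of the commit log is about: an attacker who keeps the host and port out of argv defeats the argument-based rule, while the outbound connection to 10250 on an internal address still trips the network-event rule.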