Terrance DeJesus
cabf1c2a02
* Tuning azure and m365 rule names and file paths * addressing unit test failures * addressing unit test failures * Changed Frontdoor to Front Door * removed extra space in name * adjusted Microsoft 365 to M365 in rule name * Update rules/integrations/azure/credential_access_storage_account_key_regenerated.toml * Update rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml * Update rules/integrations/azure/execution_automation_runbook_created_or_modified.toml * Update rules/integrations/azure/persistence_automation_account_created.toml * Update rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml * Update rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml * Update rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml * Update rules/integrations/azure/persistence_automation_webhook_created.toml * Update rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml * Update rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml * Update rules/integrations/azure/persistence_event_hub_created_or_updated.toml * Update rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml * Update rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml * Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * fixed additional rule names * Update rule dates and investigation guide headers - Set updated_date to 2025/12/10 for all modified rules - Fix investigation guide headers to match actual rule names - Ensures compliance with test_rule_change_has_updated_date - Ensures compliance with test_investigation_guide_uses_rule_name 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * changed kibana alert rule name to rule ID --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com>
112 lines
6.6 KiB
TOML
112 lines
6.6 KiB
TOML
[metadata]
|
|
creation_date = "2021/10/18"
|
|
integration = ["azure"]
|
|
maturity = "production"
|
|
updated_date = "2025/12/10"
|
|
|
|
[rule]
|
|
author = ["Austin Songer"]
|
|
description = """
|
|
Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects
|
|
(users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to
|
|
create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other
|
|
high privileges roles.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["logs-azure.activitylogs-*", "filebeat-*"]
|
|
language = "kuery"
|
|
license = "Elastic License v2"
|
|
name = "Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created"
|
|
note = """## Triage and analysis
|
|
|
|
> **Disclaimer**:
|
|
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
|
|
|
|
### Investigating Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created
|
|
Azure Kubernetes role bindings are crucial for managing access control within Kubernetes clusters, allowing specific permissions to be assigned to users, groups, or service accounts. Adversaries with the ability to create these bindings can escalate privileges by assigning themselves or others high-level roles, such as cluster-admin. The detection rule monitors Azure activity logs for successful creation events of role or cluster role bindings, signaling potential unauthorized privilege escalation attempts.
|
|
|
|
### Possible investigation steps
|
|
|
|
- Review the Azure activity logs to identify the user or service account associated with the role binding creation event. Focus on the `event.dataset` and `azure.activitylogs.operation_name` fields to confirm the specific operation.
|
|
- Check the `event.outcome` field to ensure the operation was successful and not a failed attempt, which might indicate a misconfiguration or testing.
|
|
- Investigate the permissions and roles assigned to the identified user or service account to determine if they have legitimate reasons to create role bindings or cluster role bindings.
|
|
- Examine the context of the role binding creation, such as the time of the event and any related activities, to identify any unusual patterns or correlations with other suspicious activities.
|
|
- Verify if the role binding grants elevated privileges, such as cluster-admin, and assess the potential impact on the cluster's security posture.
|
|
- Cross-reference the event with any recent changes in the cluster's configuration or access policies to understand if the role binding creation aligns with authorized administrative actions.
|
|
|
|
### False positive analysis
|
|
|
|
- Routine administrative tasks may trigger alerts when legitimate users create role bindings for operational purposes. To manage this, identify and whitelist specific user accounts or service accounts that regularly perform these tasks.
|
|
- Automated deployment tools or scripts that configure Kubernetes clusters might create role bindings as part of their normal operation. Exclude these tools by filtering out known service accounts or IP addresses associated with these automated processes.
|
|
- Scheduled maintenance or updates to the Kubernetes environment can result in multiple role binding creation events. Establish a maintenance window and suppress alerts during this period to avoid unnecessary noise.
|
|
- Development and testing environments often have frequent role binding changes. Consider creating separate monitoring rules with adjusted thresholds or risk scores for these environments to reduce false positives.
|
|
- Collaboration with the DevOps team can help identify expected role binding changes, allowing for preemptive exclusion of these events from triggering alerts.
|
|
|
|
### Response and remediation
|
|
|
|
- Immediately revoke any newly created role bindings or cluster role bindings that are unauthorized or suspicious to prevent further privilege escalation.
|
|
- Isolate the affected Kubernetes cluster from the network to prevent potential lateral movement or further exploitation by the adversary.
|
|
- Conduct a thorough review of recent activity logs to identify any unauthorized access or changes made by the adversary, focusing on the time frame around the alert.
|
|
- Reset credentials and access tokens for any compromised accounts or service accounts involved in the unauthorized role binding creation.
|
|
- Escalate the incident to the security operations team for further investigation and to determine if additional clusters or resources are affected.
|
|
- Implement additional monitoring and alerting for any future role binding or cluster role binding creation events to ensure rapid detection and response.
|
|
- Review and tighten role-based access control (RBAC) policies to ensure that only necessary permissions are granted to users, groups, and service accounts, minimizing the risk of privilege escalation.
|
|
|
|
## Setup
|
|
|
|
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
|
|
references = [
|
|
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
|
|
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
|
|
]
|
|
risk_score = 21
|
|
rule_id = "1c966416-60c1-436b-bfd0-e002fddbfd89"
|
|
severity = "low"
|
|
tags = [
|
|
"Domain: Cloud",
|
|
"Data Source: Azure",
|
|
"Use Case: Identity and Access Audit",
|
|
"Tactic: Privilege Escalation",
|
|
"Resources: Investigation Guide",
|
|
]
|
|
timestamp_override = "event.ingested"
|
|
type = "query"
|
|
|
|
query = '''
|
|
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
|
|
("MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE" or
|
|
"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE") and
|
|
event.outcome:(Success or success)
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1078"
|
|
name = "Valid Accounts"
|
|
reference = "https://attack.mitre.org/techniques/T1078/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1078.004"
|
|
name = "Cloud Accounts"
|
|
reference = "https://attack.mitre.org/techniques/T1078/004/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0004"
|
|
name = "Privilege Escalation"
|
|
reference = "https://attack.mitre.org/tactics/TA0004/"
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1098"
|
|
name = "Account Manipulation"
|
|
reference = "https://attack.mitre.org/techniques/T1098/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0003"
|
|
name = "Persistence"
|
|
reference = "https://attack.mitre.org/tactics/TA0003/"
|
|
|