security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
963d01ba89dbebf8e2ed0f3d9f954c308c192908
sigma-rules/rules
T
History
Isai 963d01ba89 [New Rule] Kubernetes Suspicious Assignment of Controller Service Account (#2298) 
* [New Rule] Kubernetes Suspicious Assignment of Controller Service Account

Issues
--
#2034

Summary
--
This rule detects a request to attach a controller service account to an existing or new pod running in the kube-system namespace. By default, controllers running as part of the API Server utilize admin-equivalent service accounts hosted in the kube-system namespace. Controller service accounts aren't normally assigned to running pods and could indicate adversary behavior within the cluster. An attacker that can create or modify pods or pod controllers in the kube-system namespace, can assign one of these admin-equivalent service accounts to a pod and abuse their powerful token to escalate privileges and gain complete cluster control.

* Update privilege_escalation_suspicious_assignment_of_controller_service_account.toml

updated query after testing

* Update non-ecs-schema.json

added new field used in query update

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-09-19 13:35:37 -04:00
..
_deprecated
[Deprecate Rule] Suspicious Process from Conhost (#2222)
2022-08-16 16:32:24 +02:00
apm
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
cross-platform
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
integrations
[New Rule] Kubernetes Suspicious Assignment of Controller Service Account (#2298)
2022-09-19 13:35:37 -04:00
linux
Linux rule to detect potential ssh brute force attack (#2291)
2022-09-19 20:26:18 +05:30
macos
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
ml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
network
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
promotions
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
windows
[New Rule] Multiple Vault Web credentials were read (#2281)
2022-09-19 19:07:05 +02:00
README.md
[New Rule] Endpoint Security Behavior Protection (#1440)
2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder description
. Root directory where rules are stored
apm/ Rules that use Application Performance Monitoring (APM) data sources
cross-platform/ Rules that apply to multiple platforms, such as Windows and Linux
integrations/ Rules organized by Fleet integration
linux/ Rules for Linux or other Unix based operating systems
macos/ Rules for macOS
ml/ Rules that use machine learning jobs (ML)
network/ Rules that use network data sources
promotions/ Rules that promote external alerts into detection engine alerts
windows/ Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder integration
aws/ Amazon Web Services (AWS)
azure/ Microsoft Azure
cyberarkpas/ Cyber Ark Privileged Access Security
endpoint/ Elastic Endpoint Security
gcp/ Google Cloud Platform (GCP)
google_workspace/ Google Workspace (formerly GSuite)
o365/ Microsoft Office
okta/ Oka
Reference in New Issue View Git Blame Copy Permalink