Kubernetes Admission Controller Modification

Rule Info

Name
Kubernetes Admission Controller Modification
Author
kelnage
Description
Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
Reference
https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
Date
2024-07-11 00:00:00
Modified
None
Id
eed82177-38f5-4299-8a76-098d50d225ab
Tags
attack.persistence attack.t1078 attack.credential-access attack.t1552 attack.t1552.007 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=eed82177-38f5-4299-8a76-098d50d225ab

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
Nick Moore
Merge PR #4899 from @kelnage - Add Kubernetes rules in audit log format
2024-07-11
97034d23b
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022