EXPLORE
← Back to Explore
elasticmediumTTP

GKE Admission Webhook Created or Modified

Detects creation or modification of GKE mutating or validating admission webhook configurations by non-system identities. Malicious webhooks can inject workloads, block security tooling, or intercept API traffic for persistence and defense evasion.

MITRE ATT&CK

persistencedefense-evasion

Detection Query

data_stream.dataset:gcp.audit and event.outcome:success and event.action:(
  "io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.create" or
  "io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.update" or
  "io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.patch" or
  "io.k8s.admissionregistration.v1.validatingwebhookconfigurations.create" or
  "io.k8s.admissionregistration.v1.validatingwebhookconfigurations.update" or
  "io.k8s.admissionregistration.v1.validatingwebhookconfigurations.patch"
) and not user.email:(
  "system:kube-controller-manager" or "system:kube-scheduler" or system\:serviceaccount\:kube-system\:* or
  system\:serviceaccount\:gke-managed-system\:* or system\:serviceaccount\:cert-manager\:* or
  system\:serviceaccount\:gatekeeper-system\:* or system\:serviceaccount\:kyverno\:* or "system:addon-manager" or
  *-operator or *-cainjector or *-webhook or *argocd* or "system:gke-common-webhooks"
)

Author

Elastic

Created

2026/06/30

Data Sources

GCPGoogle Cloud Platformlogs-gcp.audit-*

Tags

Domain: CloudDomain: KubernetesData Source: GCPData Source: Google Cloud PlatformUse Case: Threat DetectionTactic: PersistenceTactic: Defense EvasionResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/06/30"
integration = ["gcp"]
maturity = "production"
updated_date = "2026/06/30"

[rule]
author = ["Elastic"]
description = """
Detects creation or modification of GKE mutating or validating admission webhook configurations by non-system identities.
Malicious webhooks can inject workloads, block security tooling, or intercept API traffic for persistence and defense
evasion.
"""
false_positives = [
    """
    GitOps and platform controllers (cert-manager, Gatekeeper, Kyverno, service mesh) legitimately manage webhooks.
    Validate change tickets and controller identities before tuning.
    """,
]
from = "now-9m"
index = ["logs-gcp.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "GKE Admission Webhook Created or Modified"
note = """## Triage and analysis

### Investigating GKE Admission Webhook Created or Modified

Review webhook name, actor, and clientConfig destination in `gcp.audit.request`.

### Investigation steps

- Confirm `user.email`, `event.action`, and webhook resource name.
- Inspect webhook URL or in-cluster service target for external endpoints.
- Hunt for pod mutations or blocked security deployments after the change.

### False positives

- Approved controller upgrades during change windows.

## Setup

The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
references = [
    "https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/",
]
risk_score = 47
rule_id = "4886ce11-fca5-433f-bbb9-e33e410ef9ae"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Kubernetes",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset:gcp.audit and event.outcome:success and event.action:(
  "io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.create" or
  "io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.update" or
  "io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.patch" or
  "io.k8s.admissionregistration.v1.validatingwebhookconfigurations.create" or
  "io.k8s.admissionregistration.v1.validatingwebhookconfigurations.update" or
  "io.k8s.admissionregistration.v1.validatingwebhookconfigurations.patch"
) and not user.email:(
  "system:kube-controller-manager" or "system:kube-scheduler" or system\:serviceaccount\:kube-system\:* or
  system\:serviceaccount\:gke-managed-system\:* or system\:serviceaccount\:cert-manager\:* or
  system\:serviceaccount\:gatekeeper-system\:* or system\:serviceaccount\:kyverno\:* or "system:addon-manager" or
  *-operator or *-cainjector or *-webhook or *argocd* or "system:gke-common-webhooks"
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"