EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Kubernetes Admission Controller Modification

Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.

MITRE ATT&CK

T1078T1552T1552.007
privilege-escalationinitial-accessdefense-evasionpersistencecredential-access

Detection Query

selection:
  objectRef.apiGroup: admissionregistration.k8s.io
  objectRef.resource:
    - mutatingwebhookconfigurations
    - validatingwebhookconfigurations
  verb:
    - create
    - delete
    - patch
    - replace
    - update
condition: selection

Author

kelnage

Created

2024-07-11

Data Sources

kubernetesaudit

Platforms

kubernetes

References

Tags

attack.privilege-escalationattack.initial-accessattack.defense-evasionattack.persistenceattack.t1078attack.credential-accessattack.t1552attack.t1552.007
Raw Content
title: Kubernetes Admission Controller Modification
id: eed82177-38f5-4299-8a76-098d50d225ab
related:
    - id: 6ad91e31-53df-4826-bd27-0166171c8040
      type: similar
status: test
description: |
    Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
references:
    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
    - https://security.padok.fr/en/blog/kubernetes-webhook-attackers
author: kelnage
date: 2024-07-11
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.defense-evasion
    - attack.persistence
    - attack.t1078
    - attack.credential-access
    - attack.t1552
    - attack.t1552.007
logsource:
    product: kubernetes
    service: audit
detection:
    selection:
        objectRef.apiGroup: 'admissionregistration.k8s.io'
        objectRef.resource:
            - 'mutatingwebhookconfigurations'
            - 'validatingwebhookconfigurations'
        verb:
            - 'create'
            - 'delete'
            - 'patch'
            - 'replace'
            - 'update'
    condition: selection
falsepositives:
    - Modifying the Kubernetes Admission Controller may need to be done by a system administrator.
    - Automated processes may need to take these actions and may need to be filtered.
level: medium