A Kubernetes user was assigned cluster administrator permissions

kubernetes

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1098-account-manipulation

Set up the kubernetes integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Identify when a Kubernetes user is assigned cluster-level administrative permissions.

Strategy

This rule monitors when a ClusterRoleBinding object is created to bind a Kubernetes user to the cluster-admin default cluster-wide role. This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.

Triage and response

  1. Determine if the Kubernetes user referenced in @requestObject.subjects is expected to have been granted administrator permissions on the cluster
  2. Determine if the actor (@usr.id) is authorized to assign administrator permissions
  3. Use the Cloud SIEM User Investigation dashboard to review any user actions that may have occurred after the potentially malicious action.

Changelog

  • 20 September 2022 - Updated tags.
  • 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
  • 15 July 2024 - Updated detection query to include logs from Google Kubernetes Engine.