Classification:

attack

Tactic:

TA0004-privilege-escalation

VIEW RULE IN DATADOG VIEW SIGNALS

Set up the kubernetes integration.

Goal

Identify when a Kubernetes user is assigned cluster-level administrative permissions.

Strategy

This rule monitors when a ClusterRoleBinding object is created to bind a Kubernetes user to the cluster-admin default cluster-wide role. This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.

Triage and response

1. Determine if the Kubernetes user referenced in @requestObject.subjects is expected to have been granted administrator permissions on the cluster
2. Determine if the actor (@usr.id) is authorized to assign administrator permissions
3. Use the Cloud SIEM User Investigation dashboard to review any user actions that may have occurred after the potentially malicious action.

Changelog

• 20 September 2022 - Updated tags.
• 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.