A Kubernetes user was assigned cluster administrator permissions

Classification:

attack

Tactic:

TA0004-privilege-escalation

Set up the kubernetes integration.

Goal

Identify when a Kubernetes user is assigned cluster-level administrative permissions.

Strategy

This rule monitors when a ClusterRoleBinding object is created to bind a Kubernetes user to the cluster-admin default cluster-wide role. This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.

Triage and response

1. Determine if the Kubernetes user referenced in @requestObject.subjects is expected to have been granted administrator permissions on the cluster
2. Determine if the actor (@usr.id) is authorized to assign administrator permissions
3. Use the Cloud SIEM User Investigation dashboard to review any user actions that may have occurred after the potentially malicious action.

Changelog

20 September 2022 - Updated tags.