k8s-audit-anonymous-access Configuration

« k8s-audit-anonymous-access »
v0.4 by crowdsecurity
Attack scenarioservice:k8sspoofable:0MITRE:T1595confidence:3

Detect allowed anonymous access to the K8S API

Installation

cscli scenarios install crowdsecurity/k8s-audit-anonymous-access

Description

Detects anonymous access to the K8S API, using the cluster audit logs.

Only attempts done on resources that are logged at least at the Metadata level will be recorded.

Access to healthz, livez and readyz are ignored.

No decision will be taken based on this scenario, it is only intended for notification purposes.

YAML Configuration

1type: trigger
2name: crowdsecurity/k8s-audit-anonymous-access
3description: "Detect allowed anonymous access to the K8S API"
4filter: |
5   evt.Meta.log_type == 'k8s-audit' &&
6   (
7    (evt.Meta.datasource_type == "k8s-audit" && evt.Unmarshaled.k8s_audit.ObjectRef?.Resource not in ["healthz", "livez", "readyz"]) 
8    || 
9    (evt.Meta.datasource_type != "k8s-audit" && evt.Unmarshaled.k8s_audit.objectRef?.resource not in ["healthz", "livez", "readyz"])
10   )
11   && evt.Meta.user in ["system:anonymous", "system:unauthenticated"]
12labels:
13   notification: true
14   classification:
15      - attack.T1595
16   behavior: "k8s:scan"
17   label: "Kubernetes API anonymous access"
18   spoofable: 0
19   service: k8s
20   confidence: 3
21

Hub configuration

« k8s-audit-anonymous-access »v0.4 by crowdsecurityAttack scenarioservice:k8sspoofable:0MITRE:T1595confidence:3

« k8s-audit-anonymous-access »
v0.4 by crowdsecurity
Attack scenarioservice:k8sspoofable:0MITRE:T1595confidence:3