k8s-audit-service-account-access-denied Scenario

« k8s-audit-service-account-access-denied »
v0.4 by crowdsecurity
Attack scenarioservice:k8sspoofable:0MITRE:T1078MITRE:T1069confidence:3

Detect unauthorized requests from service accounts

Installation

cscli scenarios install crowdsecurity/k8s-audit-service-account-access-denied

Description

Detects service accounts making forbidden requests to the K8S API.

Only attempts done on resources that are logged at least at the Metadata level will be recorded.

No decision will be taken based on this scenario, it is only intended for notification purposes.

YAML Configuration

1type: trigger
2name: crowdsecurity/k8s-audit-service-account-access-denied
3description: "Detect unauthorized requests from service accounts"
4filter: |
5  evt.Meta.log_type == 'k8s-audit' &&
6  evt.Meta.user startsWith "system:serviceaccount:" &&
7  (
8   (evt.Meta.datasource_type == "k8s-audit" && evt.Unmarshaled.k8s_audit.Annotations["authorization.k8s.io/decision"] == "forbid")
9   ||
10   (evt.Meta.datasource_type != "k8s-audit" && evt.Unmarshaled.k8s_audit.annotations["authorization.k8s.io/decision"] == "forbid")
11  )
12labels:
13  notification: true
14  classification:
15    - attack.T1078
16    - attack.T1069
17  behavior: "k8s:scan"
18  label: "Kubernetes Service Account Denied Request"
19  spoofable: 0
20  confidence: 3
21  service: k8s
22

Hub configuration

« k8s-audit-service-account-access-denied »v0.4 by crowdsecurityAttack scenarioservice:k8sspoofable:0MITRE:T1078MITRE:T1069confidence:3

« k8s-audit-service-account-access-denied »
v0.4 by crowdsecurity
Attack scenarioservice:k8sspoofable:0MITRE:T1078MITRE:T1069confidence:3