Kubernetes Admission Webhook Created or Modified

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Kubernetes Admission Webhook Created or Modified

Detects creation, modification, or deletion of Kubernetes MutatingWebhookConfigurations or ValidatingWebhookConfigurations by non-system identities. Admission webhooks intercept every API request matching their rules before persistence, giving an attacker powerful capabilities: injecting malicious sidecars into every new pod via a mutating webhook, blocking security tooling deployments via a validating webhook, or silently exfiltrating pod specifications to an external server. Webhook manipulation is a stealthy persistence and defense evasion technique because the webhook configuration itself looks benign in kubectl output while actively modifying or intercepting all matching Kubernetes API traffic.

Rule type: query

Rule indices:

logs-kubernetes.audit_logs-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Data Source: Kubernetes
Domain: Kubernetes
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Resources: Investigation Guide

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating Kubernetes Admission Webhook Created or Modified

Admission webhooks can mutate or validate resources before they are persisted. A malicious webhook can inject sidecars, alter securityContext, block defensive workloads, or exfiltrate pod specs. This rule alerts on allowed changes to MutatingWebhookConfiguration and ValidatingWebhookConfiguration objects by identities outside common system patterns.

Possible investigation steps

Confirm the webhook resource and operation:
kubernetes.audit.objectRef.resource and kubernetes.audit.verb
kubernetes.audit.objectRef.name (the webhook configuration name)
Attribute the actor and access path:
user.name (human vs service account vs node identity)
source.ip and user_agent.original
In cloud-managed clusters, map the identity to IAM/Entra principal data present in kubernetes.audit.user.extra.*.
Extract the webhook destination and review for external exfiltration:
kubernetes.audit.requestObject.webhooks.clientConfig.url (suspicious when pointing to the public internet)
kubernetes.audit.requestObject.webhooks.clientConfig.service.* (in-cluster service; still validate namespace/name)
Review impact-driving webhook settings:
failurePolicy (e.g., Ignore can make malicious webhooks stealthier by avoiding obvious outages)
namespaceSelector / objectSelector targeting (e.g., excluding kube-system while targeting everything else)
rules.operations and rules.resources (e.g., CREATE pods is consistent with broad sidecar injection)
sideEffects, timeoutSeconds, matchPolicy, reinvocationPolicy
Scope blast radius and follow-on activity:
Hunt for pods created/updated after the webhook change that include unexpected containers, initContainers, env vars, volume mounts, or securityContext changes.
Check for concurrent RBAC changes, token creation, or secret access from the same identity and source IP.

False positive analysis

GitOps upgrades or controller installs can legitimately change admission webhooks. Validate the change against:
approved Helm/Git commits, change tickets, and expected controller namespaces
known controller identities (cert-manager, Gatekeeper, Kyverno, service mesh controllers)

Response and remediation

If unauthorized, revert or delete the webhook configuration from a known-good source (GitOps/Helm), then block the actor identity and rotate any credentials it used.
If the webhook targeted pod creation, assume workload impact: identify affected namespaces/workloads, redeploy from trusted manifests/images, and validate that new pods are no longer being mutated.
If an external clientConfig.url was used, treat it as potential data exfiltration and review egress/DNS logs for the destination around the alert window.

Rule query

edit

kubernetes.audit.objectRef.resource:("mutatingwebhookconfigurations" or "validatingwebhookconfigurations") and
kubernetes.audit.verb:("create" or "update" or "patch" or "delete") and
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
user.name:(* and not
  (system\:kube-controller-manager or
  system\:kube-scheduler or
  system\:serviceaccount\:kube-system\:* or
  eks\:* or aksService or masterclient or nodeclient or
  system\:serviceaccount\:gke-managed-system\:* or
  system\:serviceaccount\:cert-manager\:* or
  system\:serviceaccount\:gatekeeper-system\:* or
  system\:serviceaccount\:kyverno\:* or
  system\:serviceaccount\:*\:*-operator)
) and
kubernetes.audit.objectRef.name:(* and not (pod-identity-webhook or vpc-resource-mutating-webhook or eks-* or gke-*))

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Event Triggered Execution
- ID: T1546
- Reference URL: https://attack.mitre.org/techniques/T1546/
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Impair Defenses
- ID: T1562
- Reference URL: https://attack.mitre.org/techniques/T1562/

« Kubernetes API Server Proxying Request to Kubelet Kubernetes Anonymous Request Authorized by Unusual User Agent »