Kubernetes Suspicious Self-Subject Reviewedit
This rule detects when a service account or node attempts to enumerate their own permissions via the selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities like service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to determine what privileges they have to facilitate further movement or execution within the cluster.
Rule type: query
Rule indices:
- logs-kubernetes.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
- https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms
- https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/detecting-identity-attacks-in-kubernetes/ba-p/3232340
Tags:
- Elastic
- Kubernetes
- Continuous Monitoring
- Discovery
Version: 200 (version history)
Added (Elastic Stack release): 8.4.0
Last modified (Elastic Stack release): 8.6.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positivesedit
An administrator may submit this request as an "impersonatedUser" to determine what privileges a particular service account has been granted. However, an adversary may utilize the same technique as a means to determine the privileges of another token other than that of the compromised account.
Investigation guideedit
Rule queryedit
event.dataset : "kubernetes.audit_logs" and
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
and kubernetes.audit.verb:"create" and
kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or
"selfsubjectrulesreviews") and
(kubernetes.audit.user.username:(system\:serviceaccount\:* or
system\:node\:*) or
kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:*
or system\:node\:*))
Threat mappingedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
-
Technique:
- Name: Container and Resource Discovery
- ID: T1613
- Reference URL: https://attack.mitre.org/techniques/T1613/
Rule version historyedit
- Version 200 (8.6.0 release)
-
-
Updated query, changed from:
kubernetes.audit.verb:"create" and kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews") and kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*) or kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*)
-
- Version 100 (8.5.0 release)
-
-
Updated query, changed from:
kubernetes.audit.verb:"create" and kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews") and kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*) or kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*)
-