Skip to content
Threat Feed
medium advisory

Kubernetes Scanning by Unauthenticated IP Address

Detects potential scanning activities within a Kubernetes environment by identifying multiple unauthorized access attempts (HTTP 403 responses) from unauthenticated IP addresses in Kubernetes audit logs, potentially indicating vulnerability probing or exploitation attempts.

This analytic identifies potential scanning activities within a Kubernetes environment by unauthenticated IP addresses. It leverages Kubernetes audit logs to detect multiple unauthorized access attempts (HTTP 403 responses) from the same source IP. This activity is significant as it may indicate an attacker probing for vulnerabilities or attempting to exploit known issues within the Kubernetes infrastructure. Successful scanning may allow attackers to identify exposed services, misconfigurations, or vulnerabilities that can be further exploited to gain unauthorized access, escalate privileges, or disrupt services. The detection focuses on identifying patterns indicative of automated scanning rather than legitimate user activity.

Attack Chain

  1. Attacker identifies a Kubernetes cluster as a potential target.
  2. Attacker attempts to access various Kubernetes API endpoints without proper authentication, resulting in HTTP 403 errors.
  3. Kubernetes API server logs the unauthorized access attempts in the audit logs, including the source IP address, requested URI, and response code.
  4. The detection analytic monitors Kubernetes audit logs for multiple 403 errors originating from the same unauthenticated IP address.
  5. The analytic aggregates access attempts by source IP, country, and city, counting the number of 403 responses.
  6. If the count of 403 responses from a single IP exceeds a threshold (e.g., 5), the IP is flagged as potentially engaged in scanning.
  7. Security team investigates the flagged IP to determine the legitimacy of the activity.
  8. If the activity is confirmed as malicious scanning, appropriate actions are taken to block the IP and further investigate any potential vulnerabilities.

Impact

Unsuccessful exploitation attempts may precede successful ones. Kubernetes scanning activity often represents reconnaissance efforts to identify exploitable entry points. If successful, attackers may gain unauthorized access to sensitive data, escalate privileges, or disrupt critical services running within the Kubernetes cluster. This activity can lead to data breaches, service outages, and reputational damage.

Recommendation

  • Enable Kubernetes audit logging to capture API server requests, which is essential for this detection to function.
  • Deploy the provided Sigma rule to your SIEM and tune the threshold (count > 5) based on your environment's baseline.
  • Use the kube_audit macro to standardize your Kubernetes audit log data source for use with the Sigma rule.
  • Investigate any alerts generated by the Sigma rule to determine the legitimacy of the scanning activity and take appropriate remediation steps.

Detection coverage 2

Kubernetes Unauthenticated Scanning Activity

medium

Detects potential scanning activities within a Kubernetes environment by unauthenticated IP addresses based on HTTP 403 responses.

sigma tactics: discovery techniques: T1046 sources: webserver, linux

Kubernetes Excessive 403 Errors from Single IP

medium

Detects a single IP address generating an excessive number of 403 errors within a short timeframe in Kubernetes audit logs, indicating potential scanning activity.

sigma tactics: discovery techniques: T1046 sources: webserver, linux

Detection queries are available on the platform. Get full rules →