Azure Kubernetes Services (AKS) Kubernetes Pod Deletion
The deletion of Azure Kubernetes Pods can indicate malicious activity aimed at disrupting the environment's normal behavior.
This detection identifies the deletion of Azure Kubernetes Pods, which could indicate malicious activity. Adversaries might delete Kubernetes pods to disrupt services or evade detection. Successful pod deletion operations logged in Azure activity logs are monitored, alerting security teams to potential unauthorized actions impacting environment stability and security. The rule focuses on events logged with the operation name "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and a successful outcome. Defenders should be aware of unexpected or unauthorized pod deletions, as these actions can lead to service disruptions and potential data loss. This activity affects Azure Kubernetes Services (AKS) environments.
Attack Chain
- An attacker gains unauthorized access to the Azure environment, potentially through compromised credentials or exploiting a vulnerability.
- The attacker authenticates to the Azure API and identifies the target Kubernetes cluster and namespace.
- The attacker uses stolen credentials to make an authorized API call.
- The attacker issues a DELETE request targeting specific pods within the Kubernetes cluster, using the "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" operation.
- Azure processes the deletion request, and if authorized, removes the specified pods from the cluster.
- The event is logged in Azure Activity Logs with an "Success" outcome.
- Legitimate applications or services that rely on the deleted pods experience disruption or failure.
- The attacker achieves their objective, which may include disrupting services, causing data loss, or hindering incident response efforts.
Impact
Successful pod deletions can lead to service disruptions, application failures, and potential data loss within the Azure Kubernetes Services (AKS) environment. The severity depends on the criticality of the affected pods and the applications they support. A successful attack could impact the availability of customer-facing services, internal business processes, or critical infrastructure components. Undetected malicious pod deletions can also complicate incident response efforts and prolong the time it takes to restore normal operations.
Recommendation
- Deploy the Sigma rule
Azure Kubernetes Pod Deletionto your SIEM and tune for your environment to detect malicious or accidental pod deletions in your Azure environment. - Review Azure activity logs for events matching the
MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETEoperation name to identify potential pod deletion incidents. - Implement stricter access controls and role-based access management to minimize the risk of unauthorized pod deletions.
- Integrate monitoring and alerting with a SIEM system to detect and respond to unauthorized pod deletions promptly (refer to the setup instructions in the overview).
Detection coverage 2
Azure Kubernetes Pod Deletion
mediumDetects deletion of Azure Kubernetes Pods, potentially indicating malicious activity.
Azure Kubernetes Pod Deletion Failed
lowDetects failed attempts to delete Azure Kubernetes Pods, potentially indicating reconnaissance or unauthorized access attempts.
Detection queries are available on the platform. Get full rules →