Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created
The creation of role binding or cluster role bindings in Azure Kubernetes Services (AKS) can indicate privilege escalation by an adversary creating a binding to the cluster-admin ClusterRole or other high-privilege roles.
This detection rule identifies the creation of role binding or cluster role bindings in Azure Kubernetes Services (AKS) by monitoring Azure activity logs for successful creation events. These role bindings assign roles to Kubernetes subjects, like users, groups, or service accounts. An attacker who has permissions to create bindings and cluster-bindings can escalate privileges by creating a binding to the cluster-admin ClusterRole or other high privileges roles. This activity is logged within Azure and can be detected using the Azure Activity Logs. This activity can lead to complete control of the Kubernetes cluster and its resources if a cluster-admin role is bound to a malicious actor.
Attack Chain
- The attacker gains initial access to an Azure account with sufficient permissions to interact with AKS and create role bindings.
- The attacker enumerates available roles and cluster roles within the AKS cluster.
- The attacker identifies high-privilege roles, such as
cluster-admin, which would grant extensive control over the cluster. - The attacker creates a new RoleBinding or ClusterRoleBinding, associating the target user/group/service account with the high-privilege role. The Azure activity logs capture this event.
- The attacker validates the successful creation of the role binding.
- The attacker (or the user/group/service account targeted) leverages the newly granted privileges to perform unauthorized actions within the AKS cluster.
- The attacker maintains persistence by using the Valid Account (T1078) to access the cluster.
Impact
Successful exploitation leads to privilege escalation within the AKS cluster, allowing the attacker to perform actions beyond their intended authorization. This can lead to unauthorized access to sensitive data, modification or deletion of critical resources, and potential compromise of the entire Kubernetes environment. While specific victim counts aren't available, the impact is significant for organizations relying on AKS for containerized applications.
Recommendation
- Deploy the Sigma rule
Detect AKS Role Binding Creationto detect the creation of role bindings in your AKS environment by monitoring Azure Activity Logs. - Review and tighten Role-Based Access Control (RBAC) policies to ensure that only necessary permissions are granted (reference: description).
- Investigate any detected role binding creations to validate their legitimacy and identify potential unauthorized privilege escalation attempts (reference: description).
- Monitor
event.outcometo ensure the operation was successful and not a failed attempt, which might indicate a misconfiguration or testing (reference: description).
Detection coverage 2
Detect AKS Role Binding Creation
lowDetects the creation of Kubernetes RoleBindings or ClusterRoleBindings in Azure Kubernetes Service (AKS) by monitoring Azure Activity Logs.
Detect Valid Accounts used to create AKS Role Bindings
mediumDetects the use of valid accounts to create Kubernetes RoleBindings or ClusterRoleBindings in Azure Kubernetes Service (AKS) which is a potential sign of misuse of the account
Detection queries are available on the platform. Get full rules →