Kubernetes Multi-Resource Discovery Reconnaissance
Adversaries may perform reconnaissance in a Kubernetes environment by rapidly querying multiple resource types to map the environment and identify potential privilege escalation paths.
After gaining initial access to a Kubernetes cluster, adversaries often conduct reconnaissance to understand the environment before further actions like exfiltration or privilege escalation. This involves mapping the cluster’s structure, identifying workloads, and understanding role-based access control (RBAC) configurations. This reconnaissance is achieved by rapidly querying various API resources, including namespaces, pods, roles, ClusterRoles, ConfigMaps, and ServiceAccounts. The activity is characterized by a burst of get and list requests across multiple resource types within a short timeframe, which is atypical for normal cluster operations and may indicate malicious probing or permission reconnaissance. This detection focuses on identifying such cross-resource bursts from a single client to distinguish reconnaissance activities from routine automation.
Attack Chain
- The attacker gains initial access to the Kubernetes cluster using compromised credentials or by exploiting a vulnerability. (T1190, T1566)
- The attacker authenticates to the Kubernetes API server using the compromised credentials or a valid service account token.
- The attacker begins enumerating namespaces to understand the logical divisions within the cluster using kubectl get namespaces or equivalent API calls. (T1068)
- The attacker queries pods within the discovered namespaces to identify running workloads and potential targets. (T1068)
- The attacker lists roles and cluster roles to understand the existing RBAC configurations and identify potential privilege escalation opportunities. (T1069)
- The attacker retrieves service accounts to identify applications and their associated permissions, potentially discovering more attack vectors.
- The attacker analyzes the collected information to identify vulnerable services, misconfigured permissions, or sensitive data.
- Based on the reconnaissance, the attacker proceeds with lateral movement, privilege escalation, data exfiltration, or other malicious objectives.
Impact
Successful reconnaissance allows attackers to gain a comprehensive understanding of the Kubernetes environment, facilitating further malicious activities such as lateral movement, privilege escalation, and data exfiltration. This can lead to the compromise of sensitive data, disruption of services, and unauthorized access to critical resources. The impact is magnified in clusters with weak RBAC policies or exposed sensitive information.
Recommendation
- Deploy the Sigma rule “Kubernetes Multi-Resource Discovery” to your SIEM and tune for your environment to detect reconnaissance activities.
- Investigate alerts generated by the Sigma rule by pivoting on user.name, source.ip, and user_agent.original to determine the sequence of API calls.
- Correlate the identified activity with RBAC configurations to identify potential violations of the principle of least privilege as described in the rule’s Triage and Analysis section.
- Baseline automation by allowlisting known service accounts or source networks that legitimately span multiple resource types in a short window, as described in the rule’s False Positive Analysis section.
- Review and tighten RBAC configurations to minimize the impact of compromised credentials as described in the Response and Remediation section.
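The cross-resource burst logic from the description above, combined with the client pivot and automation allowlist from the recommendations, as an added example (not the Sigma rule or platform code). It works on kube-apiserver audit events, whose user.username, sourceIPs and userAgent fields correspond to the user.name, source.ip and user_agent.original fields named above; the 60-second window, the threshold of four distinct resource types, the allowlisted service account and all sample events are constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Resource types named in the description above. Window, threshold and the
# allowlist entry are assumptions for this example; tune them per cluster.
DISCOVERY_RESOURCES = {"namespaces", "pods", "roles", "clusterroles",
                       "configmaps", "serviceaccounts"}
WINDOW = timedelta(seconds=60)
MIN_DISTINCT = 4
ALLOWLIST = {"system:serviceaccount:kube-system:namespace-controller"}
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

def find_bursts(events):
    """Return [(user, ip, agent, [resources])] per client with get/list on >= MIN_DISTINCT types within WINDOW."""
    by_client = defaultdict(list)  # key = (user, source IP, user agent)
    for e in events:
        res = e.get("objectRef", {}).get("resource", "").lower()
        if e.get("verb") not in ("get", "list") or res not in DISCOVERY_RESOURCES:
            continue
        user = e["user"]["username"]
        if user in ALLOWLIST:  # baselined automation is suppressed
            continue
        key = (user, e["sourceIPs"][0], e.get("userAgent", ""))
        ts = datetime.strptime(e["requestReceivedTimestamp"], TS_FMT)
        by_client[key].append((ts, res))
    hits = []
    for key, reqs in by_client.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # window starting at each request
            seen = {r for t, r in reqs[i:] if t - t0 <= WINDOW}
            if len(seen) >= MIN_DISTINCT:
                hits.append((*key, sorted(seen)))
                break
    return hits

def ev(user, ip, verb, res, sec, agent="kubectl/v1.29.0"):
    # one constructed event in the kube-apiserver audit log shape
    return {"verb": verb, "user": {"username": user}, "sourceIPs": [ip],
            "userAgent": agent, "objectRef": {"resource": res},
            "requestReceivedTimestamp": "2024-05-01T10:00:%02d.000000Z" % sec}

CTRL = "system:serviceaccount:kube-system:deployment-controller"
SAMPLE_EVENTS = [  # constructed, not real cluster data
    # one client sweeping five resource types in 20 seconds -> alert
    *(ev("dev-user", "10.0.0.5", "list", r, 5 * i) for i, r in enumerate(
        ["namespaces", "pods", "roles", "clusterroles", "serviceaccounts"])),
    # a controller polling a single resource type -> no alert
    ev(CTRL, "10.0.0.1", "list", "pods", 1, "kube-controller-manager"),
    ev(CTRL, "10.0.0.1", "list", "pods", 31, "kube-controller-manager"),
    # allowlisted automation that legitimately spans many types -> suppressed
    *(ev(next(iter(ALLOWLIST)), "10.0.0.1", "list", r, i) for i, r in
      enumerate(["namespaces", "pods", "roles", "configmaps"])),
]
```

Running find_bursts(SAMPLE_EVENTS) flags only the dev-user client, which is the triage pivot (user, source IP, user agent, resource types) the recommendations describe.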
Detection coverage (2 rules)
- Kubernetes Multi-Resource Discovery (medium): Detects rapid enumeration of multiple Kubernetes resource types, indicating potential reconnaissance activity.
- Kubernetes Discovery via Kubectl API Requests (medium): Detects suspicious discovery activity in Kubernetes by monitoring kubectl API requests for common discovery commands.
Detection queries are kept inside the platform.