{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-kubernetes-service/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Kubernetes Service"],"_cs_severities":["medium"],"_cs_tags":["azure","kubernetes","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers targeting Azure Kubernetes Service (AKS) environments may attempt to remove event logs to cover their tracks and hinder forensic investigations. This activity, which involves deleting Kubernetes events, directly impairs a defender\u0026rsquo;s ability to detect malicious behavior within the cluster. By removing evidence of their actions, attackers can prolong their presence within the environment and increase the potential for further compromise. This technique is relevant for defenders monitoring AKS environments for intrusion activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Azure environment, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure Kubernetes Service (AKS) cluster with sufficient privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing Kubernetes event logs to identify those they wish to remove.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command to delete specific Kubernetes events using kubectl or the Azure CLI. The API call used for the deletion is MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE.\u003c/li\u003e\n\u003cli\u003eThe Azure Activity Logs record the event deletion, which is the source of the detection.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 3-4 to remove additional event logs, further obscuring their activities.\u003c/li\u003e\n\u003cli\u003eThe attacker continues with their primary objective, such as deploying malicious containers, exfiltrating data, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of Kubernetes events can significantly hinder incident response efforts. Without access to event logs, defenders may struggle to identify the scope and timeline of an attack, potentially leading to incomplete remediation and prolonged exposure. The impact includes increased dwell time for attackers within the compromised environment, as well as a greater likelihood of successful data breaches or system disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect event deletion activity within AKS environments.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of the MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE operation in Azure Activity Logs, as indicated in the rule definition.\u003c/li\u003e\n\u003cli\u003eImplement robust RBAC policies within AKS to minimize the number of users and service accounts with permissions to delete Kubernetes events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:30:00Z","date_published":"2024-01-09T18:30:00Z","id":"/briefs/2024-01-azure-kubernetes-events-deleted/","summary":"Adversaries may delete events in Azure Kubernetes to evade detection, which this rule detects via the MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE operation.","title":"Azure Kubernetes Events Deleted","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-kubernetes-events-deleted/"}],"language":"en","title":"CraftedSignal Threat Feed — Azure Kubernetes Service","version":"https://jsonfeed.org/version/1.1"}