{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-kubernetes-services/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Kubernetes Services"],"_cs_severities":["low"],"_cs_tags":["cloud","azure","kubernetes","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies the creation of role binding or cluster role bindings in Azure Kubernetes Services (AKS) by monitoring Azure activity logs for successful creation events. These role bindings assign roles to Kubernetes subjects, like users, groups, or service accounts. An attacker who has permissions to create bindings and cluster-bindings can escalate privileges by creating a binding to the cluster-admin ClusterRole or other high privileges roles. This activity is logged within Azure and can be detected using the Azure Activity Logs. This activity can lead to complete control of the Kubernetes cluster and its resources if a cluster-admin role is bound to a malicious actor.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an Azure account with sufficient permissions to interact with AKS and create role bindings.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available roles and cluster roles within the AKS cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies high-privilege roles, such as \u003ccode\u003ecluster-admin\u003c/code\u003e, which would grant extensive control over the cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new RoleBinding or ClusterRoleBinding, associating the target user/group/service account with the high-privilege role. The Azure activity logs capture this event.\u003c/li\u003e\n\u003cli\u003eThe attacker validates the successful creation of the role binding.\u003c/li\u003e\n\u003cli\u003eThe attacker (or the user/group/service account targeted) leverages the newly granted privileges to perform unauthorized actions within the AKS cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by using the Valid Account (T1078) to access the cluster.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to privilege escalation within the AKS cluster, allowing the attacker to perform actions beyond their intended authorization. This can lead to unauthorized access to sensitive data, modification or deletion of critical resources, and potential compromise of the entire Kubernetes environment. While specific victim counts aren't available, the impact is significant for organizations relying on AKS for containerized applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AKS Role Binding Creation\u003c/code\u003e to detect the creation of role bindings in your AKS environment by monitoring Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eReview and tighten Role-Based Access Control (RBAC) policies to ensure that only necessary permissions are granted (reference: description).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected role binding creations to validate their legitimacy and identify potential unauthorized privilege escalation attempts (reference: description).\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eevent.outcome\u003c/code\u003e to ensure the operation was successful and not a failed attempt, which might indicate a misconfiguration or testing (reference: description).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aks-rolebinding-created/","summary":"The creation of role binding or cluster role bindings in Azure Kubernetes Services (AKS) can indicate privilege escalation by an adversary creating a binding to the cluster-admin ClusterRole or other high-privilege roles.","title":"Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created","url":"https://feed.craftedsignal.io/briefs/2024-01-aks-rolebinding-created/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Kubernetes Services"],"_cs_severities":["medium"],"_cs_tags":["azure","kubernetes","impact","cloud"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies the deletion of Azure Kubernetes Pods, which could indicate malicious activity. Adversaries might delete Kubernetes pods to disrupt services or evade detection. Successful pod deletion operations logged in Azure activity logs are monitored, alerting security teams to potential unauthorized actions impacting environment stability and security. The rule focuses on events logged with the operation name \u0026quot;MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE\u0026quot; and a successful outcome. Defenders should be aware of unexpected or unauthorized pod deletions, as these actions can lead to service disruptions and potential data loss. This activity affects Azure Kubernetes Services (AKS) environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to the Azure environment, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure API and identifies the target Kubernetes cluster and namespace.\u003c/li\u003e\n\u003cli\u003eThe attacker uses stolen credentials to make an authorized API call.\u003c/li\u003e\n\u003cli\u003eThe attacker issues a DELETE request targeting specific pods within the Kubernetes cluster, using the \u0026quot;MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE\u0026quot; operation.\u003c/li\u003e\n\u003cli\u003eAzure processes the deletion request, and if authorized, removes the specified pods from the cluster.\u003c/li\u003e\n\u003cli\u003eThe event is logged in Azure Activity Logs with an \u0026quot;Success\u0026quot; outcome.\u003c/li\u003e\n\u003cli\u003eLegitimate applications or services that rely on the deleted pods experience disruption or failure.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which may include disrupting services, causing data loss, or hindering incident response efforts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful pod deletions can lead to service disruptions, application failures, and potential data loss within the Azure Kubernetes Services (AKS) environment. The severity depends on the criticality of the affected pods and the applications they support. A successful attack could impact the availability of customer-facing services, internal business processes, or critical infrastructure components. Undetected malicious pod deletions can also complicate incident response efforts and prolong the time it takes to restore normal operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure Kubernetes Pod Deletion\u003c/code\u003e to your SIEM and tune for your environment to detect malicious or accidental pod deletions in your Azure environment.\u003c/li\u003e\n\u003cli\u003eReview Azure activity logs for events matching the \u003ccode\u003eMICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE\u003c/code\u003e operation name to identify potential pod deletion incidents.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and role-based access management to minimize the risk of unauthorized pod deletions.\u003c/li\u003e\n\u003cli\u003eIntegrate monitoring and alerting with a SIEM system to detect and respond to unauthorized pod deletions promptly (refer to the setup instructions in the overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aks-pod-deletion/","summary":"The deletion of Azure Kubernetes Pods can indicate malicious activity aimed at disrupting the environment's normal behavior.","title":"Azure Kubernetes Services (AKS) Kubernetes Pod Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-aks-pod-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Azure Kubernetes Services","version":"https://jsonfeed.org/version/1.1"}