{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/daemonset/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Kubernetes","EKS"],"_cs_severities":["medium"],"_cs_tags":["kubernetes","daemonset","persistence"],"_cs_type":"advisory","_cs_vendors":["Kubernetes","AWS"],"content_html":"\u003cp\u003eThis brief focuses on the detection of DaemonSet deployments within a Kubernetes cluster. DaemonSets, which ensure a specific pod runs on every node, can be abused by attackers to gain persistent access. The alert triggers upon detecting the creation of a DaemonSet as logged within the Kubernetes Audit logs. This activity is a significant indicator of potentially malicious activity because DaemonSets provide a mechanism for attackers to deploy malicious pods across an entire cluster, enabling persistent attacks, service disruptions, or unauthorized access to sensitive information. The detection logic is based on monitoring Kubernetes API server requests for the creation of DaemonSets and extracting relevant fields, such as user, source IP, and involved resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the Kubernetes cluster, potentially through compromised credentials or exploiting a cluster vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the Kubernetes API server with sufficient privileges.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious DaemonSet YAML file, defining the pod to be deployed across all nodes. This could include a container with reverse shell capabilities or data exfiltration tools.\u003c/li\u003e\n\u003cli\u003eAttacker uses \u003ccode\u003ekubectl\u003c/code\u003e or another API client to submit the DaemonSet creation request to the Kubernetes API server.\u003c/li\u003e\n\u003cli\u003eThe Kubernetes API server validates the request and, if authorized, creates the DaemonSet object. This event is logged in the Kubernetes Audit logs.\u003c/li\u003e\n\u003cli\u003eThe Kubernetes controller manager observes the new DaemonSet and schedules the defined pod on each node in the cluster.\u003c/li\u003e\n\u003cli\u003eThe malicious pod is deployed and starts executing on each node, granting the attacker persistent access and control.\u003c/li\u003e\n\u003cli\u003eAttacker performs malicious actions from the deployed pods, such as lateral movement, data exfiltration, or denial-of-service attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful DaemonSet deployment by an attacker can compromise the entire Kubernetes cluster. Every node becomes infected with the malicious pod, providing the attacker with a persistent foothold. This can lead to widespread data exfiltration, denial of service, or the deployment of ransomware across all containerized applications. The blast radius is the entire cluster, potentially impacting all applications running within it.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and properly configure Kubernetes audit logging to capture DaemonSet creation events and other API server activities. Reference the documentation on collecting audit logs from Kubernetes clusters (\u003ca href=\"https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/\"\u003ehttps://kubernetes.io/docs/tasks/debug/debug-cluster/audit/\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule (\u003ccode\u003eKubernetes DaemonSet Created\u003c/code\u003e) to detect the creation of DaemonSets based on Kubernetes Audit logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected DaemonSet creation events, focusing on the user (\u003ccode\u003euser.username\u003c/code\u003e), source IP (\u003ccode\u003esourceIPs{}\u003c/code\u003e), and the contents of the DaemonSet manifest.\u003c/li\u003e\n\u003cli\u003eFor AWS EKS, ensure control plane logging is enabled and that logs are properly ingested into your SIEM. Refer to AWS documentation for enabling EKS control plane logging (\u003ca href=\"https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html\"\u003ehttps://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html\u003c/a\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-kubernetes-daemonset-deployment/","summary":"The creation of a Kubernetes DaemonSet is detected via Kubernetes Audit logs, indicating a potential attempt to maintain persistent access and control within the cluster by ensuring a specific pod runs on every node.","title":"Kubernetes DaemonSet Deployment Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-kubernetes-daemonset-deployment/"}],"language":"en","title":"CraftedSignal Threat Feed - Daemonset","version":"https://jsonfeed.org/version/1.1"}