<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Hostnetwork - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/hostnetwork/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/hostnetwork/feed.xml" rel="self" type="application/rss+xml"/><item><title>Kubernetes Pod with Host Network Attachment Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-kubernetes-host-network/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-kubernetes-host-network/</guid><description>Detection of Kubernetes pods configured to use the host network namespace via audit logs, potentially allowing attackers to monitor all node network traffic for sensitive data and privilege escalation.</description><content:encoded><![CDATA[<p>This alert identifies the creation or update of a Kubernetes pod configured to use the host network namespace. Kubernetes audit logs are analyzed to detect pods with the <code>hostNetwork: true</code> setting. This configuration allows a pod to share the network stack of the host node, effectively granting it access to all network interfaces and traffic. This presents a significant security risk, especially if the pod is compromised. An attacker can then monitor all network traffic on the node, potentially capturing sensitive information such as credentials or API keys, and potentially escalating privileges to gain control over the node and the entire cluster. This detection is critical for SOC teams to identify and investigate potentially malicious activity within their Kubernetes environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the Kubernetes cluster, potentially through compromised credentials, a vulnerable application, or a misconfigured service.</li>
<li>The attacker crafts a malicious pod specification that includes the <code>hostNetwork: true</code> setting. This setting is included within the <code>requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration</code> field.</li>
<li>The attacker attempts to create or update a pod using the crafted specification, submitting the request to the Kubernetes API server.</li>
<li>The Kubernetes API server logs the pod creation or update request in the audit logs, including details about the pod's configuration and the user who initiated the request.</li>
<li>The detection logic identifies the <code>hostNetwork: true</code> setting in the audit logs, triggering the alert.</li>
<li>An attacker leverages access to the host network to sniff network traffic, intercepting sensitive data.</li>
<li>The attacker uses captured credentials or other sensitive information to escalate privileges within the cluster.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack leveraging a pod with host network attachment can have severe consequences. An attacker could gain complete control over the compromised node, potentially leading to data breaches, service disruptions, and unauthorized access to sensitive resources. Furthermore, the attacker could use the compromised node as a launchpad for further attacks within the cluster, compromising other pods and services. This can lead to a full cluster compromise with significant damage and data loss.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Kubernetes audit logging and configure the audit policy to capture pod creation and update events. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs as described in the documentation <a href="https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md">https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md</a>.</li>
<li>Deploy the Sigma rule <code>Kubernetes Pod with Host Network Attachment</code> to your SIEM to detect the creation or update of pods with the <code>hostNetwork: true</code> setting.</li>
<li>Investigate any alerts generated by this rule to determine the legitimacy of the pod creation/update and the user who initiated the request.</li>
<li>Monitor the users and source IPs identified in the detection (<code>user</code>, <code>src_ip</code>) for other suspicious activities within the cluster.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>kubernetes</category><category>hostnetwork</category><category>privilegeescalation</category></item></channel></rss>