{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/image-pulling/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Kubernetes","Amazon Elastic Kubernetes Service"],"_cs_severities":["high"],"_cs_tags":["kubernetes","image-pulling","anomaly-detection","cloud"],"_cs_type":"advisory","_cs_vendors":["Kubernetes","Amazon"],"content_html":"\u003cp\u003eThis detection focuses on identifying unauthorized or suspicious image pulling activities within a Kubernetes cluster. By monitoring Kubernetes audit logs, the detection triggers when an image pull request is made for an image not present in a predefined list of allowed images. This activity can indicate an attacker attempting to deploy malicious containers, escalate privileges, or infiltrate the system. The scope of targeting is any Kubernetes environment where audit logging is enabled. The detection leverages Kubernetes audit logs and a predefined list of approved images to identify anomalous behavior. Successfully identifying and responding to these events is critical for maintaining the integrity and security of the Kubernetes environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to the Kubernetes cluster, potentially through compromised credentials or a vulnerable application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker enumerates available resources within the cluster, identifying potential targets for malicious container deployment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImage Selection:\u003c/strong\u003e The attacker identifies or crafts a malicious container image to deploy within the Kubernetes environment. This image may contain malware, backdoors, or tools for lateral movement.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImage Pull Request:\u003c/strong\u003e The attacker attempts to pull the malicious image from a registry into the Kubernetes cluster using \u003ccode\u003ekubectl\u003c/code\u003e or similar tools. This action generates an audit log entry.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDetection Trigger:\u003c/strong\u003e The detection analytic compares the requested image against a list of allowed images. Because the malicious image is not on the allow list, the detection triggers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eContainer Deployment:\u003c/strong\u003e If the image pull is successful, the attacker deploys the container within the Kubernetes cluster. This may involve creating a new pod, deployment, or other Kubernetes resource.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Once the malicious container is running, the attacker uses it to move laterally within the cluster, compromising other pods, services, or nodes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objective, such as data exfiltration, denial of service, or complete control of the Kubernetes cluster.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack resulting from suspicious image pulling can have severe consequences. Unauthorized access to sensitive data, deployment of malicious workloads, and lateral movement within the cluster are all potential outcomes. The number of affected systems and the scope of the damage depends on the attacker's objectives and the extent of their access. If the attack succeeds, it can lead to significant financial losses, reputational damage, and disruption of critical services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and configure Kubernetes audit logging to capture all API server requests. Reference: \u0026quot;Kubernetes Audit\u0026quot; data source.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eDetect Kubernetes Suspicious Image Pulling\u003c/code\u003e to identify unauthorized image pulls in your Kubernetes environment.\u003c/li\u003e\n\u003cli\u003eCreate and maintain a comprehensive list of allowed images (\u003ccode\u003ekube_allowed_images\u003c/code\u003e) within your SIEM to minimize false positives.\u003c/li\u003e\n\u003cli\u003eUse the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. \u003ca href=\"https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md\"\u003ehttps://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eWhen you want to use this detection with AWS EKS, you need to enable EKS control plane logging \u003ca href=\"https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html\"\u003ehttps://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html\u003c/a\u003e. Then you can collect the logs from Cloudwatch using the AWS TA \u003ca href=\"https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/\"\u003ehttps://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-kubernetes-suspicious-image-pulling/","summary":"This analytic detects suspicious image pulling in Kubernetes environments by monitoring Kubernetes audit logs for image pull requests that do not match a predefined list of allowed images, potentially indicating malicious software deployment or system infiltration.","title":"Kubernetes Suspicious Image Pulling Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-kubernetes-suspicious-image-pulling/"}],"language":"en","title":"CraftedSignal Threat Feed - Image-Pulling","version":"https://jsonfeed.org/version/1.1"}