<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Image-Pulling - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/image-pulling/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/image-pulling/feed.xml" rel="self" type="application/rss+xml"/><item><title>Kubernetes Suspicious Image Pulling Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-kubernetes-suspicious-image-pulling/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-kubernetes-suspicious-image-pulling/</guid><description>This analytic detects suspicious image pulling in Kubernetes environments by monitoring Kubernetes audit logs for image pull requests that do not match a predefined list of allowed images, potentially indicating malicious software deployment or system infiltration.</description><content:encoded><![CDATA[<p>This detection focuses on identifying unauthorized or suspicious image pulling activities within a Kubernetes cluster. By monitoring Kubernetes audit logs, the detection triggers when an image pull request is made for an image not present in a predefined list of allowed images. This activity can indicate an attacker attempting to deploy malicious containers, escalate privileges, or infiltrate the system. The scope of targeting is any Kubernetes environment where audit logging is enabled. The detection leverages Kubernetes audit logs and a predefined list of approved images to identify anomalous behavior. Successfully identifying and responding to these events is critical for maintaining the integrity and security of the Kubernetes environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains initial access to the Kubernetes cluster, potentially through compromised credentials or a vulnerable application.</li>
<li><strong>Discovery:</strong> The attacker enumerates available resources within the cluster, identifying potential targets for malicious container deployment.</li>
<li><strong>Image Selection:</strong> The attacker identifies or crafts a malicious container image to deploy within the Kubernetes environment. This image may contain malware, backdoors, or tools for lateral movement.</li>
<li><strong>Image Pull Request:</strong> The attacker attempts to pull the malicious image from a registry into the Kubernetes cluster using <code>kubectl</code> or similar tools. This action generates an audit log entry.</li>
<li><strong>Detection Trigger:</strong> The detection analytic compares the requested image against a list of allowed images. Because the malicious image is not on the allow list, the detection triggers.</li>
<li><strong>Container Deployment:</strong> If the image pull is successful, the attacker deploys the container within the Kubernetes cluster. This may involve creating a new pod, deployment, or other Kubernetes resource.</li>
<li><strong>Lateral Movement:</strong> Once the malicious container is running, the attacker uses it to move laterally within the cluster, compromising other pods, services, or nodes.</li>
<li><strong>Impact:</strong> The attacker achieves their objective, such as data exfiltration, denial of service, or complete control of the Kubernetes cluster.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack resulting from suspicious image pulling can have severe consequences. Unauthorized access to sensitive data, deployment of malicious workloads, and lateral movement within the cluster are all potential outcomes. The number of affected systems and the scope of the damage depends on the attacker's objectives and the extent of their access. If the attack succeeds, it can lead to significant financial losses, reputational damage, and disruption of critical services.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and configure Kubernetes audit logging to capture all API server requests. Reference: &quot;Kubernetes Audit&quot; data source.</li>
<li>Implement the provided Sigma rule <code>Detect Kubernetes Suspicious Image Pulling</code> to identify unauthorized image pulls in your Kubernetes environment.</li>
<li>Create and maintain a comprehensive list of allowed images (<code>kube_allowed_images</code>) within your SIEM to minimize false positives.</li>
<li>Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. <a href="https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md">https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md</a></li>
<li>When you want to use this detection with AWS EKS, you need to enable EKS control plane logging <a href="https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html">https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html</a>. Then you can collect the logs from Cloudwatch using the AWS TA <a href="https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/">https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/</a>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>kubernetes</category><category>image-pulling</category><category>anomaly-detection</category><category>cloud</category></item></channel></rss>