<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Scanning - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/scanning/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/scanning/feed.xml" rel="self" type="application/rss+xml"/><item><title>Kubernetes Scanning by Unauthenticated IP Address</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-kubernetes-scanning/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-kubernetes-scanning/</guid><description>Detects potential scanning activities within a Kubernetes environment by identifying multiple unauthorized access attempts (HTTP 403 responses) from unauthenticated IP addresses in Kubernetes audit logs, potentially indicating vulnerability probing or exploitation attempts.</description><content:encoded><![CDATA[<p>This analytic identifies potential scanning activities within a Kubernetes environment by unauthenticated IP addresses. It leverages Kubernetes audit logs to detect multiple unauthorized access attempts (HTTP 403 responses) from the same source IP. This activity is significant as it may indicate an attacker probing for vulnerabilities or attempting to exploit known issues within the Kubernetes infrastructure. Successful scanning may allow attackers to identify exposed services, misconfigurations, or vulnerabilities that can be further exploited to gain unauthorized access, escalate privileges, or disrupt services. The detection focuses on identifying patterns indicative of automated scanning rather than legitimate user activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a Kubernetes cluster as a potential target.</li>
<li>Attacker attempts to access various Kubernetes API endpoints without proper authentication, resulting in HTTP 403 errors.</li>
<li>Kubernetes API server logs the unauthorized access attempts in the audit logs, including the source IP address, requested URI, and response code.</li>
<li>The detection analytic monitors Kubernetes audit logs for multiple 403 errors originating from the same unauthenticated IP address.</li>
<li>The analytic aggregates access attempts by source IP, country, and city, counting the number of 403 responses.</li>
<li>If the count of 403 responses from a single IP exceeds a threshold (e.g., 5), the IP is flagged as potentially engaged in scanning.</li>
<li>Security team investigates the flagged IP to determine the legitimacy of the activity.</li>
<li>If the activity is confirmed as malicious scanning, appropriate actions are taken to block the IP and further investigate any potential vulnerabilities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Unsuccessful exploitation attempts may precede successful ones. Kubernetes scanning activity often represents reconnaissance efforts to identify exploitable entry points. If successful, attackers may gain unauthorized access to sensitive data, escalate privileges, or disrupt critical services running within the Kubernetes cluster. This activity can lead to data breaches, service outages, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Kubernetes audit logging to capture API server requests, which is essential for this detection to function.</li>
<li>Deploy the provided Sigma rule to your SIEM and tune the threshold (count &gt; 5) based on your environment's baseline.</li>
<li>Use the <code>kube_audit</code> macro to standardize your Kubernetes audit log data source for use with the Sigma rule.</li>
<li>Investigate any alerts generated by the Sigma rule to determine the legitimacy of the scanning activity and take appropriate remediation steps.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>kubernetes</category><category>scanning</category><category>cloud</category></item><item><title>Kubernetes Access Scanning Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-kubernetes-access-scanning/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-kubernetes-access-scanning/</guid><description>This analytic detects potential reconnaissance activities within a Kubernetes environment by identifying repeated failed access attempts or unusual API requests from unauthenticated users based on Kubernetes audit logs, indicating a potential attacker's preliminary reconnaissance.</description><content:encoded><![CDATA[<p>This detection analytic focuses on identifying potential scanning activities targeting Kubernetes environments. It leverages Kubernetes audit logs to detect unauthorized access attempts, probing of public APIs, and potential attempts to exploit known vulnerabilities. The analytic specifically monitors for repeated failed access attempts (HTTP 403 errors) originating from unauthenticated users. The goal is to identify attackers performing preliminary reconnaissance to gather information about the Kubernetes system, which could precede more serious malicious activities. This activity is significant because successful reconnaissance can provide attackers with the information they need to gain unauthorized access to sensitive systems or data within the cluster. The detection logic uses events where &quot;user.groups{}&quot;=&quot;system:unauthenticated&quot; and &quot;responseStatus.code&quot;=403, aggregated by source IP to identify hosts exceeding a threshold of failed requests.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access Attempt:</strong> An attacker attempts to access the Kubernetes API server without proper authentication, potentially using default credentials or exploiting misconfigurations.</li>
<li><strong>Unauthorized API Request:</strong> The attacker sends a request to a protected API endpoint, resulting in a 403 Forbidden error.</li>
<li><strong>Reconnaissance Scanning:</strong> The attacker repeats the unauthorized API requests across multiple endpoints or using various techniques to map the Kubernetes environment.</li>
<li><strong>Audit Log Generation:</strong> Each failed access attempt is logged as an audit event within the Kubernetes audit logs, recording details such as the source IP, requested URI, and response code.</li>
<li><strong>Log Aggregation and Analysis:</strong> Security monitoring tools, like Splunk, collect and aggregate the Kubernetes audit logs.</li>
<li><strong>Threshold Trigger:</strong> The analytic detects a source IP exceeding a defined threshold (e.g., 5) of failed access attempts (403 errors) from unauthenticated users within a specific timeframe.</li>
<li><strong>Alert Generation:</strong> An alert is triggered, indicating potential scanning activity originating from the identified source IP.</li>
<li><strong>Further Exploitation:</strong> If successful, the attacker leverages the information gathered during the scanning phase to exploit vulnerabilities, escalate privileges, or deploy malicious workloads within the Kubernetes cluster.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful Kubernetes access scanning allows attackers to map the internal structure of the cluster, identify exposed services, and discover potential vulnerabilities. This reconnaissance phase can lead to unauthorized access to sensitive data, compromise of containerized applications, and lateral movement within the cluster. Depending on the compromised application's function and data access, the attacker could steal secrets, sensitive data, or pivot to other internal systems. The impact can range from data breaches and service disruption to complete control over the Kubernetes cluster.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Kubernetes audit logging to generate the required data source for this detection. Configure the audit policy to capture sufficient detail on API requests, including user identity, request URI, and response status (Kubernetes Audit).</li>
<li>Deploy the provided Sigma rules to your SIEM and tune the threshold (<code>count &gt; 5</code>) based on your environment's baseline activity and acceptable false positive rate (Sigma Rules).</li>
<li>Investigate alerts triggered by the Sigma rules, focusing on the source IP address (<code>src_ip</code>) and the specific API requests made to determine the nature and intent of the scanning activity.</li>
<li>Block the identified scanning source IP addresses (<code>sourceIPs{}</code>) at your network perimeter or within your Kubernetes network policies to prevent further reconnaissance attempts.</li>
<li>Review and harden Kubernetes security configurations to minimize the attack surface and prevent unauthorized access to API endpoints (Kubernetes documentation).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>kubernetes</category><category>scanning</category><category>reconnaissance</category></item></channel></rss>