Techniques
Sample rules
Kubernetes CronJob/Job Modification
- source: sigma
- techniques:
Description
Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.
Detection logic
condition: selection
selection:
  objectRef.apiGroup: batch
  objectRef.resource:
    - cronjobs
    - jobs
  verb:
    - create
    - delete
    - patch
    - replace
    - update
Kubernetes Admission Controller Modification
- source: sigma
- techniques:
- t1078
- t1552
- t1552.007
Description
Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
Detection logic
condition: selection
selection:
  objectRef.apiGroup: admissionregistration.k8s.io
  objectRef.resource:
    - mutatingwebhookconfigurations
    - validatingwebhookconfigurations
  verb:
    - create
    - delete
    - patch
    - replace
    - update
Kubernetes Rolebinding Modification
- source: sigma
- techniques:
Description
Detects when a Kubernetes Rolebinding is created or modified.
Detection logic
condition: selection
selection:
  objectRef.apiGroup: rbac.authorization.k8s.io
  objectRef.resource:
    - clusterrolebindings
    - rolebindings
  verb:
    - create
    - delete
    - patch
    - replace
    - update
Kubernetes Secrets Modified or Deleted
- source: sigma
- techniques:
Description
Detects when Kubernetes Secrets are modified or deleted.
Detection logic
condition: selection
selection:
  objectRef.resource: secrets
  verb:
    - create
    - delete
    - patch
    - replace
    - update
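As an added example that is not part of the rule source or the Sigma project, the following Python matcher applies the four selections above to Kubernetes audit log events: each selection key is a dotted path into the JSON event, all keys must match, and a list value matches any one of its entries (case-insensitively, as Sigma string matching does by default). The function names and the sample audit events are constructed for this illustration.

```python
import json
MODIFY = ["create", "delete", "patch", "replace", "update"]  # verb list shared by all four rules
RULES = {  # selections transcribed from the rules above; a list value is an OR of alternatives
    "Kubernetes CronJob/Job Modification": {
        "objectRef.apiGroup": "batch", "objectRef.resource": ["cronjobs", "jobs"], "verb": MODIFY},
    "Kubernetes Admission Controller Modification": {
        "objectRef.apiGroup": "admissionregistration.k8s.io",
        "objectRef.resource": ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"],
        "verb": MODIFY},
    "Kubernetes Rolebinding Modification": {
        "objectRef.apiGroup": "rbac.authorization.k8s.io",
        "objectRef.resource": ["clusterrolebindings", "rolebindings"], "verb": MODIFY},
    "Kubernetes Secrets Modified or Deleted": {"objectRef.resource": "secrets", "verb": MODIFY},
}

def get_field(event, dotted):
    """Resolve a Sigma dotted field name such as objectRef.resource in a nested audit event."""
    for part in dotted.split("."):
        if not isinstance(event, dict) or part not in event:
            return None
        event = event[part]
    return event

def selection_matches(selection, event):
    """Every field in a selection must match (AND); a list value matches any element (OR)."""
    for field, expected in selection.items():
        choices = expected if isinstance(expected, list) else [expected]
        actual = get_field(event, field)
        if actual is None or str(actual).lower() not in [c.lower() for c in choices]:
            return False
    return True

def evaluate(event):
    """Names of all rules whose selection matches one audit event."""
    return [name for name, sel in RULES.items() if selection_matches(sel, event)]

SAMPLE_AUDIT_LOG = """
{"verb":"create","objectRef":{"apiGroup":"batch","resource":"cronjobs","name":"nightly"}}
{"verb":"get","objectRef":{"apiGroup":"batch","resource":"jobs","name":"backup"}}
{"verb":"patch","objectRef":{"apiGroup":"rbac.authorization.k8s.io","resource":"clusterrolebindings","name":"cluster-admin"}}
{"verb":"delete","objectRef":{"resource":"secrets","namespace":"kube-system","name":"db-password"}}
{"verb":"create","objectRef":{"apiGroup":"admissionregistration.k8s.io","resource":"mutatingwebhookconfigurations","name":"hook"}}
"""  # constructed sample audit log (one JSON event per line), not data from a real cluster

def scan(log_text):
    """Return {line_number: [rule names]} for every event that triggers at least one rule."""
    hits = {}
    for num, line in enumerate(filter(str.strip, log_text.splitlines()), start=1):
        if fired := evaluate(json.loads(line)):
            hits[num] = fired
    return hits
```

Running `scan(SAMPLE_AUDIT_LOG)` flags lines 1, 3, 4 and 5; the read-only `get` on line 2 is not matched because none of the selections list that verb.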