LoFP / Cluster operators and GitOps automation may legitimately install or upgrade admission controllers (e.g. cert-manager, Gatekeeper, Kyverno, service mesh components). Validate change tickets and the list of approved controllers before tuning.

Techniques

Sample rules

Kubernetes Admission Webhook Created or Modified

Description

Detects creation, modification, or deletion of Kubernetes MutatingWebhookConfigurations or ValidatingWebhookConfigurations by non-system identities. Admission webhooks intercept every API request matching their rules before persistence, giving an attacker powerful capabilities: injecting malicious sidecars into every new pod via a mutating webhook, blocking security tooling deployments via a validating webhook, or silently exfiltrating pod specifications to an external server. Webhook manipulation is a stealthy persistence and defense evasion technique because the webhook configuration itself looks benign in kubectl output while actively modifying or intercepting all matching Kubernetes API traffic.

Detection logic

kubernetes.audit.objectRef.resource:("mutatingwebhookconfigurations" or "validatingwebhookconfigurations") and
kubernetes.audit.verb:("create" or "update" or "patch" or "delete") and
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
user.name:(* and not
  (system\:kube-controller-manager or
  system\:kube-scheduler or
  system\:serviceaccount\:kube-system\:* or
  eks\:* or aksService or masterclient or nodeclient or
  system\:serviceaccount\:gke-managed-system\:* or
  system\:serviceaccount\:cert-manager\:* or
  system\:serviceaccount\:gatekeeper-system\:* or
  system\:serviceaccount\:kyverno\:* or
  system\:serviceaccount\:*\:*-operator)
) and
kubernetes.audit.objectRef.name:(* and not (pod-identity-webhook or vpc-resource-mutating-webhook or eks-* or gke-*))
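The rule above replayed over constructed audit events, as an added example that is not part of the rule's source: it mirrors the KQL exclusion lists with glob matching and assumes the raw audit-log field `user.username` (which the Elastic integration maps to `user.name`).

```python
import fnmatch
import json

# Exclusion lists copied from the rule's user.name and objectRef.name clauses (glob syntax).
# Raw audit records carry the identity as user.username; the Elastic integration maps it to user.name.
EXCLUDED_USERS = [
    "system:kube-controller-manager", "system:kube-scheduler",
    "system:serviceaccount:kube-system:*", "eks:*", "aksService", "masterclient", "nodeclient",
    "system:serviceaccount:gke-managed-system:*", "system:serviceaccount:cert-manager:*",
    "system:serviceaccount:gatekeeper-system:*", "system:serviceaccount:kyverno:*",
    "system:serviceaccount:*:*-operator",
]
EXCLUDED_NAMES = ["pod-identity-webhook", "vpc-resource-mutating-webhook", "eks-*", "gke-*"]
RESOURCES = {"mutatingwebhookconfigurations", "validatingwebhookconfigurations"}
VERBS = {"create", "update", "patch", "delete"}

def _excluded(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def matches(event):
    """True when one audit event satisfies every clause of the rule."""
    obj = event.get("objectRef", {})
    user = event.get("user", {}).get("username", "")
    name = obj.get("name", "")
    decision = event.get("annotations", {}).get("authorization.k8s.io/decision")
    return (
        obj.get("resource") in RESOURCES
        and event.get("verb") in VERBS
        and decision == "allow"
        and bool(user) and not _excluded(user, EXCLUDED_USERS)  # user.name:(* and not (...))
        and bool(name) and not _excluded(name, EXCLUDED_NAMES)  # objectRef.name:(* and not (...))
    )

def alerts(audit_lines):
    """Run the rule over JSON-lines audit events; return (user, verb, name) per hit."""
    hits = []
    for line in audit_lines:
        ev = json.loads(line)
        if matches(ev):
            hits.append((ev["user"]["username"], ev["verb"], ev["objectRef"]["name"]))
    return hits

# Constructed sample audit events, not real cluster data.
SAMPLE_LINES = [
    '{"verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"mutatingwebhookconfigurations","name":"sidecar-injector"},"annotations":{"authorization.k8s.io/decision":"allow"}}',
    '{"verb":"update","user":{"username":"system:serviceaccount:cert-manager:cert-manager-cainjector"},"objectRef":{"resource":"validatingwebhookconfigurations","name":"cert-manager-webhook"},"annotations":{"authorization.k8s.io/decision":"allow"}}',
    '{"verb":"patch","user":{"username":"system:serviceaccount:flux-system:helm-operator"},"objectRef":{"resource":"mutatingwebhookconfigurations","name":"policy-mutator"},"annotations":{"authorization.k8s.io/decision":"allow"}}',
    '{"verb":"delete","user":{"username":"bob"},"objectRef":{"resource":"validatingwebhookconfigurations","name":"gatekeeper-validating-webhook-configuration"},"annotations":{"authorization.k8s.io/decision":"forbid"}}',
    '{"verb":"delete","user":{"username":"bob"},"objectRef":{"resource":"validatingwebhookconfigurations","name":"gatekeeper-validating-webhook-configuration"},"annotations":{"authorization.k8s.io/decision":"allow"}}',
]
```

Only the two human-identity changes survive the filter; the cert-manager and `*-operator` service accounts and the forbidden request are dropped exactly as the KQL exclusions intend, which is where the false positives named at the top of this page are tuned.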