Techniques
Sample rules
GKE Admission Webhook Created or Modified
- source: elastic
- technicques:
- T1546
- T1562
Description
Detects creation or modification of GKE mutating or validating admission webhook configurations by non-system identities. Malicious webhooks can inject workloads, block security tooling, or intercept API traffic for persistence and defense evasion.
Detection logic
data_stream.dataset:gcp.audit and event.outcome:success and event.action:(
"io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.create" or
"io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.update" or
"io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.patch" or
"io.k8s.admissionregistration.v1.validatingwebhookconfigurations.create" or
"io.k8s.admissionregistration.v1.validatingwebhookconfigurations.update" or
"io.k8s.admissionregistration.v1.validatingwebhookconfigurations.patch"
) and not user.email:(
"system:kube-controller-manager" or "system:kube-scheduler" or system\:serviceaccount\:kube-system\:* or
system\:serviceaccount\:gke-managed-system\:* or system\:serviceaccount\:cert-manager\:* or
system\:serviceaccount\:gatekeeper-system\:* or system\:serviceaccount\:kyverno\:* or "system:addon-manager" or
*-operator or *-cainjector or *-webhook or *argocd* or "system:gke-common-webhooks"
)