LoFP / if known behavior is causing false positives, it can be exempted from the rule.

Techniques

• t1053
• t1053.003
• t1074
• t1078
• t1552
• t1552.007

Sample rules

Google Cloud Kubernetes CronJob

• source: sigma
• technicques:

Description

Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

Detection logic

condition: selection
selection:
  gcp.audit.method_name:
  - io.k8s.api.batch.v*.Job
  - io.k8s.api.batch.v*.CronJob

Google Full Network Traffic Packet Capture

• source: sigma
• technicques:
  • t1074

Description

Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.

Detection logic

condition: selection
selection:
  gcp.audit.method_name:
  - v*.Compute.PacketMirrorings.Get
  - v*.Compute.PacketMirrorings.Delete
  - v*.Compute.PacketMirrorings.Insert
  - v*.Compute.PacketMirrorings.Patch
  - v*.Compute.PacketMirrorings.List
  - v*.Compute.PacketMirrorings.aggregatedList

Google Cloud Kubernetes Admission Controller

• source: sigma
• technicques:
  • t1078
  • t1552
  • t1552.007

Description

Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Detection logic

condition: selection
selection:
  gcp.audit.method_name|contains:
  - .mutatingwebhookconfigurations.
  - .validatingwebhookconfigurations.
  gcp.audit.method_name|endswith:
  - create
  - patch
  - replace
  gcp.audit.method_name|startswith: admissionregistration.k8s.io.v

AWS Glue Development Endpoint Activity

• source: sigma
• technicques:

Description

Detects possible suspicious glue development endpoint activity.

Detection logic

condition: selection
selection:
  eventName:
  - CreateDevEndpoint
  - DeleteDevEndpoint
  - UpdateDevEndpoint
  eventSource: glue.amazonaws.com

Azure Kubernetes Admission Controller

• source: sigma
• technicques:
  • t1078
  • t1552
  • t1552.007

Description

Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Detection logic

condition: selection
selection:
  operationName|endswith:
  - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE
  - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE
  operationName|startswith:
  - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
  - MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO

Azure Kubernetes CronJob

• source: sigma
• technicques:
  • t1053
  • t1053.003

Description

Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

Detection logic

condition: selection
selection:
  operationName|endswith:
  - /CRONJOBS/WRITE
  - /JOBS/WRITE
  operationName|startswith:
  - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH
  - MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH