LoFP

kubectl calls are not malicious by nature. However, the source IP, verb and object of a request can reveal potentially malicious activity, especially anonymous requests from suspicious IPs and access to sensitive objects such as ConfigMaps or Secrets.

Techniques

Sample rules

Kubernetes AWS detect suspicious kubectl calls

Description

The following analytic detects anonymous and unauthenticated requests to a Kubernetes cluster. It identifies this behavior in kube_audit logs by matching API calls attributed to the system:anonymous user in the system:unauthenticated group, which is how the API server records a request that carried no bearer token, client certificate or other credential. This activity is significant for a SOC because it indicates a severe misconfiguration (anonymous authentication enabled together with RBAC grants to system:unauthenticated), allowing access to the cluster with no traceability to a person or workload. If confirmed malicious, an attacker could read sensitive data or gain control over the cluster. When triaging, the responseStatus.code field separates probing that RBAC rejected (403) from a request that actually succeeded (2xx), and the objectRef.resource field shows whether sensitive objects such as secrets or configmaps were involved.

Detection logic

`kube_audit` user.username="system:anonymous" user.groups{} IN ("system:unauthenticated") 
| fillnull 
| stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb 
| rename sourceIPs{} as src_ip, user.username as user 
|`kubernetes_aws_detect_suspicious_kubectl_calls_filter`
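The following Python is an added worked example, not part of the LoFP page or of the Splunk rule above: it runs the same pipeline (filter on system:anonymous plus system:unauthenticated, fill absent fields, group and count by the listed fields, rename, then apply a tuning filter) over a few constructed kube-apiserver audit events so the rule's behaviour, including the false-positive note about sensitive objects, can be seen offline. The sample log lines, the `SENSITIVE_RESOURCES` set (taken from the LoFP note) and the `ALLOWED_ANONYMOUS_URIS` allowlist, which stands in for the site-specific `kubernetes_aws_detect_suspicious_kubectl_calls_filter` macro, are assumptions made for this example.

```python
import json
from collections import Counter

# Constructed sample kube-apiserver audit events (JSON lines); not real cluster data.
SAMPLE_AUDIT_LOG = r"""
{"stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"list","user":{"username":"system:anonymous","uid":"","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2024-05-01T10:00:00Z"}
{"stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/configmaps/app-config","verb":"get","user":{"username":"system:anonymous","uid":"","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"configmaps","namespace":"default","name":"app-config"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T10:00:05Z"}
{"stage":"ResponseComplete","requestURI":"/livez","verb":"get","user":{"username":"system:anonymous","uid":"","groups":["system:unauthenticated"]},"sourceIPs":["10.0.0.5"],"userAgent":"kube-probe/1.29","responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T10:00:07Z"}
{"stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"list","user":{"username":"alice","uid":"u-1234","groups":["system:authenticated","developers"]},"sourceIPs":["10.0.0.9"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T10:00:10Z"}
"""

# Fields the SPL `stats count by ...` clause groups by, with the same Splunk field names.
GROUP_BY = (
    "objectRef.name", "objectRef.namespace", "objectRef.resource",
    "requestReceivedTimestamp", "requestURI", "responseStatus.code",
    "sourceIPs{}", "stage", "user.groups{}", "user.uid", "user.username",
    "userAgent", "verb",
)

# Resources the LoFP note calls out as sensitive (assumption: only these two are flagged).
SENSITIVE_RESOURCES = {"secrets", "configmaps"}

# Stand-in for the `kubernetes_aws_detect_suspicious_kubectl_calls_filter` macro, whose
# contents are site-specific. Assumption for this example: the non-resource health and
# version endpoints that the built-in system:public-info-viewer ClusterRole exposes to
# system:unauthenticated are expected anonymous traffic and are tuned out.
ALLOWED_ANONYMOUS_URIS = {"/healthz", "/livez", "/readyz", "/version", "/version/"}


def parse_audit_log(text):
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_anonymous_unauthenticated(event):
    """The rule's search filter: username is system:anonymous AND groups contain system:unauthenticated."""
    user = event.get("user", {})
    return (user.get("username") == "system:anonymous"
            and "system:unauthenticated" in user.get("groups", []))


def get_path(event, dotted):
    """Resolve a Splunk-style field name ('a.b', 'list{}') against the nested event."""
    value = event
    for part in dotted.split("."):
        if part.endswith("{}"):
            part = part[:-2]
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def flatten(event, null="null"):
    """Project the event onto GROUP_BY, filling absent fields as `fillnull` does.
    SPL `fillnull` with no argument fills with 0; 'null' is used here for readability.
    Assumption: multivalue fields are joined with ',' instead of being split into rows."""
    row = {}
    for field in GROUP_BY:
        value = get_path(event, field)
        if value is None:
            value = null
        elif isinstance(value, list):
            value = ",".join(str(v) for v in value)
        row[field] = str(value)
    return row


def passes_filter_macro(row):
    """Tuning stage standing in for the rule's `_filter` macro (see ALLOWED_ANONYMOUS_URIS)."""
    return row["requestURI"] not in ALLOWED_ANONYMOUS_URIS


def run_detection(text):
    """Mirror the SPL pipeline: filter -> fillnull -> stats count by ... -> rename -> filter macro.
    Returns one dict per distinct field combination with a 'count' and a 'sensitive' flag."""
    counts = Counter()
    for event in parse_audit_log(text):
        if not is_anonymous_unauthenticated(event):
            continue
        row = flatten(event)
        if not passes_filter_macro(row):
            continue
        counts[tuple(sorted(row.items()))] += 1

    results = []
    for key, count in counts.items():
        row = dict(key)
        # `rename sourceIPs{} as src_ip, user.username as user`
        row["src_ip"] = row.pop("sourceIPs{}")
        row["user"] = row.pop("user.username")
        row["count"] = count
        row["sensitive"] = row["objectRef.resource"] in SENSITIVE_RESOURCES
        results.append(row)
    return sorted(results, key=lambda r: r["requestReceivedTimestamp"])


if __name__ == "__main__":
    for r in run_detection(SAMPLE_AUDIT_LOG):
        flag = "SENSITIVE" if r["sensitive"] else "         "
        print(f"{flag} {r['src_ip']:<14} {r['verb']:<5} {r['objectRef.resource']:<11} "
              f"{r['objectRef.namespace']}/{r['objectRef.name']} -> {r['responseStatus.code']}")
```

Running it yields two rows, both from the same anonymous source IP: a denied (403) list of secrets in kube-system and a successful (200) get of a ConfigMap in default. The authenticated `alice` request never enters the pipeline, and the anonymous `/livez` probe is removed by the allowlist standing in for the filter macro, which is where site-specific tuning of this rule belongs.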