LoFP / Modifying the Kubernetes admission controller may need to be done by a system administrator.

Techniques

Sample rules

Kubernetes Admission Controller Modification

Description

Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.

Detection logic

condition: selection
selection:
  objectRef.apiGroup: admissionregistration.k8s.io
  objectRef.resource:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verb:
  - create
  - delete
  - patch
  - replace
  - update
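To show how this selection behaves against Kubernetes audit events, and how the false positive above (legitimate administrator changes) can be tuned out by allow-listing known identities, here is an added Python example; it is not code from the rule's source project. It assumes the audit event layout Kubernetes emits (`verb` at top level, `objectRef.apiGroup`, `objectRef.resource`, `user.username`) and uses constructed sample events.

```python
import json

# The Sigma selection from the rule above, as field -> allowed values.
# Sigma treats the fields of one selection as AND and list values as OR.
SELECTION = {
    "objectRef.apiGroup": {"admissionregistration.k8s.io"},
    "objectRef.resource": {"mutatingwebhookconfigurations",
                           "validatingwebhookconfigurations"},
    "verb": {"create", "delete", "patch", "replace", "update"},
}

# Constructed audit events (not real logs), trimmed to the fields the rule needs.
SAMPLE_AUDIT_LOG = [
    '{"verb":"create","user":{"username":"system:serviceaccount:kube-system:cert-manager"},'
    '"objectRef":{"apiGroup":"admissionregistration.k8s.io","resource":"mutatingwebhookconfigurations","name":"cert-manager-webhook"}}',
    '{"verb":"get","user":{"username":"kubelet"},'
    '"objectRef":{"apiGroup":"admissionregistration.k8s.io","resource":"mutatingwebhookconfigurations","name":"cert-manager-webhook"}}',
    '{"verb":"create","user":{"username":"deployer"},'
    '"objectRef":{"apiGroup":"apps","resource":"deployments","name":"web"}}',
    '{"verb":"delete","user":{"username":"admin@example.com"},'
    '"objectRef":{"apiGroup":"admissionregistration.k8s.io","resource":"validatingwebhookconfigurations","name":"policy-webhook"}}',
]


def get_field(event, dotted):
    """Resolve a dotted Sigma field name against a nested audit event; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(event, selection=SELECTION):
    """True when every selection field holds one of its allowed values."""
    return all(get_field(event, f) in allowed for f, allowed in selection.items())


def alerts(lines, allowed_admins=frozenset()):
    """Return (username, verb, object name) for matching events.

    allowed_admins is the false-positive tuning: identities whose changes to
    webhook configurations are expected (platform admins, cert-manager, ...).
    """
    hits = []
    for line in lines:
        event = json.loads(line)
        if matches(event) and get_field(event, "user.username") not in allowed_admins:
            hits.append((get_field(event, "user.username"), event["verb"],
                         get_field(event, "objectRef.name")))
    return hits
```

Start with an empty allow-list, review the hits, and only add identities whose webhook changes are expected; unexpected principals deleting or mutating webhook configurations are exactly what the rule is meant to surface.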