LoFP / Not all unauthenticated requests are malicious, but frequency, user agent, source IPs and direct requests to the API provide context.

Sample rules

Amazon EKS Kubernetes Pod scan detection

Description

The following analytic detects unauthenticated requests made against the Kubernetes Pods API, indicating potential unauthorized access attempts. It leverages the aws_cloudwatchlogs_eks data source, filtering for events where user.username is “system:anonymous”, verb is “list”, and objectRef.resource is “pods”, with requestURI set to “/api/v1/pods”. This activity is significant as it may signal attempts to access sensitive resources or execute unauthorized commands within the Kubernetes environment. If confirmed malicious, such access could lead to data compromise, unauthorized command execution, or lateral movement within the cluster.

Detection logic

`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" verb=list objectRef.resource=pods requestURI="/api/v1/pods" 
| rename source as cluster_name sourceIPs{} as src_ip 
| stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{} 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `amazon_eks_kubernetes_pod_scan_detection_filter`

Amazon EKS Kubernetes cluster scan detection

Description

The following analytic detects unauthenticated requests to an Amazon EKS Kubernetes cluster, specifically identifying actions by the “system:anonymous” user. It leverages AWS CloudWatch Logs data, focusing on user agents and authentication details. This activity is significant as it may indicate unauthorized scanning or probing of the Kubernetes cluster, which could be a precursor to an attack. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of services within the Kubernetes environment.

Detection logic

`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" userAgent!="AWS Security Scanner" 
| rename sourceIPs{} as src_ip 
| stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) by src_ip user.username user.groups{} 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `amazon_eks_kubernetes_cluster_scan_detection_filter`
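The two rules above differ only in their filter and in their `stats ... by` grouping; both read the same Kubernetes audit log fields that EKS ships to CloudWatch. The following Python is an added example, not code from the LoFP page or from Splunk's detection content: it flattens raw audit events into the dotted field names the SPL uses, applies each rule's filter, and groups matches the way the `stats` clauses do, so that the count, user agents and request URIs the false-positive note points to are available for triage. The `source` value standing in for Splunk's source metadata (used as `cluster_name`), the `_audit_line` helper and every sample record are constructed for this example; a multivalued `sourceIPs{}` produces one row per IP, as `by src_ip` does in Splunk.

```python
"""Added example: apply the EKS pod-scan and cluster-scan filters to raw audit events."""
import json
from datetime import datetime


def _audit_line(ts, verb, uri, ua, user, groups, ip, resource=None, code=403, reason="Forbidden"):
    """Build one constructed Kubernetes audit log line with the fields the rules inspect."""
    ev = {"stageTimestamp": ts, "verb": verb, "requestURI": uri, "userAgent": ua,
          "user": {"username": user, "groups": groups}, "sourceIPs": [ip],
          "responseStatus": {"code": code, "reason": reason}}
    if resource:
        ev["objectRef"] = {"resource": resource}
    return json.dumps(ev)


ANON, UNAUTH = "system:anonymous", ["system:unauthenticated"]
# Constructed records: `source` stands in for Splunk's source metadata (assumed to
# carry the cluster name), `event` is the raw audit log line from CloudWatch.
SAMPLE_RECORDS = [
    {"source": "eks-prod", "event": _audit_line("2024-05-01T10:00:00Z", "list", "/api/v1/pods",
                                                 "curl/8.0.1", ANON, UNAUTH, "203.0.113.10", resource="pods")},
    {"source": "eks-prod", "event": _audit_line("2024-05-01T10:05:00Z", "list", "/api/v1/pods",
                                                 "curl/8.0.1", ANON, UNAUTH, "203.0.113.10", resource="pods")},
    # Excluded from the cluster-scan rule by its user agent.
    {"source": "eks-prod", "event": _audit_line("2024-05-01T10:06:00Z", "get", "/version",
                                                 "AWS Security Scanner", ANON, UNAUTH, "203.0.113.10", code=200, reason=None)},
    # Anonymous probe of the API root: cluster-scan match only (verb is not list).
    {"source": "eks-prod", "event": _audit_line("2024-05-01T11:30:00Z", "get", "/api",
                                                 "python-requests/2.31.0", ANON, UNAUTH, "198.51.100.7")},
    # Authenticated admin listing pods: matches neither rule.
    {"source": "eks-prod", "event": _audit_line("2024-05-01T11:31:00Z", "list", "/api/v1/pods", "kubectl/v1.29.0",
                                                 "kubernetes-admin", ["system:masters", "system:authenticated"],
                                                 "10.0.4.12", resource="pods", code=200, reason=None)},
]


def _get(d, *keys):
    """Nested lookup that returns None when a key is absent (like a missing Splunk field)."""
    for k in keys:
        if not isinstance(d, dict) or k not in d:
            return None
        d = d[k]
    return d


def flatten(record):
    """Turn one record into the flat, dotted field names the SPL above refers to."""
    ev = json.loads(record["event"])
    return {
        "_time": datetime.fromisoformat(ev["stageTimestamp"].replace("Z", "+00:00")),
        "cluster_name": record["source"],            # `rename source as cluster_name`
        "src_ips": list(ev.get("sourceIPs", [])),    # sourceIPs{} is multivalued
        "user.username": _get(ev, "user", "username"),
        "user.groups{}": tuple(_get(ev, "user", "groups") or ()),
        "verb": ev.get("verb"),
        "requestURI": ev.get("requestURI"),
        "userAgent": ev.get("userAgent"),
        "objectRef.resource": _get(ev, "objectRef", "resource"),
        "responseStatus.code": _get(ev, "responseStatus", "code"),
        "responseStatus.reason": _get(ev, "responseStatus", "reason"),
    }


def is_pod_scan(ev):
    """Filter of 'Amazon EKS Kubernetes Pod scan detection'."""
    return (ev["user.username"] == "system:anonymous" and ev["verb"] == "list"
            and ev["objectRef.resource"] == "pods" and ev["requestURI"] == "/api/v1/pods")


def is_cluster_scan(ev):
    """Filter of 'Amazon EKS Kubernetes cluster scan detection'."""
    return ev["user.username"] == "system:anonymous" and ev["userAgent"] != "AWS Security Scanner"


def aggregate(events, predicate, group_by, value_fields):
    """Mimic `stats count min(_time) max(_time) values(...) by ...`; one row per source IP."""
    rows = {}
    for ev in events:
        if not predicate(ev):
            continue
        for ip in ev["src_ips"]:
            row_ev = dict(ev, src_ip=ip)
            key = tuple(row_ev[f] for f in group_by)
            row = rows.setdefault(key, {"count": 0, "firstTime": None, "lastTime": None,
                                        **{f: set() for f in value_fields}})
            row["count"] += 1
            t = row_ev["_time"]
            row["firstTime"] = t if row["firstTime"] is None else min(row["firstTime"], t)
            row["lastTime"] = t if row["lastTime"] is None else max(row["lastTime"], t)
            for f in value_fields:
                row[f].add(row_ev[f])
    return rows


POD_SCAN_BY = ("src_ip", "cluster_name", "user.username", "user.groups{}")
POD_SCAN_VALUES = ("responseStatus.reason", "responseStatus.code", "userAgent", "verb", "requestURI")
CLUSTER_SCAN_BY = ("src_ip", "user.username", "user.groups{}")
CLUSTER_SCAN_VALUES = ("responseStatus.reason", "cluster_name", "responseStatus.code", "userAgent", "verb", "requestURI")


def run_detections(records):
    """Run both rules over raw records; returns {rule_name: {group_key: stats_row}}."""
    events = [flatten(r) for r in records]
    return {"pod_scan": aggregate(events, is_pod_scan, POD_SCAN_BY, POD_SCAN_VALUES),
            "cluster_scan": aggregate(events, is_cluster_scan, CLUSTER_SCAN_BY, CLUSTER_SCAN_VALUES)}


if __name__ == "__main__":
    for rule, rows in run_detections(SAMPLE_RECORDS).items():
        for key, row in rows.items():
            # Count, user agents and URIs are the triage context the LoFP note calls out.
            print(rule, key[0], row["count"], sorted(row["userAgent"]), sorted(row["requestURI"]),
                  row["firstTime"].isoformat(), row["lastTime"].isoformat())
```

On the sample records the pod-scan rule yields a single row (two `list /api/v1/pods` requests from one IP), while the cluster-scan rule yields two rows and drops the `AWS Security Scanner` request, which is exactly the user-agent exclusion the second rule adds.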