Rules Contributing to Suspicious Azure Kubernetes Activity: Privilege Escalation Alert

The following rules are used to identify suspicious Azure Kubernetes activity usually in the privilege escalation stage. Any one or more of these will trigger the Suspicious Azure Kubernetes Activity: Privilege Escalation Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Azure Kubernetes Sensitive Role Access

Identifies when ClusterRoles/Roles are being modified or deleted.

Rule ID

azure_76

Query

{'selection': {'operationName': ['MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE', 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE', 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION', 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION', 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE', 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE', 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION', 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION']}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,818fee0c-e0ec-4e45-824e-83e4817b0887

Author: Austin Songer @austinsonger

Tactics, Techniques, and Procedures

TA0004, T1078

References

Severity

50

Suppression Logic Based On

  • azure_activity_log.resourceId
  • azure_activity_log.operationName
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2021/08/07 medium

  • ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

  • ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted

Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.

Rule ID

azure_79

Query

{'selection': {'operationName': ['MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE', 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE', 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE', 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE']}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,25cb259b-bbdc-4b87-98b7-90d7c72f8743

Author: Austin Songer @austinsonger

Tactics, Techniques, and Procedures

TA0004, T1078

References

Severity

50

Suppression Logic Based On

  • azure_activity_log.resourceId
  • azure_activity_log.operationName
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2021/08/07 medium

  • RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

  • RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.