
Summary
The rule 'Kubernetes Admission Controller Webhook Created' detects the creation of MutatingWebhookConfiguration or ValidatingWebhookConfiguration resources in Kubernetes environments. Admission controllers are critical components that intercept requests to the Kubernetes API server; an attacker who registers a webhook can therefore intercept or modify API requests, for example to inject backdoors, steal credentials, or perform reconnaissance. This rule monitors audit log events from platforms such as Amazon EKS, Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE) to identify when new webhooks are created, since such creations may indicate unauthorized changes that affect the security of the cluster. The rule includes a runbook that outlines how to investigate the intent behind a webhook creation by reviewing the webhook configuration, the API operations involved, and the previous activity of the user who created it. The associated MITRE ATT&CK techniques cover the credential access and persistence strategies that these configurations can enable.
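As an added illustration of the detection logic this rule describes (example code, not the rule's own query), the following Python flags successful creates of either webhook configuration type in Kubernetes audit events and emits the creating user for the runbook's triage step. The sample events are constructed; field names follow the audit.k8s.io/v1 event schema, which is what EKS, AKS and GKE audit logs carry.

```python
import json

# Webhook object types (Kubernetes audit.k8s.io/v1 objectRef fields).
WEBHOOK_RESOURCES = {"mutatingwebhookconfigurations", "validatingwebhookconfigurations"}
WEBHOOK_API_GROUP = "admissionregistration.k8s.io"

# Constructed sample audit events (not from a real cluster), one JSON object per line.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:kube-system:cert-manager"},"objectRef":{"resource":"mutatingwebhookconfigurations","apiGroup":"admissionregistration.k8s.io","name":"cert-manager-webhook"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"dev-user@example.com"},"objectRef":{"resource":"validatingwebhookconfigurations","apiGroup":"admissionregistration.k8s.io","name":"audit-hook"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"dev-user@example.com"},"objectRef":{"resource":"mutatingwebhookconfigurations","apiGroup":"admissionregistration.k8s.io","name":"denied-hook"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"dev-user@example.com"},"objectRef":{"resource":"mutatingwebhookconfigurations","apiGroup":"admissionregistration.k8s.io","name":"cert-manager-webhook"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"dev-user@example.com"},"objectRef":{"resource":"deployments","apiGroup":"apps","namespace":"default","name":"web"},"responseStatus":{"code":201}}
"""

def is_webhook_creation(event: dict) -> bool:
    """True for a completed, successful create of an admission webhook config."""
    ref = event.get("objectRef") or {}
    code = (event.get("responseStatus") or {}).get("code", 0)
    return (
        event.get("stage") == "ResponseComplete"  # final record, not RequestReceived
        and event.get("verb") == "create"
        and ref.get("apiGroup") == WEBHOOK_API_GROUP
        and ref.get("resource") in WEBHOOK_RESOURCES
        and 200 <= code < 300  # a denied attempt (403) did not create anything
    )

def find_webhook_creations(lines: list[str]) -> list[dict]:
    """Return one triage record per match: who created which webhook."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise instead of crashing the pipeline
        if is_webhook_creation(event):
            hits.append({"user": event["user"]["username"],
                         "kind": event["objectRef"]["resource"],
                         "name": event["objectRef"]["name"]})
    return hits

if __name__ == "__main__":
    for hit in find_webhook_creations(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"ALERT: {hit['user']} created {hit['kind']}/{hit['name']}")
```

On the constructed sample, only the cert-manager and audit-hook creates fire; the 403-denied attempt, the read, and the unrelated Deployment do not. The emitted user field is the starting point for the runbook's review of that principal's prior activity.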
Categories
- Kubernetes
- Cloud
- Infrastructure
Data Sources
- Pod
- Container
- Application Log
- Network Traffic
- Logon Session
ATT&CK Techniques
- T1546
- T1552
- T1530
Created: 2026-02-18