Summary
This detection rule identifies attempts by identities in a Kubernetes environment to enumerate their own Role-Based Access Control (RBAC) permissions. During the reconnaissance phase of a potential breach, attackers may try to discover which permissions they hold by calling the Kubernetes API server, specifically through the SelfSubjectAccessReview mechanism. A common command used in such scenarios is "kubectl auth can-i --list", which returns a detailed list of all permissions the compromised user has. This rule applies specific filter criteria to detect API calls that create selfsubjectrulesreviews, allowing security teams to surface this potentially malicious activity early.
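The filter described above, applied to Kubernetes API server audit log lines, as an added example that is not the rule's own query or code. It assumes the audit log is written in the standard one-JSON-event-per-line format (audit.k8s.io/v1) and, going slightly beyond the summary, matches both selfsubjectrulesreviews and selfsubjectaccessreviews in the authorization.k8s.io API group. The audit events below are constructed for illustration, not captured from a real cluster.

```python
import json
from typing import Dict, List

# Constructed sample audit events (not real cluster data). The first two lines
# are the RequestReceived and ResponseComplete stages of the same request: the
# API server emits one event per stage, so a detector that does not filter on
# stage would report each "kubectl auth can-i --list" call twice.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                "stage": "RequestReceived", "verb": "create",
                "user": {"username": "system:serviceaccount:default:webapp"},
                "sourceIPs": ["10.0.0.12"],
                "objectRef": {"resource": "selfsubjectrulesreviews",
                              "apiGroup": "authorization.k8s.io"},
                "requestReceivedTimestamp": "2024-03-26T10:00:00.000000Z"}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                "stage": "ResponseComplete", "verb": "create",
                "user": {"username": "system:serviceaccount:default:webapp"},
                "sourceIPs": ["10.0.0.12"],
                "objectRef": {"resource": "selfsubjectrulesreviews",
                              "apiGroup": "authorization.k8s.io"},
                "requestReceivedTimestamp": "2024-03-26T10:00:00.000000Z",
                "responseStatus": {"code": 201}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                "stage": "ResponseComplete", "verb": "list",
                "user": {"username": "system:serviceaccount:default:webapp"},
                "objectRef": {"resource": "pods", "namespace": "default"},
                "requestReceivedTimestamp": "2024-03-26T10:00:01.000000Z"}),
    "this line is not JSON and must be skipped, not crash the detector",
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                "stage": "ResponseComplete", "verb": "create",
                "user": {"username": "jane@example.com", "groups": ["dev"]},
                "sourceIPs": ["203.0.113.7"],
                "objectRef": {"resource": "selfsubjectaccessreviews",
                              "apiGroup": "authorization.k8s.io"},
                "requestReceivedTimestamp": "2024-03-26T10:05:00.000000Z",
                "responseStatus": {"code": 201}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                "stage": "ResponseComplete", "verb": "create",
                "user": {"username": "jane@example.com"},
                "objectRef": {"resource": "deployments", "apiGroup": "apps"},
                "requestReceivedTimestamp": "2024-03-26T10:06:00.000000Z"}),
])

# Resources an identity creates to ask the API server about its own permissions.
SELF_REVIEW_RESOURCES = {"selfsubjectrulesreviews", "selfsubjectaccessreviews"}


def is_self_subject_review(event: Dict) -> bool:
    """True when the event is a completed request creating a self-subject review."""
    if event.get("stage") != "ResponseComplete":  # count each request once
        return False
    if event.get("verb") != "create":
        return False
    ref = event.get("objectRef") or {}
    return (ref.get("apiGroup") == "authorization.k8s.io"
            and ref.get("resource") in SELF_REVIEW_RESOURCES)


def detect(audit_log: str) -> List[Dict]:
    """Scan newline-delimited audit events and return one finding per match."""
    findings = []
    for raw in audit_log.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the scan
        if is_self_subject_review(event):
            findings.append({
                "user": (event.get("user") or {}).get("username", "<unknown>"),
                "resource": event["objectRef"]["resource"],
                "source_ips": event.get("sourceIPs", []),
                "timestamp": event.get("requestReceivedTimestamp"),
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_AUDIT_LOG):
        print(finding)
```

Filtering on the ResponseComplete stage is the detail most worth carrying into a production query: without it every self-review request surfaces twice. The username in each finding is what lets analysts separate a legitimate operator checking their own access from a service account that should never have a reason to ask.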
Categories
- Kubernetes
- Cloud
- Application
Data Sources
- Kernel
- Cloud Service
- Process
- Application Log
Created: 2024-03-26