Merge PR SigmaHQ#4694 from @LAripping - Add native Kubernetes detections

new: Container With A hostPath Mount Created
new: Creation Of Pod In System Namespace
new: Deployment Deleted From Kubernetes Cluster
new: Kubernetes Events Deleted
new: Kubernetes Secrets Enumeration
new: New Kubernetes Service Account Created
new: Potential Remote Command Execution In Pod Container
new: Potential Sidecar Injection Into Running Deployment
new: Privileged Container Deployed
new: RBAC Permission Enumeration Attempt 

---------

Co-authored-by: nasbench <[email protected]>

rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml

@@ -0,0 +1,24 @@
+title: Deployment Deleted From Kubernetes Cluster
+id: 40967487-139b-4811-81d9-c9767a92aa5a
+status: experimental
+description: |
+    Detects the removal of a deployment from a Kubernetes cluster.
+    This could indicate disruptive activity aiming to impact business operations.
+references:
+    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1498
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'delete'
+        objectRef.resource: 'deployments'
+    condition: selection
+falsepositives:
+    - Unknown
+level: low

rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml

@@ -0,0 +1,27 @@
+title: Kubernetes Events Deleted
+id: 3132570d-cab2-4561-9ea6-1743644b2290
+related:
+    - id: 225d8b09-e714-479c-a0e4-55e6f29adf35
+      type: derived
+status: experimental
+description: |
+    Detects when events are deleted in Kubernetes.
+    An adversary may delete Kubernetes events in an attempt to evade detection.
+references:
+    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1070
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'delete'
+        objectRef.resource: 'events'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium

rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml

@@ -0,0 +1,24 @@
+title: Potential Remote Command Execution In Pod Container
+id: a1b0ca4e-7835-413e-8471-3ff2b8a66be6
+status: experimental
+description: |
+    Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.
+references:
+    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1609
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'create'
+        objectRef.resource: 'pods'
+        objectRef.subresource: 'exec'
+    condition: selection
+falsepositives:
+    - Legitimate debugging activity. Investigate the identity performing the requests and their authorization.
+level: medium

rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml

@@ -0,0 +1,27 @@
+title: Container With A hostPath Mount Created
+id: 402b955c-8fe0-4a8c-b635-622b4ac5f902
+status: experimental
+description: |
+    Detects creation of a container with a hostPath mount.
+    A hostPath volume mounts a directory or a file from the node to the container.
+    Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
+references:
+    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/
+    - https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1611
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'create'
+        objectRef.resource: 'pods'
+        hostPath: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora
+    condition: selection
+falsepositives:
+    - The DaemonSet controller creates pods with hostPath volumes within the kube-system namespace.
+level: low

rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml

@@ -0,0 +1,27 @@
+title: Creation Of Pod In System Namespace
+id: a80d927d-ac6e-443f-a867-e8d6e3897318
+status: experimental
+description: |
+    Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods.
+    System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names.
+    Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection.
+    Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.
+references:
+    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1036.005
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'create'
+        objectRef.resource: 'pods'
+        objectRef.namespace: kube-system
+    condition: selection
+falsepositives:
+    - System components such as daemon-set-controller and kube-scheduler also create pods in the kube-system namespace
+level: medium

rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml

@@ -0,0 +1,29 @@
+title: Privileged Container Deployed
+id: c5cd1b20-36bb-488d-8c05-486be3d0cb97
+status: experimental
+description: |
+    Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks.
+    A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host.
+    Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields
+references:
+    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/
+    - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer
+    - https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html
+    - https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1611
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'create'
+        objectRef.resource: 'pods'
+        capabilities: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora
+    condition: selection
+falsepositives:
+    - Unknown
+level: low

rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml

@@ -0,0 +1,28 @@
+title: RBAC Permission Enumeration Attempt
+id: 84b777bd-c946-4d17-aa2e-c39f5a454325
+status: experimental
+description: |
+    Detects identities attempting to enumerate their Kubernetes RBAC permissions.
+    In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment.
+    In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command.
+    This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.
+references:
+    - https://www.elastic.co/guide/en/security/current/kubernetes-suspicious-self-subject-review.html
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1069.003
+    - attack.t1087.004
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'create'
+        apiGroup: 'authorization.k8s.io'
+        objectRef.resource: 'selfsubjectrulesreviews'
+    condition: selection
+falsepositives:
+    - Unknown
+level: low

rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml

@@ -0,0 +1,25 @@
+title: Kubernetes Secrets Enumeration
+id: eeb3e9e1-b685-44e4-9232-6bb701f925b5
+related:
+    - id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
+      type: derived
+status: experimental
+description: Detects enumeration of Kubernetes secrets.
+references:
+    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1552.007
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'list'
+        objectRef.resource: 'secrets'
+    condition: selection
+falsepositives:
+    - The Kubernetes dashboard occasionally accesses the kubernetes-dashboard-key-holder secret
+level: low

rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml

@@ -0,0 +1,26 @@
+title: New Kubernetes Service Account Created
+id: e31bae15-83ed-473e-bf31-faf4f8a17d36
+related:
+    - id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
+      type: derived
+status: experimental
+description: |
+    Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
+references:
+    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1136
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'create'
+        objectRef.resource: 'serviceaccounts'
+    condition: selection
+falsepositives:
+    - Unknown
+level: low

rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml

@@ -0,0 +1,28 @@
+title: Potential Sidecar Injection Into Running Deployment
+id: ad9012a6-e518-4432-9890-f3b82b8fc71f
+status: experimental
+description: |
+    Detects attempts to inject a sidecar container into a running deployment.
+    A sidecar container is an additional container within a pod, that resides alongside the main container.
+    One way to add containers to running resources like Deployments/DeamonSets/StatefulSets, is via a "kubectl patch" operation.
+    By injecting a new container within a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separated pod in the cluster.
+references:
+    - https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch
+    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1609
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'patch'
+        apiGroup: 'apps'
+        objectRef.resource: 'deployments'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium

tests/logsource.json

@@ -194,6 +194,16 @@
             },
             "service":{}
         },
+        "kubernetes":{
+            "commun": [],
+            "empty": [],
+            "category":{
+                "application":[]
+            },
+            "service":{
+                "audit": []
+            }
+        },
         "python":{
             "commun": [],
             "empty": [],