
Sigma rule references as PDF

kubernetes_audit_change_admission_controller

Title : Kubernetes Admission Controller Modification

Rule id : eed82177-38f5-4299-8a76-098d50d225ab

Url Pdf
https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ pdf/90e6ea15312141ef5b7f702145416dec21820ab86f0910b8cb3f55af1af976d9.pdf
https://security.padok.fr/en/blog/kubernetes-webhook-attackers pdf/6a67322cd9037db9a5b6269a2ec121b2faefc6d4bb96a40c879fa00794d483b9.pdf

kubernetes_audit_cronjob_modification

Title : Kubernetes CronJob/Job Modification

Rule id : 0c9b3bda-41a6-4442-9345-356ae86343dc

Url Pdf
https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ pdf/90e6ea15312141ef5b7f702145416dec21820ab86f0910b8cb3f55af1af976d9.pdf
https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob pdf/2b59f70b2b4773c77bbee411d36b5908503fd7a2617b759151bf0b93d4ae69c5.pdf

kubernetes_audit_deployment_deleted

Title : Deployment Deleted From Kubernetes Cluster

Rule id : 40967487-139b-4811-81d9-c9767a92aa5a

Url Pdf
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/ pdf/0b898e6890d8990884e07b239d07ccfea629872bcdb58b65d93c01543af057a9.pdf

kubernetes_audit_events_deleted

Title : Kubernetes Events Deleted

Rule id : 3132570d-cab2-4561-9ea6-1743644b2290

Url Pdf
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ pdf/7059945519bcea791578517c5a44de52acbf78d913b39d6683e35e319c727f14.pdf

kubernetes_audit_exec_into_container

Title : Potential Remote Command Execution In Pod Container

Rule id : a1b0ca4e-7835-413e-8471-3ff2b8a66be6

Url Pdf
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/ pdf/6846c3deaa5ca902a447dc1b7360830698c4f4cb40971af53c5fa40bd31789f6.pdf

kubernetes_audit_hostpath_mount

Title : Container With A hostPath Mount Created

Rule id : 402b955c-8fe0-4a8c-b635-622b4ac5f902

Url Pdf
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/ pdf/1a3ed540ae243a9857ecfce524e98bada9efdff598236f74ffa3ac25ca2a934e.pdf
https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 pdf/02b3781a639b58c627e7c0f04081f4f623be0bcf84f8f0d67c8f0fa56dfe6618.pdf

kubernetes_audit_pod_in_system_namespace

Title : Creation Of Pod In System Namespace

Rule id : a80d927d-ac6e-443f-a867-e8d6e3897318

Url Pdf
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/ pdf/1c5076dccbcdb111e6ff6bc1ab565a143b09067d11e930569ef95c09bd68e45a.pdf

kubernetes_audit_privileged_pod_creation

Title : Privileged Container Deployed

Rule id : c5cd1b20-36bb-488d-8c05-486be3d0cb97

Url Pdf
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ pdf/a41b054b01b76b827a320f957420087331c6bf4e3833764f78f72964adfd2850.pdf
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer pdf/07a95b9e3ca211e76d15cf69c60c897e61ccfc74a9cc805d7302756e5eb94c75.pdf
https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html pdf/27b7100747fd1619564dfbd8195453b0b6e7b85902382039059a745233b5c990.pdf
https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html pdf/1106da5ef7b1a048e8d8fadf3a3013372e33dfc8ce47af0b8ef6732020a15932.pdf

kubernetes_audit_rbac_permisions_listing

Title : RBAC Permission Enumeration Attempt

Rule id : 84b777bd-c946-4d17-aa2e-c39f5a454325

Url Pdf
https://www.elastic.co/guide/en/security/current/kubernetes-suspicious-self-subject-review.html pdf/f61720da309936dbf6c4c7d659044e2a8670dbeb9d5c0b194b9365518279f9d6.pdf

kubernetes_audit_rolebinding_modification

Title : Kubernetes Rolebinding Modification

Rule id : 10b97915-ec8d-455f-a815-9a78926585f6

Url Pdf
https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ pdf/90e6ea15312141ef5b7f702145416dec21820ab86f0910b8cb3f55af1af976d9.pdf
https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab pdf/6dc7c25927da7c2ab9fa03928bcd77f1b9c1b1fa9a0ba9215fe2a99ad89b9187.pdf

kubernetes_audit_secrets_enumeration

Title : Kubernetes Secrets Enumeration

Rule id : eeb3e9e1-b685-44e4-9232-6bb701f925b5

Url Pdf
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ pdf/fffc4a150afeed80987bdc16707e059de264158327c9417975c3a04f11b2b4cb.pdf

kubernetes_audit_secrets_modified_or_deleted

Title : Kubernetes Secrets Modified or Deleted

Rule id : 58d31a75-a4f8-4c40-985b-373d58162ca2

Url Pdf
https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ pdf/90e6ea15312141ef5b7f702145416dec21820ab86f0910b8cb3f55af1af976d9.pdf
https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ pdf/9b59894ab0e6de9429c96e84134acf0a53a68a3ddc1dad388e13f53d8a782fe1.pdf

kubernetes_audit_serviceaccount_creation

Title : New Kubernetes Service Account Created

Rule id : e31bae15-83ed-473e-bf31-faf4f8a17d36

Url Pdf
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ pdf/a1598d1917da4305e010595045bb5d9070ef25fb516c4801086d0d64334bcbb9.pdf

kubernetes_audit_sidecar_injection

Title : Potential Sidecar Injection Into Running Deployment

Rule id : ad9012a6-e518-4432-9890-f3b82b8fc71f

Url Pdf
https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch pdf/a1c0774f95d58d9265b9a71c67d2cbc735f2644c217dd79e83f3b54cce9f5c6d.pdf
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ pdf/eb71a70a51d2a9d3c094d293e7189a0a29f62109cfb4426bf91e3ac95ceaafdb.pdf

kubernetes_audit_unauthorized_unauthenticated_actions

Title : Kubernetes Unauthorized or Unauthenticated Access

Rule id : 0d933542-1f1f-420d-97d4-21b2c3c492d9

Url Pdf
https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ pdf/90e6ea15312141ef5b7f702145416dec21820ab86f0910b8cb3f55af1af976d9.pdf
https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues pdf/7b9c541ae63b90cc29efcca669a8a6a693e9ce57146fb6db53693e6c451981aa.pdf