Name:Amazon EKS Kubernetes Pod scan detection id:dbfca1dd-b8e5-4ba4-be0e-e565e5d62002 version:3 date:2024-10-17 author:Rod Soto, Splunk status:experimental type:Hunting Description:The following analytic detects unauthenticated requests made against the Kubernetes Pods API, indicating potential unauthorized access attempts. It leverages the `aws_cloudwatchlogs_eks` data source, filtering for events where `user.username` is "system:anonymous", `verb` is "list", and `objectRef.resource` is "pods", with `requestURI` set to "/api/v1/pods". This activity is significant as it may signal attempts to access sensitive resources or execute unauthorized commands within the Kubernetes environment. If confirmed malicious, such access could lead to data compromise, unauthorized command execution, or lateral movement within the cluster. Data_source:
search:`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" verb=list objectRef.resource=pods requestURI="/api/v1/pods" | rename source as cluster_name sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter`
how_to_implement:You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives. known_false_positives:Not all unauthenticated requests are malicious, but frequency, UA and source IPs and direct request to API provide context. References: drilldown_searches:
: tags: analytic_story: - 'Kubernetes Scanning Activity' asset_type:Amazon EKS Kubernetes cluster Pod confidence:50 impact:50 message:tbd mitre_attack_id: - 'T1526' observable: name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'user.username' - 'verb' - 'objectRef.resource' - 'requestURI' - 'source' - 'sourceIPs{}' - 'responseStatus.reason' - 'responseStatus.code' - 'userAgent' - 'src_ip' - 'user.groups{}' risk_score:25 security_domain:threat
