
Suspicious Kubernetes API calls indicating permission discovery

ID: k8s_permission_discovery_suspicious
Data type: Kubernetes
Severity: Informational - Medium
MITRE ATT&CK: TA0007:T1069

Description

AlphaSOC detected Kubernetes API calls indicating permission discovery activities. This implies that an authenticated user is querying their permissions to assess whether specific actions can be performed on particular resources. This may be indicative of an adversary attempting to find privilege escalation paths and locate accessible cluster resources.

Impact

Permission discovery enables adversaries to identify access levels across the cluster, identify misconfigurations, and target accounts with elevated privileges. This reconnaissance phase can lead to privilege escalation, unauthorized access to sensitive data, and potential cluster compromise.

Severity

| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent, or namespace |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |

Investigation and Remediation

Review Kubernetes audit logs to identify the source of the permission discovery attempts. Analyze the specific API calls made and the resources accessed. Verify whether the activity originates from authorized users or applications. If unauthorized activity is confirmed, rotate the compromised credentials and review RBAC configurations.
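As an added example (not AlphaSOC's own detection logic), the following Python scores Kubernetes audit events for SelfSubjectAccessReview and SelfSubjectRulesReview creations, the API calls behind `kubectl auth can-i`, using the severity ladder above: one unexpected property is Informational, two Low, three Medium. The per-principal baseline, the IP-to-ASN lookup and the sample audit lines are constructed assumptions, and "action" is taken to mean the verb the caller asked about.

```python
import json

DISCOVERY_RESOURCES = {"selfsubjectaccessreviews", "selfsubjectrulesreviews"}
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}  # 0 deviations: no alert

# Assumed per-principal baseline and IP->ASN lookup (constructed, not from the page).
BASELINE = {"system:serviceaccount:shop:api": {
    "action": {"get", "list"}, "asn": {"AS64500"},
    "user_agent": {"shop-api/1.4"}, "namespace": {"shop"}}}
IP_TO_ASN = {"10.20.0.7": "AS64500", "198.51.100.9": "AS64501"}

def extract(event):
    # Return the four scored properties, or None if not a SelfSubject*Review call.
    if event.get("objectRef", {}).get("resource") not in DISCOVERY_RESOURCES:
        return None
    # requestObject exists only at the RequestResponse audit level; without it the
    # verb/namespace being probed are unknown and fall back to "*".
    spec = event.get("requestObject", {}).get("spec", {})
    attrs = spec.get("resourceAttributes", {})
    return {"user": event["user"]["username"],
            "action": attrs.get("verb", "*"),
            "asn": IP_TO_ASN.get((event.get("sourceIPs") or [""])[0], "unknown"),
            "user_agent": event.get("userAgent", ""),
            "namespace": attrs.get("namespace") or spec.get("namespace") or "*"}

def score(event):
    # Count properties that deviate from the baseline; cap at three (Medium).
    props = extract(event)
    if props is None:
        return None
    expected = BASELINE.get(props["user"])
    if expected is None:
        unexpected = 4  # unknown principal: every property is unexpected
    else:
        unexpected = sum(props[k] not in expected[k] for k in ("action", "asn", "user_agent", "namespace"))
    return SEVERITY.get(min(unexpected, 3))

def triage(lines):
    # (username, severity) for each alert-worthy event in a JSON-lines audit log.
    events = [json.loads(line) for line in lines]
    return [(e["user"]["username"], score(e)) for e in events if score(e)]

# Constructed sample events: baseline check, single deviation, full deviation, non-discovery.
SAMPLE_AUDIT_LOG = [
    '{"verb":"create","user":{"username":"system:serviceaccount:shop:api"},"sourceIPs":["10.20.0.7"],"userAgent":"shop-api/1.4","objectRef":{"resource":"selfsubjectaccessreviews"},"requestObject":{"spec":{"resourceAttributes":{"namespace":"shop","verb":"get","resource":"pods"}}}}',
    '{"verb":"create","user":{"username":"system:serviceaccount:shop:api"},"sourceIPs":["10.20.0.7"],"userAgent":"curl/8.5.0","objectRef":{"resource":"selfsubjectaccessreviews"},"requestObject":{"spec":{"resourceAttributes":{"namespace":"shop","verb":"list","resource":"secrets"}}}}',
    '{"verb":"create","user":{"username":"system:serviceaccount:shop:api"},"sourceIPs":["198.51.100.9"],"userAgent":"kubectl/v1.30.0","objectRef":{"resource":"selfsubjectrulesreviews"},"requestObject":{"spec":{"namespace":"kube-system"}}}',
    '{"verb":"get","user":{"username":"system:serviceaccount:shop:api"},"sourceIPs":["10.20.0.7"],"userAgent":"shop-api/1.4","objectRef":{"resource":"pods","namespace":"shop"}}',
]
```

Running `triage(SAMPLE_AUDIT_LOG)` flags the curl-driven check as Informational and the kube-system rules review from an unknown ASN as Medium, while the baseline check and the plain pod read produce no alert.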

Known False Positives

  • Authorized users reviewing their access levels
  • Applications performing startup permission checks