Persistence (TA0003)(external, opens in a new tab or window)
Privilege Escalation (TA0004)(external, opens in a new tab or window)
text code block:data_stream.dataset:gcp.audit and service.name:"k8s.io" and event.outcome:success and event.action:( "io.k8s.authorization.rbac.v1.roles.create" or "io.k8s.authorization.rbac.v1.roles.update" or "io.k8s.authorization.rbac.v1.roles.patch" or "io.k8s.authorization.rbac.v1.clusterroles.create" or "io.k8s.authorization.rbac.v1.clusterroles.update" or "io.k8s.authorization.rbac.v1.clusterroles.patch" ) and not source.ip:("::1" or "127.0.0.1") and not ( client.user.email:"system:serviceaccount:kube-system:clusterrole-aggregation-controller" and gcp.audit.request.metadata.name:(admin or edit) and event.action:"io.k8s.authorization.rbac.v1.clusterroles.patch" ) and not ( client.user.email:"system:addon-manager" and event.action:( "io.k8s.authorization.rbac.v1.roles.patch" or "io.k8s.authorization.rbac.v1.clusterroles.patch" ) ) and ( gcp.audit.request.rules.verbs:("*" or escalate or bind or impersonate) or ( gcp.audit.request.rules.verbs:("*" or create or patch or update) and gcp.audit.request.rules.resources:( "*" or clusterroles or clusterrolebindings or roles or rolebindings or pods/exec or serviceaccounts/token or nodes/proxy or daemonsets ) ) or ( gcp.audit.request.rules.verbs:("*" or get or list) and gcp.audit.request.rules.resources:("*" or secrets) ) or gcp.audit.response.rules.verbs:("*" or escalate or bind or impersonate) or ( gcp.audit.response.rules.verbs:("*" or create or patch or update) and gcp.audit.response.rules.resources:( "*" or clusterroles or clusterrolebindings or roles or rolebindings or pods/exec or serviceaccounts/token or nodes/proxy or daemonsets ) ) or ( gcp.audit.response.rules.verbs:("*" or get or list) and gcp.audit.response.rules.resources:("*" or secrets) ) )
Install detection rules in Elastic Security
Detect GKE Creation or Modification of Sensitive Role in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).