Kubernetes Admission Webhook Created or Modified

Last updated: 2026-05-05
Created: 2026-05-05

About

Detects creation, modification, or deletion of Kubernetes MutatingWebhookConfigurations or ValidatingWebhookConfigurations by non-system identities. Admission webhooks intercept every API request matching their rules before persistence, giving an attacker powerful capabilities: injecting malicious sidecars into every new pod via a mutating webhook, blocking security tooling deployments via a validating webhook, or silently exfiltrating pod specifications to an external server. Webhook manipulation is a stealthy persistence and defense evasion technique because the webhook configuration itself looks benign in kubectl output while actively modifying or intercepting all matching Kubernetes API traffic.
Tags
Data Source: Kubernetes
Domain: Kubernetes
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Persistence (TA0003)

Defense Evasion (TA0005)

False Positive Examples
Cluster operators and GitOps automation may legitimately install or upgrade admission controllers (e.g. cert-manager, Gatekeeper, Kyverno, service mesh components). Validate change tickets and approved controllers before tuning.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-kubernetes.audit_logs-*
Related Integrations

kubernetes

Query
kubernetes.audit.objectRef.resource:("mutatingwebhookconfigurations" or "validatingwebhookconfigurations")
  and kubernetes.audit.verb:("create" or "update" or "patch" or "delete")
  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
  and user.name:(* and not (
        system\:kube-controller-manager or system\:kube-scheduler
        or system\:serviceaccount\:kube-system\:* or eks\:* or aksService
        or masterclient or nodeclient
        or system\:serviceaccount\:gke-managed-system\:*
        or system\:serviceaccount\:cert-manager\:*
        or system\:serviceaccount\:gatekeeper-system\:*
        or system\:serviceaccount\:kyverno\:*
        or system\:serviceaccount\:*\:*-operator))
  and kubernetes.audit.objectRef.name:(* and not (
        pod-identity-webhook or vpc-resource-mutating-webhook or eks-* or gke-*))
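To make the rule's matching and exclusion logic concrete, the following Python re-implements the KQL predicate above and runs it over a handful of constructed Kubernetes audit events. This is an added example, not Elastic's rule code or part of the Prebuilt Security Detection Rules pack: the event shape (nested `kubernetes.audit` / `user.name` dictionaries), the sample identities and webhook names, and the use of `fnmatchcase` to stand in for KQL wildcards are all assumptions made here for illustration.

```python
"""Added example: the admission-webhook rule's conditions, applied in Python
to constructed audit events (not Elastic's code; event shape is assumed)."""
from fnmatch import fnmatchcase

# Resource kinds and verbs the rule watches.
WEBHOOK_RESOURCES = {"mutatingwebhookconfigurations", "validatingwebhookconfigurations"}
WATCHED_VERBS = {"create", "update", "patch", "delete"}

# Identities excluded by the rule's user.name clause; '*' stands in for the
# KQL wildcard (fnmatch '*' also crosses ':' boundaries, as KQL does).
EXCLUDED_USERS = [
    "system:kube-controller-manager",
    "system:kube-scheduler",
    "system:serviceaccount:kube-system:*",
    "eks:*",
    "aksService",
    "masterclient",
    "nodeclient",
    "system:serviceaccount:gke-managed-system:*",
    "system:serviceaccount:cert-manager:*",
    "system:serviceaccount:gatekeeper-system:*",
    "system:serviceaccount:kyverno:*",
    "system:serviceaccount:*:*-operator",
]

# Webhook object names excluded by the rule's objectRef.name clause.
EXCLUDED_NAMES = ["pod-identity-webhook", "vpc-resource-mutating-webhook", "eks-*", "gke-*"]


def _matches_any(value: str, patterns: list) -> bool:
    return any(fnmatchcase(value, p) for p in patterns)


def is_suspicious_webhook_change(event: dict) -> bool:
    """Return True when an audit event satisfies every clause of the rule."""
    audit = event.get("kubernetes", {}).get("audit", {})
    obj = audit.get("objectRef", {})
    user = event.get("user", {}).get("name")
    decision = audit.get("annotations", {}).get("authorization_k8s_io/decision")

    if obj.get("resource") not in WEBHOOK_RESOURCES:
        return False
    if audit.get("verb") not in WATCHED_VERBS:
        return False
    # Only requests the API server actually authorized changed anything.
    if decision != "allow":
        return False
    # user.name:(* and not (...)) -> field must exist and not match an exclusion.
    if not user or _matches_any(user, EXCLUDED_USERS):
        return False
    name = obj.get("name")
    if not name or _matches_any(name, EXCLUDED_NAMES):
        return False
    return True


def make_event(user, verb, resource, name, decision="allow") -> dict:
    """Build a minimal audit event in the assumed ECS-like shape (constructed)."""
    return {
        "user": {"name": user},
        "kubernetes": {"audit": {
            "verb": verb,
            "objectRef": {"resource": resource, "name": name},
            "annotations": {"authorization_k8s_io/decision": decision},
        }},
    }


# Constructed sample events covering the rule's main branches.
SAMPLE_EVENTS = [
    # Human identity registering a mutating webhook -> alert (sidecar injection risk).
    make_event("alice@example.com", "create", "mutatingwebhookconfigurations", "sidecar-injector"),
    # GKE-managed service account -> excluded identity.
    make_event("system:serviceaccount:gke-managed-system:ctrl", "patch",
               "validatingwebhookconfigurations", "validation-webhook"),
    # Non-excluded user, but an excluded (cloud-managed) object name.
    make_event("alice@example.com", "update", "mutatingwebhookconfigurations", "pod-identity-webhook"),
    # Human identity deleting a policy-enforcement webhook -> alert (defense evasion).
    make_event("bob@example.com", "delete", "validatingwebhookconfigurations",
               "gatekeeper-validating-webhook-configuration"),
    # Same attempt, but RBAC forbade it -> nothing changed, no alert.
    make_event("bob@example.com", "delete", "validatingwebhookconfigurations",
               "gatekeeper-validating-webhook-configuration", decision="forbid"),
    # Operator service account matched by the *:*-operator wildcard -> excluded.
    make_event("system:serviceaccount:istio-system:istio-operator", "create",
               "mutatingwebhookconfigurations", "istio-sidecar-injector"),
    # Unrelated resource -> ignored.
    make_event("alice@example.com", "create", "deployments", "web"),
]


def find_alerts(events: list) -> list:
    """Return the webhook object names of events that would fire the rule."""
    return [e["kubernetes"]["audit"]["objectRef"]["name"]
            for e in events if is_suspicious_webhook_change(e)]


if __name__ == "__main__":
    for name in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", name)
```

Running it reports only the two human-driven changes (`sidecar-injector` and `gatekeeper-validating-webhook-configuration`); the cloud-managed, operator and denied events fall through the same exclusions the KQL applies. Tuning for the false positives listed below amounts to extending `EXCLUDED_USERS` or `EXCLUDED_NAMES` with the identities your change tickets approve, which is the Python analogue of adding terms to the rule's `not (...)` groups.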

Install detection rules in Elastic Security

Detect Kubernetes Admission Webhook Created or Modified in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.