Kubernetes CoreDNS or Kube-DNS Configuration Modified

Last updated: 2026-05-07
Created: 2026-05-07

About

Detects modifications to the CoreDNS or kube-dns ConfigMap in the kube-system namespace. These ConfigMaps control cluster DNS resolution for all pods. An attacker who modifies the CoreDNS Corefile can redirect internal service DNS names to attacker-controlled IP addresses, enabling man-in-the-middle attacks against the Kubernetes API server, database services, and other internal endpoints. Pods that resolve service names via cluster DNS will transparently connect to the attacker instead of the legitimate service, allowing interception of service account tokens, database credentials, and API traffic. DNS poisoning at the cluster level is particularly dangerous because it affects every pod in every namespace simultaneously and does not require any modification to the victim workloads. CoreDNS configuration changes are rare in normal operations and any unexpected modification should be investigated immediately.
Tags
Data Source: Kubernetes
Domain: Kubernetes
Use Case: Threat Detection
Tactic: Impact
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Impact (TA0040)

False Positive Examples
Cluster administrators may legitimately update CoreDNS configuration for forwarding, stub domains, or cluster DNS troubleshooting. Baseline approved operators and automation identities; tune exclusions for known change pipelines.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-kubernetes.audit_logs-*
Related Integrations

kubernetes

Query
    data_stream.dataset:"kubernetes.audit_logs" and
    kubernetes.audit.objectRef.resource:"configmaps" and
    kubernetes.audit.objectRef.name:("coredns" or "kube-dns" or "coredns-custom") and
    kubernetes.audit.objectRef.namespace:"kube-system" and
    kubernetes.audit.verb:("update" or "patch" or "delete") and
    kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
    not user.name:(
      system\:serviceaccount\:kube-system\:coredns or
      system\:serviceaccount\:kube-system\:kube-dns or
      system\:node\:* or
      eks\:* or
      aksService or
      acsService
    )
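The following Python script is an added example, not part of this rule page or of the Elastic rule set. It re-implements the query's conditions clause by clause and runs them over a handful of constructed, ECS-shaped audit events, so you can see which events the rule would alert on, which ones its built-in exclusions suppress, and how the tuning advice in the False Positive Examples section (allowlisting an approved automation identity) changes the result. The field names are the ones the query uses; the nested-dict event shape, the `audit_event` helper, the `extra_allowlist` parameter and all user, node and ConfigMap names are assumptions made for the demonstration.

```python
"""Added example: the CoreDNS/kube-dns ConfigMap modification rule, re-expressed in
Python and evaluated against constructed Kubernetes audit events."""

from fnmatch import fnmatchcase

WATCHED_CONFIGMAPS = {"coredns", "kube-dns", "coredns-custom"}
WATCHED_VERBS = {"update", "patch", "delete"}

# Identities excluded by the rule's `not user.name:(...)` clause. The two
# wildcard entries use KQL's `*`, emulated here with fnmatch.
EXCLUDED_USER_PATTERNS = [
    "system:serviceaccount:kube-system:coredns",
    "system:serviceaccount:kube-system:kube-dns",
    "system:node:*",
    "eks:*",
    "aksService",
    "acsService",
]


def is_excluded_user(user_name, extra_allowlist=()):
    """True if user_name matches a rule exclusion or a site-specific allowlist pattern
    (extra_allowlist is an assumed tuning hook, not part of the rule)."""
    patterns = list(EXCLUDED_USER_PATTERNS) + list(extra_allowlist)
    return any(fnmatchcase(user_name, pattern) for pattern in patterns)


def matches_rule(event, extra_allowlist=()):
    """Evaluate one audit event against the rule's conditions, in query order."""
    if event.get("data_stream", {}).get("dataset") != "kubernetes.audit_logs":
        return False
    audit = event.get("kubernetes", {}).get("audit", {})
    ref = audit.get("objectRef", {})
    if ref.get("resource") != "configmaps":
        return False
    if ref.get("name") not in WATCHED_CONFIGMAPS:
        return False
    if ref.get("namespace") != "kube-system":
        return False
    if audit.get("verb") not in WATCHED_VERBS:
        return False
    # Only authorized writes count: a denied attempt never changed the Corefile.
    if audit.get("annotations", {}).get("authorization_k8s_io/decision") != "allow":
        return False
    return not is_excluded_user(event.get("user", {}).get("name", ""), extra_allowlist)


def audit_event(user, name, verb, namespace="kube-system", resource="configmaps", decision="allow"):
    """Build a constructed, ECS-shaped audit event (sample data, not real cluster output)."""
    return {
        "data_stream": {"dataset": "kubernetes.audit_logs"},
        "user": {"name": user},
        "kubernetes": {
            "audit": {
                "verb": verb,
                "objectRef": {"resource": resource, "name": name, "namespace": namespace},
                "annotations": {"authorization_k8s_io/decision": decision},
            }
        },
    }


# Constructed sample events: two should alert, the rest exercise each exclusion.
SAMPLE_EVENTS = [
    audit_event("kubernetes-admin", "coredns", "patch"),                       # alert
    audit_event("system:serviceaccount:kube-system:coredns", "coredns", "update"),  # excluded SA
    audit_event("system:node:ip-10-0-1-23.example.internal", "coredns", "update"),  # excluded node
    audit_event("eks:cluster-ops", "coredns", "patch"),                        # excluded eks:* identity
    audit_event("kubernetes-admin", "my-app-config", "patch"),                 # not a DNS ConfigMap
    audit_event("jdoe", "coredns-custom", "delete", decision="forbid"),        # request was denied
    audit_event("system:serviceaccount:gitops:flux-controller", "coredns", "update"),  # alert until tuned
    audit_event("kubernetes-admin", "coredns", "get"),                         # read-only verb
]


def run_detection(events, extra_allowlist=()):
    """Return (user, verb, configmap) for every event the rule would alert on."""
    alerts = []
    for event in events:
        if matches_rule(event, extra_allowlist):
            audit = event["kubernetes"]["audit"]
            alerts.append((event["user"]["name"], audit["verb"], audit["objectRef"]["name"]))
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print("ALERT", alert)
    # Tuning per the False Positive Examples section: allowlist an approved GitOps identity.
    print("after tuning:", run_detection(SAMPLE_EVENTS, extra_allowlist=["system:serviceaccount:gitops:*"]))
```

Untuned, the script reports the `kubernetes-admin` patch and the GitOps service account's update; adding a pattern for the approved automation identity to `extra_allowlist` leaves only the human operator's change, which is the kind of event the rule exists to surface. In Kibana the equivalent tuning is an additional `not user.name:` term or a rule exception, not a code change.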

Install detection rules in Elastic Security

Detect Kubernetes CoreDNS or Kube-DNS Configuration Modified in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.