Skip to content

Hide Navigation Hide TOC

RBAC Permission Enumeration Attempt (84b777bd-c946-4d17-aa2e-c39f5a454325)

Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command. This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.

Cluster A Galaxy A Cluster B Galaxy B Level
RBAC Permission Enumeration Attempt (84b777bd-c946-4d17-aa2e-c39f5a454325) Sigma-Rules Cloud Groups - T1069.003 (16e94db9-b5b1-4cd0-b851-f38fbd0a70f2) Attack Pattern 1
RBAC Permission Enumeration Attempt (84b777bd-c946-4d17-aa2e-c39f5a454325) Sigma-Rules Cloud Account - T1087.004 (8f104855-e5b7-4077-b1f5-bc3103b41abe) Attack Pattern 1
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern Cloud Groups - T1069.003 (16e94db9-b5b1-4cd0-b851-f38fbd0a70f2) Attack Pattern 2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Cloud Account - T1087.004 (8f104855-e5b7-4077-b1f5-bc3103b41abe) Attack Pattern 2