Skip to content

Hide Navigation Hide TOC

Azure Kubernetes Admission Controller (a61a3c56-4ce2-4351-a079-88ae4cbd2b58)

Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Cluster A Galaxy A Cluster B Galaxy B Level
Azure Kubernetes Admission Controller (a61a3c56-4ce2-4351-a079-88ae4cbd2b58) Sigma-Rules Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 1
Azure Kubernetes Admission Controller (a61a3c56-4ce2-4351-a079-88ae4cbd2b58) Sigma-Rules Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 1
Azure Kubernetes Admission Controller (a61a3c56-4ce2-4351-a079-88ae4cbd2b58) Sigma-Rules Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436) Attack Pattern 1
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436) Attack Pattern 2