Kubernetes Anonymous User Bound to ClusterRole
Detects creation of a ClusterRoleBinding that assigns permissions to "system:anonymous" or "system:unauthenticated", effectively allowing unauthenticated access to Kubernetes resources and potentially enabling cluster compromise.
Rule type: query
Rule indices:
- logs-kubernetes.audit_logs-*
Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from:
Maximum alerts per execution: 100
References:
- https://heilancoos.github.io/research/2025/12/16/kubernetes.html#overly-permissive-role-based-access-control
Tags:
- Data Source: Kubernetes
- Domain: Kubernetes
- Use Case: Threat Detection
- Tactic: Persistence
- Tactic: Privilege Escalation
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query:
event.dataset:"kubernetes.audit_logs" and
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
kubernetes.audit.objectRef.resource:"clusterrolebindings" and
kubernetes.audit.verb:"create" and (
kubernetes.audit.responseObject.subjects.name:("system:anonymous" or "system:unauthenticated") or
kubernetes.audit.requestObject.subjects.name:("system:anonymous" or "system:unauthenticated")
)
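As an added example (not part of the Elastic rule or its Kubernetes integration), the query's logic restated in Python and run over constructed audit records; the last record shows the blind spot where an audit policy at Metadata level omits requestObject and responseObject, so the rule has no subject names to match against. Field names follow the rule above; the event records and binding names are constructed.

```python
import json
FLAGGED_SUBJECTS = {"system:anonymous", "system:unauthenticated"}

def _event(verb, decision, resource, name, request=None, response=None):
    """Build a constructed ECS-shaped Kubernetes audit record (not a real log line)."""
    audit = {"verb": verb, "objectRef": {"resource": resource, "name": name},
             "annotations": {"authorization_k8s_io/decision": decision}}
    if request is not None:
        audit["requestObject"] = {"subjects": request}
    if response is not None:
        audit["responseObject"] = {"subjects": response}
    return json.dumps({"event": {"dataset": "kubernetes.audit_logs"},
                       "kubernetes": {"audit": audit}})

# Constructed sample events, one JSON document per line as the integration ingests them.
SAMPLE_LINES = [
    # Alerts: the anonymous user is bound via the request body.
    _event("create", "allow", "clusterrolebindings", "anon-admin",
           request=[{"kind": "User", "name": "system:anonymous"}]),
    # Alerts: the unauthenticated group appears only in the API server's response.
    _event("create", "allow", "clusterrolebindings", "unauth-viewer",
           response=[{"kind": "Group", "name": "system:unauthenticated"}]),
    # Benign: an ordinary service-account binding.
    _event("create", "allow", "clusterrolebindings", "ci-deployer",
           request=[{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]),
    # Not an alert: RBAC denied the request, so nothing was bound.
    _event("create", "forbid", "clusterrolebindings", "anon-admin",
           request=[{"kind": "User", "name": "system:anonymous"}]),
    # Blind spot: Metadata-level auditing drops both objects, so subjects are invisible.
    _event("create", "allow", "clusterrolebindings", "anon-admin-metadata-only"),
]

def subject_names(obj):
    """Subject names from a request/response object, tolerating a missing object."""
    return {s.get("name") for s in (obj or {}).get("subjects", []) if isinstance(s, dict)}

def matches_rule(event):
    """Python equivalent of the rule's KQL: True when the event would raise an alert."""
    audit = event.get("kubernetes", {}).get("audit", {})
    names = subject_names(audit.get("requestObject")) | subject_names(audit.get("responseObject"))
    return (event.get("event", {}).get("dataset") == "kubernetes.audit_logs"
            and audit.get("annotations", {}).get("authorization_k8s_io/decision") == "allow"
            and audit.get("objectRef", {}).get("resource") == "clusterrolebindings"
            and audit.get("verb") == "create"
            and bool(names & FLAGGED_SUBJECTS))

def scan(lines):
    """Return the objectRef names of ClusterRoleBindings that trigger the rule."""
    return [json.loads(l)["kubernetes"]["audit"]["objectRef"]["name"]
            for l in lines if matches_rule(json.loads(l))]
```

Because the rule depends on requestObject or responseObject being present, confirm the cluster's audit policy logs clusterrolebindings at the Request or RequestResponse level; at Metadata level the last sample record is silently missed.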
Framework: MITRE ATT&CK
Tactic:
- Name: Persistence
- Id: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Account Manipulation
- Id: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/
Sub Technique:
- Name: Additional Container Cluster Roles
- Id: T1098.006
- Reference URL: https://attack.mitre.org/techniques/T1098/006/
Framework: MITRE ATT&CK
Tactic:
- Name: Privilege Escalation
- Id: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Account Manipulation
- Id: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/
Sub Technique:
- Name: Additional Container Cluster Roles
- Id: T1098.006
- Reference URL: https://attack.mitre.org/techniques/T1098/006/