ioc[.]one - OSINT Cyber Threat Intelligence Database

Kubernetes Threat Hunting using API Server Audit Logs

Tags

cmtmf-attack-pattern:

Masquerading Scheduled Task/Job

attack-pattern:

Data Direct Additional Container Cluster Roles - T1098.006 Adversary-In-The-Middle - T1638 Adversary-In-The-Middle - T1557 Container Administration Command - T1609 Container And Resource Discovery - T1613 Container Api - T1552.007 Container Orchestration Job - T1053.007 Container Service - T1543.005 Credentials - T1589.001 Cron - T1053.003 Data Destruction - T1662 Data Destruction - T1485 Deploy Container - T1610 Dns - T1071.004 Dns - T1590.002 Dns Poisoning - T1382 Escape To Host - T1611 Implant Internal Image - T1525 Ip Addresses - T1590.005 Masquerading - T1655 Match Legitimate Name Or Location - T1036.005 Match Legitimate Name Or Location - T1655.001 Scheduled Task/Job - T1603 Server - T1583.004 Server - T1584.004 Software - T1592.002 Steal Application Access Token - T1528 Unsecured Credentials - T1552 Tool - T1588.002 Vulnerabilities - T1588.006 Account Manipulation - T1098 Connection Proxy - T1090 External Remote Services - T1133 Indicator Removal On Host - T1070 Masquerading - T1036 Scheduled Task - T1053 Data Destruction Masquerading

Show in Graph

Common Information

Type	Value
UUID	11474c9b-31f5-458a-82da-ece91a757a2c
Fingerprint	ae3adb913fb32785
Analysis status	DONE
Considered CTI value	2
Text language
Published	April 15, 2025, 11:18 a.m.
Added to db	April 15, 2025, 2:09 p.m.
Last updated	April 17, 2025, 12:09 a.m.
Headline	Kubernetes Threat Hunting using API Server Audit Logs
Title	Kubernetes Threat Hunting using API Server Audit Logs
Detected Hints/Tags/Attributes	121/2/14

Source URLs

	Redirection	Url
Details	Source	https://www.logpoint.com/en/blog/emerging-threats/kubernetes-threat-hunting-using-api-server-audit-logs/
Details	Source	https://malware.news/t/kubernetes-threat-hunting-using-api-server-audit-logs/93191

URL Provider

Details	Provider	Source level domain
Details	logpoint.com	www.logpoint.com
Details	malware.news	malware.news

RSS Feed

Details	Id	Enabled	Feed title	Url	Added to db
Details	158	✔	Malware Analysis, News and Indicators - Latest topics	https://malware.news/latest.rss	2024-08-30 22:08
Details	327	✔	Logpoint	https://www.logpoint.com/en/feed/	2024-08-30 22:08

Attributes

Details	Type	#Events	CTI	Value
Details	MITRE ATT&CK Techniques	226		T1133
Details	MITRE ATT&CK Techniques	13		T1609
Details	MITRE ATT&CK Techniques	19		T1610
Details	MITRE ATT&CK Techniques	1		T1053.007
Details	MITRE ATT&CK Techniques	6		T1525
Details	MITRE ATT&CK Techniques	2		T1098.006
Details	MITRE ATT&CK Techniques	16		T1611
Details	MITRE ATT&CK Techniques	270		T1070
Details	MITRE ATT&CK Techniques	406		T1036
Details	MITRE ATT&CK Techniques	2		T1552.007
Details	MITRE ATT&CK Techniques	49		T1528
Details	MITRE ATT&CK Techniques	5		T1613
Details	MITRE ATT&CK Techniques	29		T1557
Details	MITRE ATT&CK Techniques	115		T1485