Defense Evasion: Manually Deleted Certificate Signing Request (CSR)

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Overview

Someone manually deleted a certificate signing request (CSR). CSRs are automatically removed by a garbage collection controller, but malicious actors might manually delete them to evade detection. If the deleted CSR was for an approved and issued certificate, the potentially malicious actor now has an additional authentication method to access the cluster. The permissions associated with the certificate vary depending on which subject they included, but can be highly privileged. Kubernetes does not support certificate revocation. For more details, see the log message for this alert.

Event Threat Detection is the source of this finding.

How to respond

The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.

To respond to this finding, do the following:

  1. Review the audit logs in Cloud Logging and additional alerts for other events related to this CSR to determine if the CSR was approved and if the CSR creation was expected activity by the principal.
  2. Determine whether there are other signs of malicious activity by the principal in the audit logs in Cloud Logging. For example:
    • Was the principal who deleted the CSR different from the one who created or approved it?
    • Has the principal tried requesting, creating, approving, or deleting other CSRs?
  3. If a CSR approval was not expected, or is determined to be malicious, the cluster will require a credential rotation to invalidate the certificate. Review the guidance for performing a rotation of your cluster credentials.

What's next