Kubernetes Denied Service Account Request
This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/09/13"
3integration = ["kubernetes"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule detects when a service account makes an unauthorized request for resources from the API server. Service
11accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to
12the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may
13have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate
14further movement or execution within the cluster.
15"""
16false_positives = [
17 """
18 Unauthorized requests from service accounts are highly abnormal and more indicative of human behavior or a serious
19 problem within the cluster. This behavior should be investigated further.
20 """,
21]
22index = ["logs-kubernetes.*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Kubernetes Denied Service Account Request"
26note = """## Setup
27
28The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
29references = [
30 "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections",
31 "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens",
32]
33risk_score = 47
34rule_id = "63c056a0-339a-11ed-a261-0242ac120002"
35severity = "medium"
36tags = ["Data Source: Kubernetes", "Tactic: Discovery"]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41event.dataset: "kubernetes.audit_logs"
42 and kubernetes.audit.user.username: system\:serviceaccount\:*
43 and kubernetes.audit.annotations.authorization_k8s_io/decision: "forbid"
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1613"
51name = "Container and Resource Discovery"
52reference = "https://attack.mitre.org/techniques/T1613/"
53
54
55[rule.threat.tactic]
56id = "TA0007"
57name = "Discovery"
58reference = "https://attack.mitre.org/tactics/TA0007/"
Setup
The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.
References
-
Written by Ben Lister and Kane Ryans This blog post details the collaboration between NCC Group’s Detection Engineering team and our Containerisation team in tackling detection engineering for Kube...
Read More -
This page provides an overview of authentication. Users in Kubernetes All Kubernetes clusters have two categories of users: service accounts managed by Kubernetes, and normal users. It is assumed that a cluster-independent service manages normal users in the following ways: an administrator distributing private keys a user store like Keystone or Google Accounts a file with a list of usernames and passwords In this regard, Kubernetes does not have objects which represent normal user accounts.
Read More
Related rules
- Kubernetes Suspicious Self-Subject Review
- Azure Blob Container Access Level Modification
- Enumeration of Users or Groups via Built-in Commands
- Hping Process Activity
- Kubernetes Anonymous Request Authorized