Kubernetes Denied Service Account Request

This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.

Elastic rule

[metadata]
creation_date = "2022/09/13"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule detects when a service account makes an unauthorized request for resources from the API server. Service
accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to
the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may
have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate
further movement or execution within the cluster.
"""
false_positives = [
    """
    Unauthorized requests from service accounts are highly abnormal and more indicative of human behavior or a serious
    problem within the cluster. This behavior should be investigated further.
    """,
]
index = ["logs-kubernetes.*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes Denied Service Account Request"
note = """## Setup

The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
references = [
    "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections",
    "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens",
]
risk_score = 47
rule_id = "63c056a0-339a-11ed-a261-0242ac120002"
severity = "medium"
tags = ["Data Source: Kubernetes", "Tactic: Discovery"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "kubernetes.audit_logs"
  and kubernetes.audit.user.username: system\:serviceaccount\:*
  and kubernetes.audit.annotations.authorization_k8s_io/decision: "forbid"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
reference = "https://attack.mitre.org/techniques/T1613/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
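To see exactly which audit events the three query conditions above select, here is an added Python example (not Elastic's code) that applies the same logic to constructed audit documents shaped like the integration's `kubernetes.audit_logs` records; the field paths, the `system:serviceaccount:` prefix and the `authorization_k8s_io/decision` annotation key come from the rule, while the sample principals, verbs and resources are invented for illustration.

```python
# Added example (not Elastic's code): evaluates the rule's three KQL conditions
# against constructed audit events flattened the way the Kubernetes integration
# flattens them ('authorization.k8s.io/decision' -> 'authorization_k8s_io/decision').
from typing import Any

SERVICE_ACCOUNT_PREFIX = "system:serviceaccount:"

def get_path(doc: dict, path: str) -> Any:
    """Walk a dotted field path; return None if any segment is missing."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def is_denied_service_account_request(doc: dict) -> bool:
    """Mirror the rule query: audit dataset, SA principal, authz decision 'forbid'."""
    username = get_path(doc, "kubernetes.audit.user.username")
    decision = get_path(doc, "kubernetes.audit.annotations.authorization_k8s_io/decision")
    return (get_path(doc, "event.dataset") == "kubernetes.audit_logs"
            and isinstance(username, str) and username.startswith(SERVICE_ACCOUNT_PREFIX)
            and decision == "forbid")

def audit_event(dataset, username, decision, verb, resource) -> dict:
    """Build a constructed audit document carrying only the fields the rule reads."""
    return {"event": {"dataset": dataset},
            "kubernetes": {"audit": {"user": {"username": username}, "verb": verb,
                                     "objectRef": {"resource": resource},
                                     "annotations": {"authorization_k8s_io/decision": decision}}}}

# Constructed sample: one denied SA request among permitted and non-SA traffic.
SAMPLE_EVENTS = [
    audit_event("kubernetes.audit_logs", "system:serviceaccount:default:web-app", "forbid", "list", "secrets"),
    audit_event("kubernetes.audit_logs", "system:serviceaccount:default:web-app", "allow", "get", "configmaps"),
    audit_event("kubernetes.audit_logs", "alice@example.com", "forbid", "delete", "pods"),
    audit_event("kubernetes.container_logs", "system:serviceaccount:kube-system:coredns", "forbid", "list", "endpoints"),
]

def find_alerts(events: list) -> list:
    """Return (username, verb, resource) for every event the rule would alert on."""
    return [(get_path(e, "kubernetes.audit.user.username"),
             get_path(e, "kubernetes.audit.verb"),
             get_path(e, "kubernetes.audit.objectRef.resource"))
            for e in events if is_denied_service_account_request(e)]

if __name__ == "__main__":
    for sa, verb, res in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {sa} was forbidden to {verb} {res}")
```

Only the first sample fires: the permitted request, the denied human user and the non-audit dataset are all outside the rule's scope, which is why a hit is worth triaging as a possible token compromise rather than tuning away.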

Setup

The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.
