Kubernetes API Request Impersonating Privileged Identity
Detects Kubernetes API requests where a user is impersonating a privileged cluster identity such as system:kube-controller-manager, system:admin, system:anonymous, or a member of the system:masters group. These identities have broad cluster-wide permissions including unrestricted access to all secrets, the ability to create tokens for any service account, schedule pods on any node, and modify RBAC policies. An attacker impersonating system:masters gains full cluster-admin equivalent access, while impersonating system:kube-controller-manager grants access to every secret in every namespace and the ability to mint service account tokens for lateral movement.
Elastic rule
[metadata]
creation_date = "2026/05/05"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2026/05/05"

[rule]
author = ["Elastic"]
description = """
Detects Kubernetes API requests where a user is impersonating a privileged cluster identity such as
system:kube-controller-manager, system:admin, system:anonymous, or a member of the system:masters group. These
identities have broad cluster-wide permissions including unrestricted access to all secrets, the ability to create
tokens for any service account, schedule pods on any node, and modify RBAC policies. An attacker impersonating
system:masters gains full cluster-admin equivalent access, while impersonating system:kube-controller-manager
grants access to every secret in every namespace and the ability to mint service account tokens for lateral
movement.
"""
false_positives = [
    """
    Break-glass admin tooling, security scanners, or approved controllers that legitimately use impersonation with
    privileged targets may match if not covered by exclusions. Map expected callers and expand `not user.name`
    filters as needed for your environment.
    """,
]
from = "now-9m"
index = ["logs-kubernetes.audit_logs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes API Request Impersonating Privileged Identity"
note = """## Triage and analysis

### Investigating Kubernetes API Request Impersonating Privileged Identity

Compare the real actor (user.name, groups, source.ip, user_agent.original) with impersonated
fields (kubernetes.audit.impersonatedUser.username, kubernetes.audit.impersonatedUser.groups). Confirm whether
impersonation is authorized for that principal and target identity.

### Possible investigation steps

- Review kubernetes.audit.requestURI, kubernetes.audit.verb, and kubernetes.audit.objectRef for the scope of the
  operation performed while impersonating.
- Determine whether the real user or service account should have impersonate rights against the impersonated user
  or group; inspect RBAC impersonate verb bindings and any recent changes.
- Correlate with adjacent audit activity (secrets, tokens, RBAC writes, CSR approval) from the same source identity.
- Hunt for repeated impersonation across namespaces or rapid pivoting after the event.

### Response and remediation

- Revoke or tighten impersonate permissions for unexpected identities; rotate credentials for any account that may
  have abused impersonation.
- If unauthorized, treat as cluster-wide credential risk: review secrets exposure, issued tokens, and RBAC drift;
  engage incident response per policy.
"""
references = [
    "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation",
]
risk_score = 73
rule_id = "abb7bc31-b865-4318-80a9-b9ee4edd57b6"
severity = "high"
tags = [
    "Data Source: Kubernetes",
    "Domain: Kubernetes",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:kubernetes.audit_logs and
kubernetes.audit.impersonatedUser.username:(* and not ("eks-event-service:event-controller" or eks\:*)) and
kubernetes.audit.annotations.authorization_k8s_io/decision:allow and
kubernetes.audit.verb:(create or delete or get or list or patch or update) and
(kubernetes.audit.impersonatedUser.username:(admin or cluster-admin or kubernetes-admin or "system:admin" or "system:anonymous" or "system:apiserver" or "system:kube-controller-manager" or "system:kube-proxy" or "system:kube-scheduler" or "system:volume-scheduler" or system\:node\:* or system\:serviceaccount\:kube-system\:*) or kubernetes.audit.impersonatedUser.groups:(cluster-admin or "system:cluster-admins" or "system:masters")) and
not user.name:(acsService or aksService or masterclient or nodeclient or "system:kube-controller-manager" or "system:kube-scheduler" or arn\:aws\:iam\:*\:role/aws-service-role* or arn\:aws\:sts\:*\:assumed-role/AWSServiceRoleForAmazonEKS* or arn\:aws\:sts\:*\:assumed-role/AWSServiceRoleForAmazonEKSNodegroup* or eks\:* or system\:node\:* or system\:serviceaccount\:kube-system\:*)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
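The query's clauses re-implemented as a standalone Python matcher, an added example that is not part of the Elastic rule or its repository. It assumes raw audit.k8s.io/v1 events with native field names (user.username, impersonatedUser.username, annotations) rather than the ECS-mapped names used in the KQL, and the sample events are constructed.

```python
# Added example (not from the Elastic rule): the query's clauses over raw audit.k8s.io/v1 events.
import fnmatch

# Impersonation targets the query treats as privileged.
PRIV_USERS = {"admin", "cluster-admin", "kubernetes-admin", "system:admin", "system:anonymous",
              "system:apiserver", "system:kube-controller-manager", "system:kube-proxy",
              "system:kube-scheduler", "system:volume-scheduler"}
PRIV_USER_GLOBS = ["system:node:*", "system:serviceaccount:kube-system:*"]
PRIV_GROUPS = {"cluster-admin", "system:cluster-admins", "system:masters"}
# Impersonated usernames the query ignores (EKS-internal controllers).
IGNORED_TARGETS, IGNORED_TARGET_GLOBS = {"eks-event-service:event-controller"}, ["eks:*"]
# Real callers the query excludes: control-plane components and managed-service roles
# (the AmazonEKS* glob also covers the query's separate AmazonEKSNodegroup* pattern).
EXCLUDED_ACTORS = {"acsService", "aksService", "masterclient", "nodeclient",
                   "system:kube-controller-manager", "system:kube-scheduler"}
EXCLUDED_ACTOR_GLOBS = ["arn:aws:iam:*:role/aws-service-role*", "eks:*", "system:node:*",
                        "arn:aws:sts:*:assumed-role/AWSServiceRoleForAmazonEKS*",
                        "system:serviceaccount:kube-system:*"]
VERBS = {"create", "delete", "get", "list", "patch", "update"}  # the query omits watch

def _glob_any(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def matches_rule(event: dict) -> bool:
    """True when an audit event satisfies every clause of the rule's query."""
    imp = event.get("impersonatedUser") or {}
    target = imp.get("username")  # KQL `username:*` requires the field to exist
    if not target or target in IGNORED_TARGETS or _glob_any(target, IGNORED_TARGET_GLOBS):
        return False
    if (event.get("annotations") or {}).get("authorization.k8s.io/decision") != "allow":
        return False
    if event.get("verb") not in VERBS:
        return False
    privileged = (target in PRIV_USERS or _glob_any(target, PRIV_USER_GLOBS)
                  or bool(PRIV_GROUPS & set(imp.get("groups") or [])))
    actor = (event.get("user") or {}).get("username", "")  # ECS user.name
    return privileged and not (actor in EXCLUDED_ACTORS or _glob_any(actor, EXCLUDED_ACTOR_GLOBS))

# Constructed sample events; only the first should alert.
ALLOW = {"authorization.k8s.io/decision": "allow"}
SAMPLE_EVENTS = [
    {"user": {"username": "alice@example.com"}, "verb": "list", "annotations": ALLOW,
     "impersonatedUser": {"username": "bob", "groups": ["system:masters"]}},  # alert
    {"user": {"username": "system:kube-controller-manager"}, "verb": "create", "annotations": ALLOW,
     "impersonatedUser": {"username": "system:serviceaccount:kube-system:ns-controller"}},  # excluded actor
    {"user": {"username": "alice@example.com"}, "verb": "get", "annotations": ALLOW,
     "impersonatedUser": {"username": "bob", "groups": ["developers"]}},  # target not privileged
    {"user": {"username": "alice@example.com"}, "verb": "get", "impersonatedUser": {"username":
     "system:kube-controller-manager"}, "annotations": {"authorization.k8s.io/decision": "forbid"}},
]
```

Running `[matches_rule(e) for e in SAMPLE_EVENTS]` yields `[True, False, False, False]`; the allow-decision clause means a denied impersonation attempt is deliberately outside this rule's scope.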
Related rules
- Kubernetes Ephemeral Container Added to Pod
- EKS Authentication Configuration Modified
- Kubernetes API Server Proxying Request to Kubelet
- Kubernetes Client Certificate Signing Request Created or Approved
- Kubernetes Admission Webhook Created or Modified