New Kubernetes Service Account Created

Detects creation of a new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.

Sigma rule

title: New Kubernetes Service Account Created
id: e31bae15-83ed-473e-bf31-faf4f8a17d36
related:
    - id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
      type: derived
status: test
description: |
        Detects creation of a new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.persistence
    - attack.t1136
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'serviceaccounts'
    condition: selection
falsepositives:
    - Unknown
level: low
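As an added worked example (not part of the rule above or of the Sigma project), the following Python applies the rule's selection (verb create AND objectRef.resource serviceaccounts) to a handful of constructed audit.k8s.io/v1 events in the JSON-lines form the API server writes, and then applies a tuned variant beside it. The sample events, the helper names and the three extra filters in the tuned matcher (ResponseComplete stage only, no subresource, HTTP 2xx response) are assumptions of this example, not part of the published rule.

```python
import json
from typing import Any, Callable, Dict, List, Optional

# Constructed sample audit log (JSON lines), not output from a real cluster.
# Field names follow the audit.k8s.io/v1 Event schema; users, names and IDs are made up.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"RequestReceived","verb":"create","user":{"username":"jane"},"objectRef":{"resource":"serviceaccounts","namespace":"prod","apiVersion":"v1"},"requestURI":"/api/v1/namespaces/prod/serviceaccounts"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"create","user":{"username":"jane"},"objectRef":{"resource":"serviceaccounts","namespace":"prod","apiVersion":"v1","name":"backup-agent"},"requestURI":"/api/v1/namespaces/prod/serviceaccounts","responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"get","user":{"username":"jane"},"objectRef":{"resource":"serviceaccounts","namespace":"prod","apiVersion":"v1","name":"default"},"requestURI":"/api/v1/namespaces/prod/serviceaccounts/default","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"create","user":{"username":"jane"},"objectRef":{"resource":"pods","namespace":"prod","apiVersion":"v1","name":"debug"},"requestURI":"/api/v1/namespaces/prod/pods","responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","verb":"create","user":{"username":"bob"},"objectRef":{"resource":"serviceaccounts","namespace":"kube-system","apiVersion":"v1","name":"helper"},"requestURI":"/api/v1/namespaces/kube-system/serviceaccounts","responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a5","stage":"ResponseComplete","verb":"create","user":{"username":"ci-runner"},"objectRef":{"resource":"serviceaccounts","subresource":"token","namespace":"prod","apiVersion":"v1","name":"deployer"},"requestURI":"/api/v1/namespaces/prod/serviceaccounts/deployer/token","responseStatus":{"code":201}}
"""


def parse_audit_log(text: str) -> List[Dict[str, Any]]:
    """Parse JSON-lines audit output into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def get_path(event: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve a Sigma-style dotted field name ('objectRef.resource') against a nested dict."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def sigma_selection_matches(event: Dict[str, Any]) -> bool:
    """Literal translation of the rule's selection: verb == create AND objectRef.resource == serviceaccounts."""
    return (
        get_path(event, "verb") == "create"
        and get_path(event, "objectRef.resource") == "serviceaccounts"
    )


def refined_match(event: Dict[str, Any]) -> bool:
    """The same selection plus three filters this example adds (assumptions, not part of the published rule):
    - only the ResponseComplete stage, so one API call yields one alert instead of two;
    - no subresource, so TokenRequest calls (POST .../serviceaccounts/<name>/token) are not counted
      as account creation;
    - only successful (2xx) responses, so a denied creation attempt does not look like a new account.
    """
    if not sigma_selection_matches(event):
        return False
    if get_path(event, "stage") != "ResponseComplete":
        return False
    if get_path(event, "objectRef.subresource"):
        return False
    code = get_path(event, "responseStatus.code")
    return isinstance(code, int) and 200 <= code < 300


def run_rule(text: str, matcher: Callable[[Dict[str, Any]], bool]) -> List[Dict[str, Optional[Any]]]:
    """Run a matcher over an audit log and return the fields an analyst would want per hit."""
    hits = []
    for event in parse_audit_log(text):
        if matcher(event):
            hits.append({
                "auditID": get_path(event, "auditID"),
                "stage": get_path(event, "stage"),
                "user": get_path(event, "user.username"),
                "namespace": get_path(event, "objectRef.namespace"),
                "name": get_path(event, "objectRef.name"),
                "code": get_path(event, "responseStatus.code"),
            })
    return hits


if __name__ == "__main__":
    for label, matcher in (("literal rule", sigma_selection_matches), ("refined", refined_match)):
        print(f"== {label} ==")
        for hit in run_rule(SAMPLE_AUDIT_LOG, matcher):
            print(hit)
```

Run as-is, the literal selection fires four times on the sample: twice for auditID a1 (the API server emits a RequestReceived and a ResponseComplete entry for the same call), once for the 403-denied attempt a4, and once for a5, which is a TokenRequest on the `token` subresource (what `kubectl create token` does) rather than a new account. The refined matcher reports only the one successful creation. Whichever form is used, the audit policy has to record serviceaccounts at level Metadata or higher; at level None there is no objectRef to match on.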
