New Kubernetes Service Account Created
Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
Sigma rule (View on GitHub)
1title: New Kubernetes Service Account Created
2id: e31bae15-83ed-473e-bf31-faf4f8a17d36
3related:
4 - id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
5 type: derived
6status: test
7description: |
8 Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
9references:
10 - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
11author: Leo Tsaousis (@laripping)
12date: 2024-03-26
13tags:
14 - attack.persistence
15 - attack.t1136
16logsource:
17 category: application
18 product: kubernetes
19 service: audit
20detection:
21 selection:
22 verb: 'create'
23 objectRef.resource: 'serviceaccounts'
24 condition: selection
25falsepositives:
26 - Unknown
27level: low
References
-
Container service account Service account (SA) represents an application identity in Kubernetes. By default, a Service Account access token is mounted to every created pod in the cluster and contai...
Read More
Related rules
- AWS ElastiCache Security Group Created
- Suspicious 'Admin' Local User Creation with Net Command
- Suspicious SQL Query
- Windows LAPS Credential Dump From Entra ID
- Kapeka Backdoor Configuration Persistence