New Kubernetes Service Account Created
Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
Sigma rule (View on GitHub)
1title: New Kubernetes Service Account Created
2id: e31bae15-83ed-473e-bf31-faf4f8a17d36
3related:
4 - id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
5 type: derived
6status: experimental
7description: |
8 Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
9references:
10 - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
11author: Leo Tsaousis (@laripping)
12date: 2024/03/26
13tags:
14 - attack.t1136
15logsource:
16 category: application
17 product: kubernetes
18 service: audit
19detection:
20 selection:
21 verb: 'create'
22 objectRef.resource: 'serviceaccounts'
23 condition: selection
24falsepositives:
25 - Unknown
26level: low
References
-
Container service account Service account (SA) represents an application identity in Kubernetes. By default, a Service Account access token is mounted to every created pod in the cluster and contai...
Read More
Related rules
- NIM Pass The Hash Tooling Detection
- AWS ElastiCache Security Group Created
- ESXi Account Creation Via ESXCLI
- Suspicious 'Admin' Local User Creation with Net Command
- Default Account Usage