Kubernetes Denied Service Account Request via Unusual User Agent
A Kubernetes service account made an unauthorized request to the API server using an unusual user agent, potentially indicating compromised credentials used for resource discovery or lateral movement.
This detection rule identifies suspicious activity within Kubernetes clusters where a service account makes an unauthorized request to the API server, utilizing a user agent that deviates from established patterns. Kubernetes service accounts typically exhibit predictable behavior, and deviations, especially unauthorized requests, can indicate compromised credentials or cluster misconfigurations. Attackers may exploit such access to discover resources within the cluster, facilitating further movement or execution. The rule aims to detect these anomalies by flagging unauthorized API requests from service accounts associated with unusual user agents, potentially signaling security breaches or misconfigurations. The monitored behavior is when an audit log is created by a service account that is denied with an unusual user agent.
Attack Chain
- An attacker gains unauthorized access to a Kubernetes service account's credentials.
- The attacker uses these credentials to send a request to the Kubernetes API server.
- The request targets sensitive information or resources within the cluster.
- The API server denies the request due to insufficient privileges or policy restrictions.
- The request is logged in the Kubernetes audit logs, including the user agent used.
- A detection rule identifies the unauthorized request based on the service account and user agent.
- The security team investigates the alert, looking for further malicious activity.
- The attacker's goal is to enumerate resources and potentially gain further access within the Kubernetes environment.
Impact
A successful attack could allow unauthorized enumeration of Kubernetes resources. The impact is potentially lower due to the request being denied, but the attempt indicates a potential compromise. The blast radius depends on the permissions and access the compromised service account has within the cluster. The primary sector impacted is cloud infrastructure.
Recommendation
- Deploy the Sigma rule
Kubernetes Unusual Service Account User Agentto your SIEM and tune for your environment to detect unusual user agents (rules). - Investigate alerts triggered by the
Kubernetes Unusual Service Account User AgentSigma rule by reviewing the specific service account involved to determine if it was used legitimately or not (rules). - Review the configuration of RBAC policies to ensure service accounts have the minimum necessary permissions, as mentioned in the investigation guide (note).
- Implement enhanced monitoring and alerting for similar unauthorized access attempts to improve detection and response times for future incidents, improving overall cluster security (note).
Detection coverage 2
Kubernetes Unusual Service Account User Agent
mediumDetects unauthorized requests from Kubernetes service accounts with unusual user agents.
Kubernetes Forbid Events with User Agent
lowDetects forbid events in kubernetes audit logs with user agent
Detection queries are available on the platform. Get full rules →