Kubernetes Suspicious Self-Subject Review via Unusual User Agent
The rule detects when a service account or node attempts to enumerate its permissions using selfsubjectaccessreview/rulesreview APIs with an unusual user agent, potentially indicating credential compromise and reconnaissance in a Kubernetes cluster.
This detection rule identifies suspicious behavior within Kubernetes environments where service accounts or nodes attempt to enumerate their own permissions using the selfsubjectaccessreview or selfsubjectrulesreview APIs with an unusual user agent. This activity is considered anomalous for non-human identities like service accounts and nodes, suggesting a potential compromise. An attacker might leverage compromised credentials or tokens to assess their privileges within the cluster, enabling further movement or execution. The rule focuses on detecting unusual user agents associated with these API calls, providing an alert when such activity is observed. This activity is useful for attackers after initial compromise, as it allows them to determine the scope of their access in the cluster. The rule was last updated on March 3, 2026.
Attack Chain
- An attacker gains initial access to a Kubernetes cluster by compromising a service account or node.
- The attacker uses the compromised credentials to authenticate to the Kubernetes API server.
- The attacker attempts to determine the permissions associated with the compromised account.
- The attacker sends a
selfsubjectaccessrevieworselfsubjectrulesreviewAPI request to the Kubernetes API server. - The API request uses an unusual user agent, deviating from typical Kubernetes client tools.
- The Kubernetes API server processes the request and responds with the access rights of the service account or node.
- The attacker analyzes the API response to identify accessible resources and potential targets for lateral movement.
- Based on the discovered permissions, the attacker performs further actions, such as deploying malicious containers, accessing sensitive data, or escalating privileges.
Impact
A successful attack allows an adversary to map out the permissions of a compromised service account or node within a Kubernetes cluster. This reconnaissance enables them to identify potential targets for lateral movement, privilege escalation, or data exfiltration. The impact is a loss of confidentiality and integrity, as the attacker can leverage the discovered permissions to compromise sensitive resources within the cluster. Depending on the compromised role, attackers can potentially impact all workloads managed by the cluster.
Recommendation
- Deploy the Sigma rule
Kubernetes Suspicious Self-Subject Review via Unusual User Agentto your SIEM and tune for your environment, focusing on common, legitimate user agents to reduce false positives. - Investigate any alerts generated by the Sigma rule to determine if a service account or node has been compromised and is attempting to enumerate its own permissions.
- Review the Kubernetes audit logs (referenced by the rule index
logs-kubernetes.audit_logs-*) to identify the source of the API request and the specific user agent used. - Implement network segmentation and access controls to limit the ability of compromised identities to interact with sensitive resources or other parts of the cluster.
- Monitor Kubernetes audit logs for API calls to
selfsubjectaccessreviewsandselfsubjectrulesreviews(as mentioned in the rule description) to identify potentially malicious activity.
Detection coverage 2
Kubernetes Suspicious Self-Subject Review via Unusual User Agent
lowDetects service accounts or nodes enumerating permissions via selfsubjectaccessreview/rulesreview APIs with unusual user agents, indicating potential reconnaissance post-compromise.
Kubernetes Service Account Impersonation with Unusual User Agent
lowDetects attempts to impersonate service accounts while using an unusual user agent, potentially indicating malicious intent.
Detection queries are available on the platform. Get full rules →