Skip to content
Threat Feed
low advisory

Kubernetes Suspicious Self-Subject Review via Unusual User Agent

The rule detects when a service account or node attempts to enumerate its permissions using selfsubjectaccessreview/rulesreview APIs with an unusual user agent, potentially indicating credential compromise and reconnaissance in a Kubernetes cluster.

This detection rule identifies suspicious behavior within Kubernetes environments where service accounts or nodes attempt to enumerate their own permissions using the selfsubjectaccessreview or selfsubjectrulesreview APIs with an unusual user agent. This activity is considered anomalous for non-human identities like service accounts and nodes, suggesting a potential compromise. An attacker might leverage compromised credentials or tokens to assess their privileges within the cluster, enabling further movement or execution. The rule focuses on detecting unusual user agents associated with these API calls, providing an alert when such activity is observed. This activity is useful for attackers after initial compromise, as it allows them to determine the scope of their access in the cluster. The rule was last updated on March 3, 2026.

Attack Chain

  1. An attacker gains initial access to a Kubernetes cluster by compromising a service account or node.
  2. The attacker uses the compromised credentials to authenticate to the Kubernetes API server.
  3. The attacker attempts to determine the permissions associated with the compromised account.
  4. The attacker sends a selfsubjectaccessreview or selfsubjectrulesreview API request to the Kubernetes API server.
  5. The API request uses an unusual user agent, deviating from typical Kubernetes client tools.
  6. The Kubernetes API server processes the request and responds with the access rights of the service account or node.
  7. The attacker analyzes the API response to identify accessible resources and potential targets for lateral movement.
  8. Based on the discovered permissions, the attacker performs further actions, such as deploying malicious containers, accessing sensitive data, or escalating privileges.

Impact

A successful attack allows an adversary to map out the permissions of a compromised service account or node within a Kubernetes cluster. This reconnaissance enables them to identify potential targets for lateral movement, privilege escalation, or data exfiltration. The impact is a loss of confidentiality and integrity, as the attacker can leverage the discovered permissions to compromise sensitive resources within the cluster. Depending on the compromised role, attackers can potentially impact all workloads managed by the cluster.

Recommendation

  • Deploy the Sigma rule Kubernetes Suspicious Self-Subject Review via Unusual User Agent to your SIEM and tune for your environment, focusing on common, legitimate user agents to reduce false positives.
  • Investigate any alerts generated by the Sigma rule to determine if a service account or node has been compromised and is attempting to enumerate its own permissions.
  • Review the Kubernetes audit logs (referenced by the rule index logs-kubernetes.audit_logs-*) to identify the source of the API request and the specific user agent used.
  • Implement network segmentation and access controls to limit the ability of compromised identities to interact with sensitive resources or other parts of the cluster.
  • Monitor Kubernetes audit logs for API calls to selfsubjectaccessreviews and selfsubjectrulesreviews (as mentioned in the rule description) to identify potentially malicious activity.

Detection coverage 2

Kubernetes Suspicious Self-Subject Review via Unusual User Agent

low

Detects service accounts or nodes enumerating permissions via selfsubjectaccessreview/rulesreview APIs with unusual user agents, indicating potential reconnaissance post-compromise.

sigma tactics: discovery techniques: T1613 sources: network_connection, kubernetes

Kubernetes Service Account Impersonation with Unusual User Agent

low

Detects attempts to impersonate service accounts while using an unusual user agent, potentially indicating malicious intent.

sigma tactics: discovery techniques: T1613 sources: network_connection, kubernetes

Detection queries are available on the platform. Get full rules →