Kubernetes Service Account Token Access Followed by API Request
Detection of interactive access to a Kubernetes service account token or certificate followed by a Kubernetes API request, potentially indicating credential theft and lateral movement within the cluster.
This threat brief focuses on detecting malicious activity within Kubernetes environments where an attacker gains unauthorized access to service account tokens or certificates and subsequently uses these credentials to make API requests. This activity, often seen after initial container compromise, allows attackers to enumerate resources, escalate privileges, and move laterally within the cluster. The detection is based on a combination of Defend for Containers and Kubernetes audit logs, correlating interactive file access to service account credentials with near-immediate API requests. This technique is relevant for defenders as it highlights a common path for attackers to expand their foothold after compromising an initial container, and potentially pivot to other nodes or services. This activity has been observed in production environments, and is detectable using Elastic Stack version 9.3.0 and later, due to the reintroduction of Defend for Containers integration.
Attack Chain
- An attacker gains initial access to a container within a Kubernetes pod, possibly through exploiting a vulnerability in the application running inside the container.
- The attacker executes a shell within the container using
kubectl execor similar methods, establishing an interactive session. - The attacker accesses the service account token and/or CA certificate located at
/var/run/secrets/kubernetes.io/serviceaccount/tokenand/var/run/secrets/kubernetes.io/serviceaccount/ca.crt. - The attacker uses
curlorkubectlwith the stolen token and CA certificate to interact with the Kubernetes API server. - The attacker enumerates the cluster resources, such as listing pods (
kubectl get pods), secrets (kubectl get secrets), or other sensitive information. - The attacker attempts to escalate privileges by creating privileged pods or modifying RBAC roles.
- The attacker moves laterally within the cluster by leveraging the stolen credentials to access other services or nodes.
- The attacker's final objective can vary but commonly includes data exfiltration, deployment of malicious workloads, or further exploitation of the environment.
Impact
Successful exploitation can lead to complete compromise of the Kubernetes cluster, including unauthorized access to sensitive data, deployment of malicious containers, and denial of service. Depending on the RBAC permissions associated with the compromised service account, the attacker could potentially gain control over the entire cluster. Organizations using vulnerable Kubernetes deployments are at risk, with potential consequences including data breaches, service disruptions, and reputational damage.
Recommendation
- Deploy the Sigma rule "K8s Service Account Token Access Followed by API Request" to your SIEM, tuning the
maxspanvalue based on your environment. - Enable both
cloud_defend.fileandkubernetes.audit_logslog sources to collect the necessary data for this detection (Elastic Stack). - Harden Kubernetes deployments by disabling
automountServiceAccountTokenon pods that do not require it (Kubernetes documentation). - Implement least-privilege RBAC to limit the permissions of service accounts (Kubernetes documentation).
- Monitor network egress from pods for suspicious connections to external destinations, correlating with service account token access (Network monitoring tools).
- Enforce Pod Security Admission to block privileged/interactive shells, restricting exec/attach via RBAC or admission policies (Kubernetes documentation).
Detection coverage 2
K8s Service Account Token Access Followed by API Request
mediumDetects access to service account token or certificate followed by kubernetes API request indicating potential credential access and lateral movement.
K8s API request after file access
lowDetect a kubernetes API request shortly after a file was accessed in a container
Detection queries are available on the platform. Get full rules →