{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/service-account/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Kubernetes"],"_cs_severities":["low"],"_cs_tags":["kubernetes","service-account","discovery"],"_cs_type":"advisory","_cs_vendors":["Kubernetes"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious activity within Kubernetes clusters where a service account makes an unauthorized request to the API server, utilizing a user agent that deviates from established patterns. Kubernetes service accounts typically exhibit predictable behavior, and deviations, especially unauthorized requests, can indicate compromised credentials or cluster misconfigurations. Attackers may exploit such access to discover resources within the cluster, facilitating further movement or execution. The rule aims to detect these anomalies by flagging unauthorized API requests from service accounts associated with unusual user agents, potentially signaling security breaches or misconfigurations. The monitored behavior is when an audit log is created by a service account that is denied with an unusual user agent.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a Kubernetes service account's credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses these credentials to send a request to the Kubernetes API server.\u003c/li\u003e\n\u003cli\u003eThe request targets sensitive information or resources within the cluster.\u003c/li\u003e\n\u003cli\u003eThe API server denies the request due to insufficient privileges or policy restrictions.\u003c/li\u003e\n\u003cli\u003eThe request is logged in the Kubernetes audit logs, including the user agent used.\u003c/li\u003e\n\u003cli\u003eA detection rule identifies the unauthorized request based on the service account and user agent.\u003c/li\u003e\n\u003cli\u003eThe security team investigates the alert, looking for further malicious activity.\u003c/li\u003e\n\u003cli\u003eThe attacker's goal is to enumerate resources and potentially gain further access within the Kubernetes environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could allow unauthorized enumeration of Kubernetes resources. The impact is potentially lower due to the request being denied, but the attempt indicates a potential compromise. The blast radius depends on the permissions and access the compromised service account has within the cluster. The primary sector impacted is cloud infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eKubernetes Unusual Service Account User Agent\u003c/code\u003e to your SIEM and tune for your environment to detect unusual user agents (rules).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts triggered by the \u003ccode\u003eKubernetes Unusual Service Account User Agent\u003c/code\u003e Sigma rule by reviewing the specific service account involved to determine if it was used legitimately or not (rules).\u003c/li\u003e\n\u003cli\u003eReview the configuration of RBAC policies to ensure service accounts have the minimum necessary permissions, as mentioned in the investigation guide (note).\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and alerting for similar unauthorized access attempts to improve detection and response times for future incidents, improving overall cluster security (note).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-19T17:30:00Z","date_published":"2024-01-19T17:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-k8s-service-account-discovery/","summary":"A Kubernetes service account made an unauthorized request to the API server using an unusual user agent, potentially indicating compromised credentials used for resource discovery or lateral movement.","title":"Kubernetes Denied Service Account Request via Unusual User Agent","url":"https://feed.craftedsignal.io/briefs/2024-01-k8s-service-account-discovery/"}],"language":"en","title":"CraftedSignal Threat Feed - Service-Account","version":"https://jsonfeed.org/version/1.1"}