<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Service-Account - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/service-account/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 19 Jan 2024 17:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/service-account/feed.xml" rel="self" type="application/rss+xml"/><item><title>Kubernetes Denied Service Account Request via Unusual User Agent</title><link>https://feed.craftedsignal.io/briefs/2024-01-k8s-service-account-discovery/</link><pubDate>Fri, 19 Jan 2024 17:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-k8s-service-account-discovery/</guid><description>A Kubernetes service account made an unauthorized request to the API server using an unusual user agent, potentially indicating compromised credentials used for resource discovery or lateral movement.</description><content:encoded><![CDATA[<p>This detection rule identifies suspicious activity within Kubernetes clusters where a service account makes an unauthorized request to the API server, utilizing a user agent that deviates from established patterns. Kubernetes service accounts typically exhibit predictable behavior, and deviations, especially unauthorized requests, can indicate compromised credentials or cluster misconfigurations. Attackers may exploit such access to discover resources within the cluster, facilitating further movement or execution. The rule aims to detect these anomalies by flagging unauthorized API requests from service accounts associated with unusual user agents, potentially signaling security breaches or misconfigurations. The monitored behavior is when an audit log is created by a service account that is denied with an unusual user agent.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to a Kubernetes service account's credentials.</li>
<li>The attacker uses these credentials to send a request to the Kubernetes API server.</li>
<li>The request targets sensitive information or resources within the cluster.</li>
<li>The API server denies the request due to insufficient privileges or policy restrictions.</li>
<li>The request is logged in the Kubernetes audit logs, including the user agent used.</li>
<li>A detection rule identifies the unauthorized request based on the service account and user agent.</li>
<li>The security team investigates the alert, looking for further malicious activity.</li>
<li>The attacker's goal is to enumerate resources and potentially gain further access within the Kubernetes environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack could allow unauthorized enumeration of Kubernetes resources. The impact is potentially lower due to the request being denied, but the attempt indicates a potential compromise. The blast radius depends on the permissions and access the compromised service account has within the cluster. The primary sector impacted is cloud infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Kubernetes Unusual Service Account User Agent</code> to your SIEM and tune for your environment to detect unusual user agents (rules).</li>
<li>Investigate alerts triggered by the <code>Kubernetes Unusual Service Account User Agent</code> Sigma rule by reviewing the specific service account involved to determine if it was used legitimately or not (rules).</li>
<li>Review the configuration of RBAC policies to ensure service accounts have the minimum necessary permissions, as mentioned in the investigation guide (note).</li>
<li>Implement enhanced monitoring and alerting for similar unauthorized access attempts to improve detection and response times for future incidents, improving overall cluster security (note).</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>kubernetes</category><category>service-account</category><category>discovery</category></item></channel></rss>