Kubernetes Suspicious Self-Subject Review via Unusual User Agent
- source: elastic
- techniques:
- T1613
Description
This rule detects a service account or node enumerating its own permissions by creating a SelfSubjectAccessReview or SelfSubjectRulesReview (the API calls behind "kubectl auth can-i" and "kubectl auth can-i --list") from an unusual user agent. Non-human identities such as service accounts and nodes have no reason to ask the API server what they are allowed to do, so this is highly unusual behavior for them. An adversary who has obtained a service account token or node credentials may be doing this to map the privileges those credentials carry before moving laterally or executing further actions in the cluster.
Detection logic
event.dataset : "kubernetes.audit_logs" and
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
kubernetes.audit.verb:"create" and
kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews") and (
kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*) or
kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*)
) and kubernetes.audit.userAgent:(* and not (*kubernetes/$Format))