Techniques
Sample rules
Kubernetes Service Account Token Created via TokenRequest API
- source: elastic
- techniques:
- T1552
Description
Detects the creation of a Kubernetes service account token through the TokenRequest API by a non-system identity. The TokenRequest API allows users and workloads to programmatically generate short-lived tokens for any service account on which they hold create permission, without touching the filesystem or the mounted projected token. Attackers who have gained initial access to a cluster can abuse this API to mint tokens for more privileged service accounts, pivot to cloud provider resources via IRSA or workload identity, or generate long-lived tokens that persist beyond pod termination. Unlike mounted service account tokens, which can be detected through file access monitoring, tokens created via the TokenRequest API leave no filesystem footprint; they are visible only in Kubernetes audit logs as a create verb on the serviceaccounts/token subresource. This rule excludes legitimate system components such as the kubelet, kube-controller-manager, and cloud provider managed identities (EKS, AKS, GKE) that routinely create tokens for pod lifecycle management.
Detection logic
data_stream.dataset:"kubernetes.audit_logs" and
kubernetes.audit.verb:"create" and
kubernetes.audit.objectRef.resource:"serviceaccounts" and
kubernetes.audit.objectRef.subresource:"token" and
user.name:(* and not
(system\:kube-controller-manager or
system\:kube-scheduler or
system\:node\:* or
system\:serviceaccount\:kube-system\:* or
eks\:* or
aksService or
aks-service or
masterclient or
nodeclient or
system\:serviceaccount\:gke-managed-system\:* or
system\:serviceaccount\:gke-connect\:* or
system\:serviceaccount\:anthos-identity-service\:* or
system\:gke-controller-manager or
system\:serviceaccount\:tigera-operator\:* or
system\:serviceaccount\:calico-system\:*))
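The rule's KQL re-implemented in Python over a handful of constructed Kubernetes audit events, as an added example that is not part of the Elastic rule. It reads the raw audit.k8s.io fields (verb, objectRef.resource, objectRef.subresource, user.username) that the Elastic integration maps to the rule's field names; the sample NDJSON lines and the identities in them are constructed for illustration.

```python
import fnmatch
import json

# Identity exclusions copied from the rule's KQL; '*' is a wildcard there too.
SYSTEM_IDENTITIES = [
    "system:kube-controller-manager", "system:kube-scheduler", "system:node:*",
    "system:serviceaccount:kube-system:*", "eks:*", "aksService", "aks-service",
    "masterclient", "nodeclient", "system:serviceaccount:gke-managed-system:*",
    "system:serviceaccount:gke-connect:*",
    "system:serviceaccount:anthos-identity-service:*",
    "system:gke-controller-manager", "system:serviceaccount:tigera-operator:*",
    "system:serviceaccount:calico-system:*",
]

# Constructed audit.k8s.io/v1 events (NDJSON), trimmed to the fields the rule reads.
SAMPLE_AUDIT_LOG = [
    '{"verb":"create","user":{"username":"system:node:ip-10-0-1-23.internal"},'
    '"objectRef":{"resource":"serviceaccounts","subresource":"token","namespace":"default","name":"web"}}',
    '{"verb":"create","user":{"username":"alice@example.com"},'
    '"objectRef":{"resource":"serviceaccounts","subresource":"token","namespace":"kube-system","name":"cluster-admin-sa"}}',
    '{"verb":"create","user":{"username":"system:serviceaccount:default:ci-runner"},'
    '"objectRef":{"resource":"serviceaccounts","subresource":"token","namespace":"prod","name":"deployer"}}',
    '{"verb":"create","user":{"username":"eks:pod-identity-mutating-webhook"},'
    '"objectRef":{"resource":"serviceaccounts","subresource":"token","namespace":"default","name":"app"}}',
    '{"verb":"get","user":{"username":"alice@example.com"},'
    '"objectRef":{"resource":"serviceaccounts","namespace":"prod","name":"deployer"}}',
]

def is_system_identity(username):
    """Mirror the rule's 'not (...)' clause; fnmatch gives KQL-style '*' globbing."""
    return any(fnmatch.fnmatchcase(username, pat) for pat in SYSTEM_IDENTITIES)

def matches_rule(event):
    """True for a TokenRequest (create on serviceaccounts/token) by a present, non-system identity."""
    ref = event.get("objectRef") or {}
    username = (event.get("user") or {}).get("username")
    return (event.get("verb") == "create"
            and ref.get("resource") == "serviceaccounts"
            and ref.get("subresource") == "token"
            and bool(username)                      # user.name:* requires the field to be set
            and not is_system_identity(username))

def find_token_requests(lines):
    """(requester, namespace/serviceaccount) for each audit line that would alert."""
    events = (json.loads(line) for line in lines)
    return [(e["user"]["username"], f'{e["objectRef"]["namespace"]}/{e["objectRef"]["name"]}')
            for e in events if matches_rule(e)]
```

Note that a token minted by a workload's own service account outside kube-system (the ci-runner line) still alerts, so such identities need explicit tuning if they legitimately call the TokenRequest API.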