There is a potential for false positives if the reading of the service account namespace file is used for legitimate purposes, such as debugging or troubleshooting. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.

Techniques

Sample rules

Service Account Namespace Read Detected via Defend for Containers

Description

This rule detects the reading of the service account namespace file inside a container. The service account namespace file is used to identify the namespace of the container in which it is running, and may be used by an adversary to get a better understanding of the container and the services running inside it.

Detection logic

file where host.os.type == "linux" and event.type == "change" and event.action == "open" and
file.path == "/var/run/secrets/kubernetes.io/serviceaccount/namespace" and
process.interactive == true and container.id like "*"
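The following is an added example, not part of the rule or of the Elastic project's own code: it re-implements the EQL conditions above in plain Python so the rule's clauses can be checked offline against hand-built ECS-shaped events, including the non-interactive read the rule deliberately ignores and the interactive debugging read that produces the false positive described at the top of this page. The events, field names beyond those in the query (`event.id`, `process.name`) and the use of `fnmatchcase` as a stand-in for EQL's `like` glob are assumptions made for the example.

```python
"""Added example: the rule's EQL conditions re-implemented in Python and run
over constructed ECS-style events. Not real telemetry and not the rule's code."""
from fnmatch import fnmatchcase

NAMESPACE_FILE = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"


def get_field(event: dict, dotted: str):
    """Resolve an ECS dotted field name such as "host.os.type" in a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def field_eq(event: dict, dotted: str, expected) -> bool:
    """EQL `==`: for array-valued fields (event.type is usually a list in ECS)
    the comparison holds if any element matches."""
    value = get_field(event, dotted)
    if isinstance(value, list):
        return expected in value
    return value == expected


def field_like(event: dict, dotted: str, pattern: str) -> bool:
    """EQL `like`: case-sensitive glob match. `like "*"` therefore means
    "the field is present and is a string", which is how the rule requires a
    container.id. fnmatchcase is an approximation (assumption): it also
    interprets ? and [...], which is irrelevant for the literal "*" used here."""
    value = get_field(event, dotted)
    values = value if isinstance(value, list) else [value]
    return any(isinstance(v, str) and fnmatchcase(v, pattern) for v in values)


def matches_rule(event: dict) -> bool:
    """One-to-one translation of the `file where ...` query above."""
    return (
        field_eq(event, "event.category", "file")  # the `file where` scope
        and field_eq(event, "host.os.type", "linux")
        and field_eq(event, "event.type", "change")
        and field_eq(event, "event.action", "open")
        and field_eq(event, "file.path", NAMESPACE_FILE)
        and field_eq(event, "process.interactive", True)
        and field_like(event, "container.id", "*")
    )


def make_event(event_id, *, path=NAMESPACE_FILE, interactive=True,
               container_id="c0ffee0123456789", os_type="linux",
               process_name="sh"):
    """Build a minimal ECS-shaped file-open event (constructed test data)."""
    return {
        "event": {"id": event_id, "category": ["file"], "type": ["change"],
                  "action": "open"},
        "host": {"os": {"type": os_type}},
        "file": {"path": path},
        "process": {"interactive": interactive, "name": process_name},
        **({"container": {"id": container_id}} if container_id else {}),
    }


# Constructed sample events covering each clause of the rule plus the
# false-positive case described in the note at the top of the page.
SAMPLE_EVENTS = [
    # Interactive shell inside a container reads the namespace file: alert.
    make_event("evt-1", process_name="sh"),
    # Same read by a non-interactive process (an application loading its
    # in-cluster config at start-up): not matched, by design of the rule.
    make_event("evt-2", interactive=False, process_name="app"),
    # Interactive read of a different file under the secrets mount: no match.
    make_event("evt-3", path="/var/run/secrets/kubernetes.io/serviceaccount/token"),
    # Interactive read on the host itself (no container.id): no match.
    make_event("evt-4", container_id=None),
    # An operator troubleshooting from an interactive shell looks identical to
    # evt-1 at the query level: this is the false positive the note warns
    # about, so it alerts and must be resolved by investigation, not the query.
    make_event("evt-5", process_name="cat"),
]


def evaluate(events):
    """Return the ids of the events the rule would alert on."""
    return [e["event"]["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print("alerts:", evaluate(SAMPLE_EVENTS))  # alerts: ['evt-1', 'evt-5']
```

Running the module prints the two alerting event ids. The point of evt-2 versus evt-5 is that the `process.interactive == true` clause is what separates routine in-cluster client reads from a person at a shell, and nothing in the query can tell a troubleshooting operator from an intruder; that distinction has to come from the surrounding context (who opened the session, how, and what followed) during triage.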