Techniques
Sample rules
Service Account Token or Certificate Read Detected via Defend for Containers
- source: elastic
- technicques:
- T1552
Description
This rule detects the reading of the service account token or certificate inside a container. The service account token or certificate is used to authenticate the container to the Kubernetes API server, and may be used by an adversary to gain access to the Kubernetes API server or other resources within the cluster. These files are a common target for adversaries to gain access to the cluster.
Detection logic
any where host.os.type == "linux" and process.interactive == true and container.id like "*" and (
(event.category == "file" and event.type == "change" and event.action == "open" and
file.path in (
"/var/run/secrets/kubernetes.io/serviceaccount/token",
"/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
"/run/secrets/kubernetes.io/serviceaccount/token",
"/run/secrets/kubernetes.io/serviceaccount/ca.crt"
)) or
(event.category == "process" and event.type == "start" and event.action == "exec" and
(
process.name in ("cat", "head", "tail", "more", "less", "sed", "awk") or
process.args in (
"cat", "/bin/cat", "/usr/bin/cat", "/usr/local/bin/cat",
"head", "/bin/head", "/usr/bin/head", "/usr/local/bin/head",
"tail", "/bin/tail", "/usr/bin/tail", "/usr/local/bin/tail",
"more", "/bin/more", "/usr/bin/more", "/usr/local/bin/more",
"less", "/bin/less", "/usr/bin/less", "/usr/local/bin/less",
"sed", "/bin/sed", "/usr/bin/sed", "/usr/local/bin/sed",
"awk", "/bin/awk", "/usr/bin/awk", "/usr/local/bin/awk"
)
) and process.args like (
"*/run/secrets/kubernetes.io/serviceaccount/token*",
"*/run/secrets/kubernetes.io/serviceaccount/ca.crt*"
))
)