there is a potential for false positives if the service account token or certificate is used for legitimate purposes, such as debugging or troubleshooting. it is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.

t1552
cloud_defend
elastic

Techniques

T1552

Sample rules

Service Account Token or Certificate Read Detected via Defend for Containers

source: elastic
technicques:
- T1552

Description

This rule detects the reading of the service account token or certificate inside a container. The service account token or certificate is used to authenticate the container to the Kubernetes API server, and may be used by an adversary to gain access to the Kubernetes API server or other resources within the cluster. These files are a common target for adversaries to gain access to the cluster.

Detection logic

file where host.os.type == "linux" and event.type == "change" and event.action == "open" and file.path in (
  "/var/run/secrets/kubernetes.io/serviceaccount/token", "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
) and
process.interactive == true and container.id like "*"