Unauthorized requests from service accounts are normal and expected behavior. Analyze the user agent, pod, and other node information to determine whether the request is legitimate.

Techniques

Sample rules

Kubernetes Denied Service Account Request via Unusual User Agent

Description

This rule detects when a service account makes an unauthorized request for resources from the API server via an unusual user agent. Service accounts follow a very predictable pattern of behavior, and a service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials or tokens, and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.

Detection logic

event.dataset:"kubernetes.audit_logs" and
kubernetes.audit.user.username:system\:serviceaccount\:* and
kubernetes.audit.annotations.authorization_k8s_io/decision:"forbid" and
kubernetes.audit.userAgent:(* and not (*kubernetes/$Format or karpenter or csi-secrets-store* or OpenAPI-Generator* or Prometheus* or dashboard* or cilium-agent*))
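The following is an added example, not code from Elastic, LoFP or the rule itself. It replays the detection logic above in Python over four constructed audit events and then gathers the triage context the false-positive note says to examine (user agent, pod, node, and what was requested). Field names follow the rule's query; reading the pod and node names from bound-token `user.extra` claims is an assumption about the cluster's token format, and the sample events, names and IPs are constructed.

```python
# Added example (not Elastic's or LoFP's code): replays the rule's KQL over
# constructed Kubernetes audit events and collects triage context. Field names
# follow the rule's query; the pod/node `user.extra` claims are an assumption.
import fnmatch

# Allow-listed user-agent patterns, copied from the rule's `not (...)` clause.
# In KQL a bare term is an exact match and `*` is a wildcard; fnmatchcase
# gives the same case-sensitive semantics as a keyword field.
KNOWN_USER_AGENTS = [
    "*kubernetes/$Format",
    "karpenter",
    "csi-secrets-store*",
    "OpenAPI-Generator*",
    "Prometheus*",
    "dashboard*",
    "cilium-agent*",
]

DECISION_FIELD = "kubernetes.audit.annotations.authorization_k8s_io/decision"


def user_agent_is_known(user_agent):
    """True when the user agent matches one of the rule's allow-listed patterns."""
    return any(fnmatch.fnmatchcase(user_agent, p) for p in KNOWN_USER_AGENTS)


def matches_rule(event):
    """True when every clause of the rule's detection logic holds for `event`."""
    if event.get("event.dataset") != "kubernetes.audit_logs":
        return False
    username = event.get("kubernetes.audit.user.username", "")
    if not username.startswith("system:serviceaccount:"):
        return False
    if event.get(DECISION_FIELD) != "forbid":
        return False
    user_agent = event.get("kubernetes.audit.userAgent")
    if not user_agent:  # `userAgent:*` requires the field to be present
        return False
    return not user_agent_is_known(user_agent)


def run_rule(events):
    """Return the subset of events that would raise this alert."""
    return [e for e in events if matches_rule(e)]


def triage_summary(event):
    """Context the false-positive note says to check before closing an alert.

    Pod and node names come from bound-token extra claims (assumed key names);
    clusters that do not emit them show '<not recorded>'.
    """
    extra = event.get("kubernetes.audit.user.extra", {})
    return {
        "service_account": event.get("kubernetes.audit.user.username"),
        "user_agent": event.get("kubernetes.audit.userAgent"),
        "pod": extra.get("authentication.kubernetes.io/pod-name", ["<not recorded>"])[0],
        "node": extra.get("authentication.kubernetes.io/node-name", ["<not recorded>"])[0],
        "request": "{} {} in {}".format(
            event.get("kubernetes.audit.verb"),
            event.get("kubernetes.audit.objectRef.resource"),
            event.get("kubernetes.audit.objectRef.namespace"),
        ),
        "source_ips": event.get("kubernetes.audit.sourceIPs", []),
    }


def audit_event(username, decision, user_agent, verb, resource, namespace, ip, extra=None):
    """Build a flattened audit event shaped like the fields the rule queries (constructed)."""
    return {
        "event.dataset": "kubernetes.audit_logs",
        "kubernetes.audit.user.username": username,
        "kubernetes.audit.user.extra": extra or {},
        DECISION_FIELD: decision,
        "kubernetes.audit.userAgent": user_agent,
        "kubernetes.audit.verb": verb,
        "kubernetes.audit.objectRef.resource": resource,
        "kubernetes.audit.objectRef.namespace": namespace,
        "kubernetes.audit.sourceIPs": [ip],
    }


# Constructed sample events: one for each branch of the rule.
SAMPLE_EVENTS = [
    # Denied, but the user agent is a client-go build string -> allow-listed, no alert
    audit_event("system:serviceaccount:argocd:argocd-application-controller", "forbid",
                "argocd-application-controller/v2.9.3 (linux/amd64) kubernetes/$Format",
                "list", "secrets", "kube-system", "10.244.0.12"),
    # Denied from an unexpected user agent -> alert; triage context is attached
    audit_event("system:serviceaccount:default:default", "forbid", "curl/8.4.0",
                "list", "secrets", "kube-system", "10.244.1.17",
                extra={"authentication.kubernetes.io/pod-name": ["debug-shell-7c9f"],
                       "authentication.kubernetes.io/node-name": ["worker-2"]}),
    # Same user agent but the request was allowed -> no alert
    audit_event("system:serviceaccount:monitoring:exporter", "allow", "curl/8.4.0",
                "get", "pods", "monitoring", "10.244.2.3"),
    # Denied request by a human user, not a service account -> out of scope
    audit_event("kubernetes-admin", "forbid", "curl/8.4.0",
                "delete", "namespaces", "", "192.0.2.10"),
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(triage_summary(alert))
```

Run as a script it prints one triage record, for the `curl/8.4.0` request; the analyst then decides from the pod, node and requested resource whether the denied call is the expected noise the note describes or a token being used outside its workload.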