Unusual Kubernetes service account file read

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-10-08
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

7 Days

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

Kubernetes - AGENT

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Credentials In Files (T1552.001)

Severity

Informational

Description

An unusual process opened a Kubernetes service account file for the first time.

Attacker's Goals

Utilize the Kubernetes service account files to perform additional actions on the cluster.

Investigative actions

  • Check the exposed Kubernetes service account usage in the cluster.
  • Check if any other suspicious activity was performed inside the pod.

Variations

Unusual Kubernetes service account file read within a new pod

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Credentials In Files (T1552.001)

Severity

Informational

Description

An unusual process opened a Kubernetes service account file for the first time.

Attacker's Goals

Utilize the Kubernetes service account files to perform additional actions on the cluster.

Investigative actions

  • Check the exposed Kubernetes service account usage in the cluster.
  • Check if any other suspicious activity was performed inside the pod.


Kubernetes service account file read

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Credentials In Files (T1552.001)

Severity

Informational

Description

An unusual process opened a Kubernetes service account file for the first time.

Attacker's Goals

Utilize the Kubernetes service account files to perform additional actions on the cluster.

Investigative actions

  • Check the exposed Kubernetes service account usage in the cluster.
  • Check if any other suspicious activity was performed inside the pod.


Suspicious Kubernetes service account file read from the projected volume path

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Credentials In Files (T1552.001)

Severity

Medium

Description

An unusual process opened a Kubernetes service account file for the first time.

Attacker's Goals

Utilize the Kubernetes service account files to perform additional actions on the cluster.

Investigative actions

  • Check the exposed Kubernetes service account usage in the cluster.
  • Check if any other suspicious activity was performed inside the pod.


Suspicious Kubernetes service account token read by an unusual process

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Credentials In Files (T1552.001)

Severity

Medium

Description

An unusual process opened the Kubernetes service account token file for the first time.

Attacker's Goals

Utilize the Kubernetes service account files to perform additional actions on the cluster.

Investigative actions

  • Check the exposed Kubernetes service account usage in the cluster.
  • Check if any other suspicious activity was performed inside the pod.


Suspicious Kubernetes service account file read by an unusual process

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Credentials In Files (T1552.001)

Severity

Low

Description

An unusual process opened a Kubernetes service account file for the first time.

Attacker's Goals

Utilize the Kubernetes service account files to perform additional actions on the cluster.

Investigative actions

  • Check the exposed Kubernetes service account usage in the cluster.
  • Check if any other suspicious activity was performed inside the pod.


Suspicious Kubernetes service account token read

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials: Credentials In Files (T1552.001)

Severity

Low

Description

An unusual process opened the Kubernetes service account token file for the first time.

Attacker's Goals

Utilize the Kubernetes service account files to perform additional actions on the cluster.

Investigative actions

  • Check the exposed Kubernetes service account usage in the cluster.
  • Check if any other suspicious activity was performed inside the pod.
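The detection described by this alert and its variations, a process opening a service account file for the first time after a training period, with the token-file and projected-volume-path variations and the 7-day deduplication, as an added example in Python. It is not Cortex XDR's code: the event schema, the choice of (image, process) as the baseline key, the path heuristics, and the mapping of variations to severities are assumptions made for illustration, and the events are constructed. The activation period is not modelled.

```python
"""Toy first-seen detector for Kubernetes service account file reads.

Added example; assumptions (not Cortex XDR logic): event fields, the
(image, process) baseline key, path classification and severity mapping.
"""
import os
from datetime import datetime, timedelta

# Default mount point of the service account projected volume.
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
TRAINING_PERIOD = timedelta(days=30)   # baseline is learned, nothing fires
DEDUP_PERIOD = timedelta(days=7)       # one alert per pod within this window

T0 = datetime(2024, 1, 1)


def day(n, hours=0):
    return T0 + timedelta(days=n, hours=hours)


# Constructed file-open events (assumed schema), not real telemetry.
EVENTS = [
    {"ts": day(1), "pod": "api-7c9", "image": "registry.example/api:1.4", "process": "api-server", "path": SA_DIR + "/token"},
    {"ts": day(10), "pod": "api-7c9", "image": "registry.example/api:1.4", "process": "api-server", "path": SA_DIR + "/token"},
    {"ts": day(20), "pod": "api-8d2", "image": "registry.example/api:1.4", "process": "api-server", "path": SA_DIR + "/ca.crt"},
    # after training: known (image, process) pair, no alert
    {"ts": day(31), "pod": "api-9e1", "image": "registry.example/api:1.4", "process": "api-server", "path": SA_DIR + "/token"},
    # unseen process reads the token: alert (Medium)
    {"ts": day(32), "pod": "api-9e1", "image": "registry.example/api:1.4", "process": "curl", "path": SA_DIR + "/token"},
    # second unseen process, same pod, an hour later: deduplicated
    {"ts": day(32, 1), "pod": "api-9e1", "image": "registry.example/api:1.4", "process": "cat", "path": SA_DIR + "/..data/token"},
    # not a service account file: ignored
    {"ts": day(33), "pod": "api-9e1", "image": "registry.example/api:1.4", "process": "curl", "path": "/etc/passwd"},
    # unseen process reads the namespace file: alert (Low)
    {"ts": day(40), "pod": "web-1a2", "image": "registry.example/web:2.0", "process": "python3", "path": SA_DIR + "/namespace"},
    # same pair again next day: learned, no alert
    {"ts": day(41), "pod": "web-1a2", "image": "registry.example/web:2.0", "process": "python3", "path": SA_DIR + "/token"},
    # read through the projected volume's internal directory: alert (Medium)
    {"ts": day(50), "pod": "job-3f4", "image": "registry.example/tools:1.0", "process": "sh", "path": SA_DIR + "/..2024_02_20_00_00_00.1/token"},
]


def classify(path):
    """Map a path to (variation name, severity), or None outside the SA mount.

    Kubernetes writes projected volumes atomically into a '..<timestamp>'
    directory and points the '..data' symlink at it; the visible file names
    are symlinks into it. A path through those directories is unusual.
    Severities follow this page's variations; the ordering is an assumption.
    """
    if not path.startswith(SA_DIR + "/"):
        return None
    rel = path[len(SA_DIR) + 1:]
    if any(part.startswith("..") for part in rel.split("/")[:-1]):
        return ("Suspicious Kubernetes service account file read from the projected volume path", "Medium")
    if os.path.basename(rel) == "token":
        return ("Suspicious Kubernetes service account token read by an unusual process", "Medium")
    return ("Suspicious Kubernetes service account file read by an unusual process", "Low")


def detect(events, training=TRAINING_PERIOD, dedup=DEDUP_PERIOD):
    """Return alerts for (image, process) pairs first seen after training."""
    events = sorted(events, key=lambda e: e["ts"])
    if not events:
        return []
    training_end = events[0]["ts"] + training
    baseline = set()      # (image, process) pairs known to read SA files
    last_alert = {}       # pod -> time of its last alert, for deduplication
    alerts = []
    for e in events:
        variation = classify(e["path"])
        if variation is None:
            continue
        key = (e["image"], e["process"])
        if e["ts"] < training_end:
            baseline.add(key)          # learning only
            continue
        if key in baseline:
            continue
        baseline.add(key)              # "first time": later opens by this pair are normal
        prev = last_alert.get(e["pod"])
        if prev is not None and e["ts"] - prev < dedup:
            continue                   # same pod already alerted within the window
        last_alert[e["pod"]] = e["ts"]
        name, severity = variation
        alerts.append({"alert": name, "severity": severity, "ts": e["ts"],
                       "pod": e["pod"], "process": e["process"], "path": e["path"]})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f'{a["ts"]:%Y-%m-%d %H:%M} {a["severity"]:<6} {a["pod"]:<8} {a["process"]:<8} {a["alert"]}')
```

Running the file prints three alerts: the curl token read (Medium), the python3 namespace read (Low) and the sh read through the projected volume directory (Medium); the cat read in the same pod an hour after the first alert is absorbed by deduplication, and the later python3 token read is already in the baseline. The investigative actions on this page start from those alert rows: the pod and process identify where to look for other activity, and the path identifies which service account's credentials to check for use against the API server.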