Synopsis
Activation Period | 14 Days |
Training Period | 30 Days |
Test Period | N/A (single event) |
Deduplication Period | 7 Days |
Required Data | |
Detection Modules | |
Detector Tags | Kubernetes - AGENT |
ATT&CK Tactic | |
ATT&CK Technique | |
Severity | Informational |
Description
An unusual process opened a Kubernetes service account file for the first time.
Attacker's Goals
Utilize the Kubernetes service account files to perform additional actions on the cluster.
Investigative actions
- Check the exposed Kubernetes service account usage in the cluster.
- Check if any other suspicious activity was performed inside the pod.
Variations
Unusual Kubernetes service account file read within a new pod
Kubernetes service account file read
Suspicious Kubernetes service account file read from the projected volume path
Suspicious Kubernetes service account token read by an unusual process
Suspicious Kubernetes service account file read by an unusual process
Suspicious Kubernetes service account token read
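
The first-seen logic in the Description, combined with the Training and Deduplication periods from the Synopsis, can be sketched as follows. This is an added example, not the vendor's detection code. The event fields, the `(workload, process)` baseline key, the file paths in `SA_FILE`, and the choice to keep alerting on an unbaselined process after the deduplication window are all assumptions.

```python
import re
from datetime import datetime, timedelta

TRAINING = timedelta(days=30)  # Training Period from the Synopsis
DEDUP = timedelta(days=7)      # Deduplication Period from the Synopsis
# Assumed paths: the default in-container mount and the kubelet's
# host-side projected volume directory.
SA_FILE = re.compile(
    r"^(/var)?/run/secrets/kubernetes\.io/serviceaccount/(token|ca\.crt|namespace)$"
    r"|^/var/lib/kubelet/pods/[^/]+/volumes/kubernetes\.io~projected/[^/]+/token$")

class FirstSeenDetector:
    def __init__(self, start):
        self.training_ends = start + TRAINING
        self.baseline = set()  # (workload, process) pairs learned in training
        self.last_alert = {}   # (workload, process) -> time of last alert

    def observe(self, ts, workload, process, path):
        """Return an alert dict or None; events must arrive in time order."""
        if not SA_FILE.match(path):
            return None
        key = (workload, process)
        if ts < self.training_ends:
            self.baseline.add(key)  # learn only, never alert
            return None
        last = self.last_alert.get(key)
        if key in self.baseline or (last and ts - last < DEDUP):
            return None
        self.last_alert[key] = ts
        return {"time": ts, "workload": workload, "process": process,
                "path": path, "severity": "Informational"}

T0 = datetime(2024, 1, 1)
SA = "/var/run/secrets/kubernetes.io/serviceaccount/"
EVENTS = [  # constructed sample events: (day offset, workload, process, path)
    (2, "payments-api", "java", SA + "token"),    # training: learned
    (31, "payments-api", "java", SA + "token"),   # baselined: no alert
    (32, "payments-api", "curl", "/run/secrets/kubernetes.io/serviceaccount/token"),  # alert
    (33, "payments-api", "curl", SA + "ca.crt"),  # inside dedup window
    (34, "payments-api", "cat", "/etc/hostname"), # not a service account file
    (40, "payments-api", "curl", SA + "token"),   # dedup expired: alert again
]

def run(events, start=T0):
    det = FirstSeenDetector(start)
    results = (det.observe(start + timedelta(days=d), w, p, f) for d, w, p, f in events)
    return [a for a in results if a]
```

Keying the baseline on the workload rather than the pod name keeps learned behaviour across pod restarts, since pod names change on every reschedule.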