
Service Account Token or Certificate Access Followed by Kubernetes API Request
Elastic Detection Rules
Summary
The rule detects unauthorized access to Kubernetes service account tokens or certificates, particularly when followed by interactive Kubernetes API requests. This pattern can indicate an adversary harvesting credentials to reach the Kubernetes API server, perform reconnaissance, and possibly move laterally within the cluster. The detection relies on Kubernetes audit logs and file access events, specifically monitoring interactions with the sensitive file paths where service account tokens and certificates are stored. A sequence-based approach correlates file accesses with subsequent API requests based on timestamps and user actions. False positives can occur when legitimate administrative actions trigger the sequence. Investigation requires a thorough review of Kubernetes events, RBAC bindings, and the associated audit logs.
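An added illustration of the sequence logic the summary describes, not Elastic's rule code: reads of a pod's service-account token or CA certificate are correlated with a following interactive API request from the same host within a short window. The event shape, the join on a `host` field, the five-minute window and the list of interactive user agents are assumptions of this example.

```python
from datetime import datetime, timedelta

# Well-known mount paths of a pod's service-account token and CA certificate.
SENSITIVE_PATHS = {
    "/var/run/secrets/kubernetes.io/serviceaccount/token",
    "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
    "/run/secrets/kubernetes.io/serviceaccount/token",
    "/run/secrets/kubernetes.io/serviceaccount/ca.crt",
}
# User agents treated as interactive (hand-driven tooling); assumption for this example.
INTERACTIVE_AGENTS = ("kubectl", "curl")

# Constructed sample events, already normalised to one shape: "file" events from
# the host sensor, "api" events from the Kubernetes audit log. Joining them on a
# "host" field is an assumption of this example (real audit entries carry the
# client's source IP, which must first be mapped back to a pod or node).
SAMPLE_EVENTS = [
    {"ts": "2026-01-21T10:00:00", "host": "node-a", "kind": "file", "path": "/var/run/secrets/kubernetes.io/serviceaccount/token", "process": "cat"},
    {"ts": "2026-01-21T10:00:05", "host": "node-a", "kind": "api", "verb": "list", "resource": "secrets", "agent": "kubectl/v1.29.0"},
    {"ts": "2026-01-21T10:30:00", "host": "node-b", "kind": "file", "path": "/etc/hosts", "process": "cat"},
    {"ts": "2026-01-21T10:30:02", "host": "node-b", "kind": "api", "verb": "get", "resource": "pods", "agent": "kubectl/v1.29.0"},
    {"ts": "2026-01-21T11:00:00", "host": "node-c", "kind": "file", "path": "/run/secrets/kubernetes.io/serviceaccount/ca.crt", "process": "curl"},
    {"ts": "2026-01-21T12:00:00", "host": "node-c", "kind": "api", "verb": "list", "resource": "pods", "agent": "curl/8.5.0"},
    {"ts": "2026-01-21T13:00:00", "host": "node-d", "kind": "file", "path": "/var/run/secrets/kubernetes.io/serviceaccount/token", "process": "controller"},
    {"ts": "2026-01-21T13:00:03", "host": "node-d", "kind": "api", "verb": "watch", "resource": "pods", "agent": "Go-http-client/2.0"},
]

def is_interactive(agent):
    return agent.split("/", 1)[0] in INTERACTIVE_AGENTS

def correlate(events, window=timedelta(minutes=5)):
    """Return (file_event, api_event) pairs: a read of a token/cert path followed
    within `window` by an interactive API request from the same host."""
    hits, pending = [], {}  # pending: host -> latest sensitive file access
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        if ev["kind"] == "file" and ev["path"] in SENSITIVE_PATHS:
            pending[ev["host"]] = ev
        elif ev["kind"] == "api" and is_interactive(ev["agent"]):
            prior = pending.get(ev["host"])
            if prior is None:
                continue
            gap = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(prior["ts"])
            if gap <= window:
                hits.append((prior, ev))
                del pending[ev["host"]]  # one alert per credential read
    return hits

if __name__ == "__main__":
    for f, a in correlate(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['process']} read {f['path']}, then {a['verb']} {a['resource']} via {a['agent']}")
```

With the sample data only node-a fires: node-b reads a non-sensitive path, node-c's request falls outside the window, and node-d's request comes from an in-cluster client library rather than interactive tooling.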
Categories
- Kubernetes
- Containers
- Cloud
- Linux
Data Sources
- Kernel
- Process
- Cloud Service
- Application Log
ATT&CK Techniques
- T1059
- T1059.004
- T1552
- T1552.001
- T1613
Created: 2026-01-21