heroui logo

GKE Service Account Modified RBAC Objects

Elastic Detection Rules

View Source
Summary
This rule detects write operations on Kubernetes RBAC objects (Roles, ClusterRoles, RoleBindings, ClusterRoleBindings) performed by Google Kubernetes Engine (GKE) service accounts, based on GCP audit logs (gcp.audit). Since service accounts are not typically responsible for managing RBAC, such activity can indicate token abuse or unauthorized privilege escalation. The rule filters for service accounts whose emails match system:serviceaccount:* but excludes known legitimate accounts (e.g., kube-system clusterrole-aggregation-controller and generic-garbage-collector). It triggers when a GCP audit event shows successful actions on RBAC resources including create, delete, patch, or update for clusterroles/roles and their corresponding bindings. The rule maps to MITRE ATT&CK techniques for Privilege Escalation and Account Manipulation (with a subtechnique for container cluster roles), and to the Persistence tactic in some contexts. It requires the GCP Fleet integration with GKE audit logs. For investigation, examine fields such as client.user.email, event.action, and gcp.audit.resource_name, correlate with the workload, recent image changes, or exec activity, and cross-reference with change tickets or GitOps commits. False positives may arise from in-cluster controllers, operators, and CI jobs that reconcile RBAC manifests, so baseline known automation accounts should be reviewed. Remediation includes reverting unauthorized RBAC changes, rotating credentials, and tightening RBAC for the workload.
Categories
  • Cloud
  • Kubernetes
  • Containers
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1098
  • T1098.006
Created: 2026-07-10