Service Account Token or Certificate Access Followed by Kubernetes API Request

Last updated 7 days ago on 2026-01-27

Created 13 days ago on 2026-01-21

About

This rule leverages a combination of Defend for Containers and Kubernetes audit logs to detect the access to the service account token or certificate followed by the execution of a direct interactive Kubernetes API request. An adversary may need to access the service account token or certificate to gain access to the Kubernetes API server or other resources within the cluster. These requests are often used to enumerate the Kubernetes API server or other resources within the cluster, and may indicate an attempt to move laterally within the cluster.

Tags

Data Source: Elastic Defend for ContainersData Source: KubernetesDomain: ContainerDomain: KubernetesOS: LinuxUse Case: Threat DetectionTactic: ExecutionTactic: Credential AccessTactic: DiscoveryLanguage: eql

Severity

medium

Risk Score

MITRE ATT&CK™

Execution (TA0002)(external, opens in a new tab or window)

↳ Command and Scripting Interpreter (T1059)(external, opens in a new tab or window)

Credential Access (TA0006)(external, opens in a new tab or window)

↳ Unsecured Credentials (T1552)(external, opens in a new tab or window)

Discovery (TA0007)(external, opens in a new tab or window)

↳ Container and Resource Discovery (T1613)(external, opens in a new tab or window)

False Positive Examples

There is a potential for false positives if the access to the service account token or certificate is used for legitimate purposes, such as debugging or troubleshooting. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity. There is a risk of false positives if there are several containers named the same, as the rule may correlate the request to the wrong container.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-cloud_defend.file*logs-kubernetes.audit_logs-*

Related Integrations

cloud_defend(external, opens in a new tab or window)

kubernetes(external, opens in a new tab or window)

Query

✄𐘗text code block:
✄𐘗sequence with maxspan=60s
  [file where host.os.type == "linux" and event.type == "change" and event.action == "open" and
   file.path in ("/var/run/secrets/kubernetes.io/serviceaccount/token", "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt") and
   process.interactive == true and container.id like "*"] by orchestrator.resource.name
  [any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted")] by `kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name`

Install detection rules in Elastic Security

Detect Service Account Token or Certificate Access Followed by Kubernetes API Request in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).