Privilege Escalation (TA0004)(external, opens in a new tab or window)
text code block:data_stream.dataset:gcp.audit and service.name:"k8s.io" and event.outcome:success and event.action:"io.k8s.core.v1.pods.create" and gcp.audit.request.metadata.namespace:"kube-system" and gcp.audit.request.spec.serviceAccountName:( attachdetach-controller or certificate-controller or cloud-provider or clusterrole-aggregation-controller or cronjob-controller or daemon-set-controller or deployment-controller or disruption-controller or endpoint-controller or expand-controller or generic-garbage-collector or horizontal-pod-autoscaler or job-controller or namespace-controller or node-controller or persistent-volume-binder or pod-garbage-collector or pv-protection-controller or pvc-protection-controller or replicaset-controller or replication-controller or resourcequota-controller or root-ca-cert-publisher or route-controller or service-account-controller or service-controller or statefulset-controller or ttl-controller )
Install detection rules in Elastic Security
Detect GKE Suspicious Assignment of Controller Service Account in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).