Kubernetes service account token created in container
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
What happened
A kubectl
command was used to create a new service account token, potentially to establish persistence or escalate privileges.
Goal
Detect the use of kubectl
commands inside a container to create a new service account token.
Strategy
This detection triggers when kubectl
is executed with specific arguments related to creating a new service account token.
Triage and response
- Identify the purpose and scope of the service account.
- Confirm if the service account token being created is authorized.
- Determine the resources involved, such as new containers.
- Initiate the incident response process.
- Remediate compromised resources and repair the root cause.
Requires Agent version 7.27 or greater