This rule detects when a service account or node attempts to enumerate their own permissions via the selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities like service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to determine what privileges they have to facilitate further movement or execution within the cluster.
Rule type: query
Risk score: 47
Runs every: 5 minutes
Maximum alerts per execution: 100
- Continuous Monitoring
- Discovery Added (Elastic Stack release): 8.4.0
Last modified (Elastic Stack release): 8.4.0
Rule authors: Elastic
Rule license: Elastic License v2
An administrator may submit this request as an "impersonatedUser" to determine what privileges a particular service account has been granted. However, an adversary may utilize the same technique as a means to determine the privileges of another token other than that of the compromised account.
kubernetes.audit.verb:"create" and kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews") and kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*) or kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*)