INFO
Source
Tracee
ID
TRC-8
Version
0.1.0
Date
28 Jun 2022

K8s Service Account Token Use Detected

The Kubernetes service account token file was read inside your container. This token authenticates the pod to the Kubernetes API server; an adversary who obtains it may query the API server to gather information or further credentials, or even launch additional containers and expand laterally across your cluster. Note that this event fires on any read of the token, including legitimate ones by the workload itself, so treat it as a signal to correlate rather than a confirmed compromise.

MITRE ATT&CK

Credential Access: Credentials from Password Stores

Rego Policy

package tracee.TRC_8

import data.tracee.helpers

# Signature metadata consumed by the Tracee signature loader. The id/version
# here should stay in sync with the page header (TRC-8, 0.1.0) and the
# description with the human-readable summary above it.
__rego_metadoc__ := {
	"id": "TRC-8",
	"version": "0.1.0",
	"name": "K8S Service Account Token Use Detected",
	"description": "The Kubernetes service account token file was read on your container. This token is used to communicate with the K8S API server, Adversaries may try and communicate with the API server to gather information/credentials, or even run more containers and laterally expand their grip on your systems.",
	# Restricts the signature to events whose origin is a container.
	"tags": ["container"],
	"properties": {
		# Presumably the lowest level on Tracee's severity scale -- a token read
		# is routine for many workloads, so this is informational -- TODO confirm.
		"Severity": 0,
		# NOTE(review): reading a mounted SA token file arguably maps closer to
		# Unsecured Credentials (T1552) than to Credentials from Password Stores
		# (T1555); worth revisiting the ATT&CK mapping.
		"MITRE ATT&CK": "Credential Access: Credentials from Password Stores",
	},
}

# The single event type this signature subscribes to: security_file_open
# events emitted by Tracee for processes running inside a container. Host
# processes reading the same path are out of scope.
eventSelectors := [{"source": "tracee", "name": "security_file_open", "origin": "container"}]

# Exposes eventSelectors as the set the Tracee engine queries to decide which
# events to route to this signature.
tracee_selected_events[selector] {
	some i
	selector := eventSelectors[i]
}

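# tracee_match is true when a process inside a container opens the mounted
# service-account token for reading and is not a known cluster component.
#
# Limitations a responder should keep in mind:
#   - only the default mount (…/secrets/kubernetes.io/serviceaccount/…) is
#     recognised; tokens projected to a custom path are not caught;
#   - the allowlist is keyed on the process name, which the process itself
#     controls (argv[0], PR_SET_NAME), so it reduces noise but is not a
#     trust boundary.
tracee_match {
	input.eventName == "security_file_open"

	# Only opens that can read the file are of interest; flag decoding is
	# delegated to the shared helper.
	flags := helpers.get_tracee_argument("flags")
	helpers.is_file_read(flags)

	pathname := helpers.get_tracee_argument("pathname")

	# Match on the directory substring rather than an exact path because the
	# kubelet typically exposes the token through symlinks into ..data/ and
	# timestamped sibling directories. Anchoring the suffix on "/token" (not the
	# bare "token") keeps other files whose names merely end in "token" from
	# triggering.
	contains(pathname, "secrets/kubernetes.io/serviceaccount")
	endswith(pathname, "/token")

	# Cluster components that read the token as part of normal operation.
	# NOTE(review): compared exactly against input.processName, which is
	# presumably the kernel comm (15 bytes); "kube-controller" then covers
	# kube-controller-manager by truncation -- confirm against Tracee's field.
	process_names_allowlist := {"flanneld", "kube-proxy", "etcd", "kube-apiserver", "coredns", "kube-controller", "kubectl"}
	not process_names_allowlist[input.processName]
}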