T1098.006

Additional Container Cluster Roles

An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account. Where ABAC is in use, an adversary may modify a Kubernetes ABAC policy to give the target account additional permissions. This technique may also be used in conjunction with cloud-based RBAC assignments in managed Kubernetes services such as GKE, EKS, and AKS.

Microsoft Sentinel / Defender

kusto

// Detect creation or modification of Kubernetes RBAC bindings and privilege escalation in container clusters
// Covers Azure Kubernetes Service (AKS) via AzureActivity and AzureDiagnostics, plus Defender for Containers
let SuspiciousRBACOperations = dynamic([
  "Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterrolebindings/write",
  "Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/rolebindings/write",
  "Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterroles/write",
  "Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/roles/write"
]);
let HighPrivilegeRoles = dynamic([
  "cluster-admin", "admin", "edit", "system:masters"
]);
// AKS Control Plane Audit Logs
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "kube-audit" or Category == "kube-audit-admin"
| extend LogEntry = parse_json(log_s)
| extend
    Verb = tostring(LogEntry.verb),
    Resource = tostring(LogEntry.objectRef.resource),
    ResourceName = tostring(LogEntry.objectRef.name),
    Namespace = tostring(LogEntry.objectRef.namespace),
    UserName = tostring(LogEntry.user.username),
    UserGroups = tostring(LogEntry.user.groups),
    SourceIP = tostring(LogEntry.sourceIPs[0]),
    UserAgent = tostring(LogEntry.userAgent),
    RequestURI = tostring(LogEntry.requestURI),
    ResponseCode = toint(LogEntry.responseStatus.code)
| where Verb in ("create", "update", "patch")
| where Resource in ("clusterrolebindings", "rolebindings", "clusterroles", "roles")
| where ResponseCode between (200 .. 299)
| extend RequestObject = tostring(LogEntry.requestObject)
| extend IsSensitiveRole = RequestObject has_any (HighPrivilegeRoles)
| extend IsServiceAccount = UserName startswith "system:serviceaccount:"
| extend IsSystemUser = UserName startswith "system:"
| where not (IsSystemUser and not IsServiceAccount)
| project
    TimeGenerated,
    Verb,
    Resource,
    ResourceName,
    Namespace,
    UserName,
    UserGroups,
    SourceIP,
    UserAgent,
    IsSensitiveRole,
    IsServiceAccount,
    RequestObject,
    ResponseCode,
    ResourceId
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Azure Kubernetes Service Audit Logs AzureDiagnostics (kube-audit category) Azure Activity Logs

Required Tables

AzureDiagnostics AzureActivity

False Positives

Legitimate cluster administrators creating or updating RBAC bindings as part of normal operations or infrastructure-as-code deployments (Terraform, Helm, ArgoCD)
CI/CD pipelines (GitHub Actions, Jenkins, GitLab CI) that apply RBAC manifests during application deployment
Kubernetes operators and controllers (e.g., cert-manager, Prometheus operator) that create their own service account role bindings during installation
Cluster upgrades or managed add-on installations by the cloud provider that temporarily create or modify RBAC objects

Splunk

spl

index=kubernetes sourcetype=kube:apiserver:audit OR sourcetype="kube-audit"
| spath input=_raw
| eval verb=lower(coalesce(verb, 'unknown'))
| eval resource=lower(coalesce('objectRef.resource', 'unknown'))
| eval resourceName=coalesce('objectRef.name', 'unknown')
| eval namespace=coalesce('objectRef.namespace', 'cluster-scoped')
| eval username=coalesce('user.username', 'unknown')
| eval sourceIP=coalesce('sourceIPs{}'.'sourceIPs[0]', sourceIPs, 'unknown')
| eval userAgent=coalesce(userAgent, 'unknown')
| eval responseCode=coalesce('responseStatus.code', 0)
| eval requestObject=coalesce(requestObject, '')
| where verb IN ("create", "update", "patch")
| where resource IN ("clusterrolebindings", "rolebindings", "clusterroles", "roles")
| where responseCode >= 200 AND responseCode < 300
| eval IsSensitiveRole=if(match(requestObject, "(?i)(cluster-admin|system:masters|cluster-admin|admin|system:node-admin)"), 1, 0)
| eval IsServiceAccount=if(match(username, "^system:serviceaccount:"), 1, 0)
| eval IsSystemComponent=if(match(username, "^system:") AND NOT match(username, "^system:serviceaccount:"), 1, 0)
| eval IsClusterScoped=if(resource="clusterrolebindings" OR resource="clusterroles", 1, 0)
| where IsSystemComponent=0
| eval RiskScore=IsSensitiveRole*3 + IsClusterScoped*2 + IsServiceAccount
| table _time, verb, resource, resourceName, namespace, username, sourceIP, userAgent, IsSensitiveRole, IsServiceAccount, IsClusterScoped, RiskScore, requestObject
| sort - RiskScore, - _time

high severity medium confidence

Data Sources

Kubernetes API Server Audit Logs kube-apiserver audit Cloud Provider Kubernetes Audit Logs

Required Sourcetypes

kube:apiserver:audit kube-audit

False Positives

Legitimate cluster administrators creating or updating RBAC bindings as part of normal operations or infrastructure-as-code deployments (Terraform, Helm, ArgoCD)
CI/CD pipelines (GitHub Actions, Jenkins, GitLab CI) that apply RBAC manifests during application deployment
Kubernetes operators and controllers (e.g., cert-manager, Prometheus operator) that create their own service account role bindings during installation
Cluster upgrades or managed add-on installations by the cloud provider that temporarily create or modify RBAC objects

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username,
  sourceip,
  "KubeVerb",
  "KubeResource",
  "KubeResourceName",
  "KubeNamespace",
  LONG("KubeResponseCode") AS ResponseCode,
  CASE
    WHEN "KubeRequestObject" ILIKE '%cluster-admin%'
      OR "KubeRequestObject" ILIKE '%system:masters%'
      OR "KubeRequestObject" ILIKE '%system:node-admin%'
    THEN 'true' ELSE 'false'
  END AS IsSensitiveRole,
  CASE
    WHEN username ILIKE 'system:serviceaccount:%' THEN 'true' ELSE 'false'
  END AS IsServiceAccount,
  CASE
    WHEN LOWER("KubeResource") IN ('clusterrolebindings', 'clusterroles') THEN 'true' ELSE 'false'
  END AS IsClusterScoped,
  UTF8(payload) AS RawPayload
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Kubernetes%'
  AND LOWER("KubeVerb") IN ('create', 'update', 'patch')
  AND LOWER("KubeResource") IN ('clusterrolebindings', 'rolebindings', 'clusterroles', 'roles')
  AND LONG("KubeResponseCode") BETWEEN 200 AND 299
  AND NOT (
    username ILIKE 'system:%'
    AND username NOT ILIKE 'system:serviceaccount:%'
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

QRadar Kubernetes DSM (kube-apiserver audit log via syslog or file) QRadar Log Source Extension parsing kube-audit JSON AKS diagnostic logs forwarded via Event Hub to QRadar EKS CloudWatch Logs forwarded to QRadar via S3 or API

Required Tables

events

False Positives

Legitimate cluster-admin users configuring RBAC during initial cluster setup, namespace provisioning, or compliance-driven access reviews
Automated deployment pipelines (Jenkins, Tekton, GitHub Actions) that use a service account with elevated permissions to install Helm charts containing RBAC resources
Managed Kubernetes add-ons (AWS Load Balancer Controller, GKE Config Connector, Azure Policy) that create and update their own cluster roles during installation and upgrades

Sumo Logic CSE

sql

_sourceCategory=kubernetes/audit OR _sourceCategory=*kube*audit*
| json field=_raw "verb" as verb nodrop
| json field=_raw "objectRef.resource" as resource nodrop
| json field=_raw "objectRef.name" as resourceName nodrop
| json field=_raw "objectRef.namespace" as namespace nodrop
| json field=_raw "user.username" as username nodrop
| json field=_raw "sourceIPs[0]" as sourceIP nodrop
| json field=_raw "userAgent" as userAgent nodrop
| json field=_raw "responseStatus.code" as responseCode nodrop
| json field=_raw "requestObject" as requestObject nodrop
| where verb in ("create", "update", "patch")
| where resource in ("clusterrolebindings", "rolebindings", "clusterroles", "roles")
| where responseCode >= 200 and responseCode < 300
| where !(username matches "system:*" and !(username matches "system:serviceaccount:*"))
| if(requestObject matches "*cluster-admin*" or requestObject matches "*system:masters*" or requestObject matches "*system:node-admin*" or requestObject matches "*admin*", 1, 0) as isSensitiveRole
| if(username matches "system:serviceaccount:*", 1, 0) as isServiceAccount
| if(resource = "clusterrolebindings" or resource = "clusterroles", 1, 0) as isClusterScoped
| (isSensitiveRole * 3 + isClusterScoped * 2 + isServiceAccount) as riskScore
| fields _messageTime, verb, resource, resourceName, namespace, username, sourceIP, userAgent, isSensitiveRole, isServiceAccount, isClusterScoped, riskScore, requestObject
| sort by riskScore desc, _messageTime desc

high severity high confidence

Data Sources

Kubernetes audit logs collected via Sumo Logic Kubernetes Collection Helm chart Fluentd or Fluent Bit DaemonSet forwarding kube-apiserver audit logs to Sumo Logic HTTP Source EKS audit logs via CloudWatch Logs subscription to Sumo Logic GKE audit logs via Cloud Logging export to Sumo Logic

Required Tables

_sourceCategory=kubernetes/audit

False Positives

Cluster provisioning automation (Terraform, Pulumi, eksctl) that creates default RBAC bindings for managed node groups and system components during cluster creation
Service mesh installations (Istio, Linkerd, Cilium) that create numerous ClusterRoles and bindings for their control plane components during initial deployment
Development and staging environments where developers have broad permissions and frequently iterate on RBAC configurations as part of application development workflows

Google Chronicle / SecOps

yaral

rule kubernetes_rbac_binding_creation_t1098_006 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects creation or modification of Kubernetes RBAC role bindings and cluster role bindings, indicating potential persistent access establishment via T1098.006. Covers GKE audit logs and generic Kubernetes audit sources ingested into Chronicle."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1098.006"
    mitre_attack_technique_name = "Additional Container Cluster Roles"
    severity = "HIGH"
    confidence = "MEDIUM"
    priority = "HIGH"
    platform = "Kubernetes, GKE, EKS, AKS"
    created = "2025-01-01"
    version = "1.0"

  events:
    $e.metadata.event_type = "RESOURCE_WRITTEN"
    $e.target.resource.type in (
      "clusterrolebindings",
      "rolebindings",
      "clusterroles",
      "roles"
    )
    $e.security_result.action = "ALLOW"
    $e.network.http.response_code >= 200
    $e.network.http.response_code < 300
    $e.network.http.method in ("POST", "PUT", "PATCH")
    (
      not re.match($e.principal.user.userid, `^system:`)
      or re.match($e.principal.user.userid, `^system:serviceaccount:`)
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

GKE Kubernetes audit logs via Google Cloud Logging -> Chronicle Chronicle Kubernetes log ingestion (log type: KUBERNETES_AUDIT) Chronicle GCP audit log ingestion (log type: GCP_CLOUDAUDIT) AKS and EKS audit logs forwarded to Chronicle via custom log feeds

Required Tables

KUBERNETES_AUDIT GCP_CLOUDAUDIT

False Positives

GKE Autopilot and node auto-provisioning operations that create and bind roles for managed infrastructure components automatically during node pool scaling events
Google Config Connector, Crossplane, or other cloud resource controllers that create RBAC resources when provisioning cloud-native Kubernetes resources
Legitimate break-glass or incident response procedures where on-call engineers temporarily grant elevated cluster permissions, which should be tracked via a parallel change management system

CrowdStrike LogScale (CQL)

cql

// Kubernetes RBAC binding creation and modification — T1098.006
// Covers CrowdStrike Falcon Kubernetes Protection Agent (KPA) events
// and raw Kubernetes audit log ingestion into LogScale

#event_simpleName = /K8s/ OR (verb != null AND "objectRef.resource" != null)
| verb := lower(coalesce(verb, ""))
| resource := lower(coalesce("objectRef.resource", ResourceKind, ""))
| username := coalesce("user.username", UserName, "unknown")
| responseCode := toNumber(coalesce("responseStatus.code", ResponseCode, "0"), default=0)
| resourceName := coalesce("objectRef.name", ResourceName, "unknown")
| namespace := coalesce("objectRef.namespace", Namespace, "cluster-scoped")
| sourceIP := coalesce("sourceIPs[0]", SourceIP, "unknown")
| requestObject := coalesce(requestObject, RequestObject, "")
| userAgent := coalesce(userAgent, UserAgent, "unknown")
| verb = /^(create|update|patch)$/
| resource = /^(clusterrolebindings|rolebindings|clusterroles|roles)$/
| responseCode >= 200
| responseCode < 300
| isSystemUser := if(username = /^system:/, 1, 0)
| isServiceAccount := if(username = /^system:serviceaccount:/, 1, 0)
| where isSystemUser = 0 OR isServiceAccount = 1
| isSensitiveRole := if(requestObject = /cluster-admin|system:masters|system:node-admin/, 1, 0)
| isClusterScoped := if(resource = /^cluster/, 1, 0)
| riskScore := (isSensitiveRole * 3) + (isClusterScoped * 2) + isServiceAccount
| select([@timestamp, verb, resource, resourceName, namespace, username, sourceIP, userAgent, isSensitiveRole, isServiceAccount, isClusterScoped, riskScore, requestObject])
| sort(riskScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Kubernetes Protection Agent (KPA) events Kubernetes audit logs ingested directly into CrowdStrike LogScale Falcon Data Replicator (FDR) Kubernetes audit event stream EKS, GKE, or AKS audit logs forwarded to LogScale via HEC or S3 ingest

Required Tables

falcon:k8s:audit main

False Positives

CrowdStrike Falcon sensor admission controller and Kubernetes Protection Agent itself creates ClusterRoles and bindings during its own installation and periodic reconciliation
Cluster autoscaler, Karpenter, or Cluster API controllers that create or modify node-group service account bindings when scaling workloads
Multi-tenant platform teams using namespace-scoped RoleBindings to delegate access to application teams as part of a standard, policy-driven RBAC provisioning workflow

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1098.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1098Account Manipulation

Related Sub-techniques

T1098.001Additional Cloud Credentials T1098.002Additional Email Delegate Permissions T1098.003Additional Cloud Roles T1098.004SSH Authorized Keys T1098.005Device Registration T1098.007Additional Local or Domain Groups

Additional Container Cluster Roles

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections