Detect Additional Container Cluster Roles in CrowdStrike LogScale
An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account. Where ABAC is in use, an adversary may modify a Kubernetes ABAC policy to give the target account additional permissions. This technique may also be used in conjunction with cloud-based RBAC assignments in managed Kubernetes services such as GKE, EKS, and AKS.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1098 Account Manipulation
- Sub-technique
- T1098.006 Additional Container Cluster Roles
- Canonical reference
- https://attack.mitre.org/techniques/T1098/006/
LogScale Detection Query
// Kubernetes RBAC binding creation and modification — T1098.006
// Covers CrowdStrike Falcon Kubernetes Protection Agent (KPA) events
// and raw Kubernetes audit log ingestion into LogScale
#event_simpleName = /K8s/ OR (verb != null AND "objectRef.resource" != null)
| verb := lower(coalesce(verb, ""))
| resource := lower(coalesce("objectRef.resource", ResourceKind, ""))
| username := coalesce("user.username", UserName, "unknown")
| responseCode := toNumber(coalesce("responseStatus.code", ResponseCode, "0"), default=0)
| resourceName := coalesce("objectRef.name", ResourceName, "unknown")
| namespace := coalesce("objectRef.namespace", Namespace, "cluster-scoped")
| sourceIP := coalesce("sourceIPs[0]", SourceIP, "unknown")
| requestObject := coalesce(requestObject, RequestObject, "")
| userAgent := coalesce(userAgent, UserAgent, "unknown")
| verb = /^(create|update|patch)$/
| resource = /^(clusterrolebindings|rolebindings|clusterroles|roles)$/
| responseCode >= 200
| responseCode < 300
| isSystemUser := if(username = /^system:/, 1, 0)
| isServiceAccount := if(username = /^system:serviceaccount:/, 1, 0)
| where isSystemUser = 0 OR isServiceAccount = 1
| isSensitiveRole := if(requestObject = /cluster-admin|system:masters|system:node-admin/, 1, 0)
| isClusterScoped := if(resource = /^cluster/, 1, 0)
| riskScore := (isSensitiveRole * 3) + (isClusterScoped * 2) + isServiceAccount
| select([@timestamp, verb, resource, resourceName, namespace, username, sourceIP, userAgent, isSensitiveRole, isServiceAccount, isClusterScoped, riskScore, requestObject])
| sort(riskScore, order=desc)CrowdStrike LogScale query detecting Kubernetes RBAC role and binding mutations from Falcon Kubernetes Protection Agent (KPA) telemetry or raw kube-apiserver audit log ingestion. Normalises field names across both CrowdStrike-native Kubernetes event schema and raw audit log JSON. Applies weighted risk scoring to surface cluster-admin bindings, cluster-scoped resources, and service account escalations. The regex filter excludes pure system component writes while retaining service account mutations as these are commonly abused for persistent workload privilege escalation.
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike Falcon sensor admission controller and Kubernetes Protection Agent itself creates ClusterRoles and bindings during its own installation and periodic reconciliation
- Cluster autoscaler, Karpenter, or Cluster API controllers that create or modify node-group service account bindings when scaling workloads
- Multi-tenant platform teams using namespace-scoped RoleBindings to delegate access to application teams as part of a standard, policy-driven RBAC provisioning workflow
Other platforms for T1098.006
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Privileged ClusterRoleBinding for Service Account
Expected signal: Kubernetes API server audit log: verb=create, objectRef.resource=clusterrolebindings, objectRef.name=attacker-cluster-admin-binding, responseStatus.code=201. Second audit event for serviceaccounts create. The requestObject will contain roleRef.name=cluster-admin and subjects referencing the service account.
- Test 2Create Namespace-Scoped RoleBinding for External User
Expected signal: Kubernetes API server audit log: verb=create, objectRef.resource=rolebindings, objectRef.namespace=attacker-test-ns, objectRef.name=attacker-ns-admin-binding, responseStatus.code=201. The requestObject includes roleRef.name=admin and subjects with kind=User and [email protected].
- Test 3Modify Existing ClusterRole to Add Wildcard Permissions
Expected signal: Kubernetes API server audit log: verb=patch, objectRef.resource=clusterroles, objectRef.name=attacker-test-role, responseStatus.code=200. The requestObject contains JSON patch operations adding wildcard rules. This differs from 'create' operations and may be missed by detections that only look for verb=create.
- Test 4Create ABAC Policy Entry via ConfigMap Modification
Expected signal: Kubernetes API server audit log: verb=create, objectRef.resource=configmaps, objectRef.name=attacker-abac-policy. If this were a real kube-system ABAC policy modification: verb=update/patch, objectRef.resource=configmaps, objectRef.namespace=kube-system. The ConfigMap data contains ABAC policy JSON granting wildcard permissions.
References (12)
- https://attack.mitre.org/techniques/T1098/006/
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- https://kubernetes.io/docs/reference/access-authn-authz/abac/
- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
- https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
- https://cloud.google.com/kubernetes-engine/docs/how-to/iam
- https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
- https://learn.microsoft.com/en-us/azure/aks/concepts-identity
- https://learn.microsoft.com/en-us/azure/aks/monitor-aks
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.006/T1098.006.md
- https://www.cncf.io/blog/2021/07/06/practical-approach-to-kubernetes-audit-logging/
- https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html
Unlock Pro Content
Get the full detection package for T1098.006 including response playbook, investigation guide, and atomic red team tests.