T1098.006 Microsoft Sentinel · KQL

Detect Additional Container Cluster Roles in Microsoft Sentinel

An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account. Where ABAC is in use, an adversary may modify a Kubernetes ABAC policy to give the target account additional permissions. This technique may also be used in conjunction with cloud-based RBAC assignments in managed Kubernetes services such as GKE, EKS, and AKS.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1098 Account Manipulation
Sub-technique
T1098.006 Additional Container Cluster Roles
Canonical reference
https://attack.mitre.org/techniques/T1098/006/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// Detect creation or modification of Kubernetes RBAC bindings and privilege escalation in container clusters
// Covers Azure Kubernetes Service (AKS) via AzureActivity and AzureDiagnostics, plus Defender for Containers
let SuspiciousRBACOperations = dynamic([
  "Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterrolebindings/write",
  "Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/rolebindings/write",
  "Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterroles/write",
  "Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/roles/write"
]);
let HighPrivilegeRoles = dynamic([
  "cluster-admin", "admin", "edit", "system:masters"
]);
// AKS Control Plane Audit Logs
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "kube-audit" or Category == "kube-audit-admin"
| extend LogEntry = parse_json(log_s)
| extend
    Verb = tostring(LogEntry.verb),
    Resource = tostring(LogEntry.objectRef.resource),
    ResourceName = tostring(LogEntry.objectRef.name),
    Namespace = tostring(LogEntry.objectRef.namespace),
    UserName = tostring(LogEntry.user.username),
    UserGroups = tostring(LogEntry.user.groups),
    SourceIP = tostring(LogEntry.sourceIPs[0]),
    UserAgent = tostring(LogEntry.userAgent),
    RequestURI = tostring(LogEntry.requestURI),
    ResponseCode = toint(LogEntry.responseStatus.code)
| where Verb in ("create", "update", "patch")
| where Resource in ("clusterrolebindings", "rolebindings", "clusterroles", "roles")
| where ResponseCode between (200 .. 299)
| extend RequestObject = tostring(LogEntry.requestObject)
| extend IsSensitiveRole = RequestObject has_any (HighPrivilegeRoles)
| extend IsServiceAccount = UserName startswith "system:serviceaccount:"
| extend IsSystemUser = UserName startswith "system:"
| where not (IsSystemUser and not IsServiceAccount)
| project
    TimeGenerated,
    Verb,
    Resource,
    ResourceName,
    Namespace,
    UserName,
    UserGroups,
    SourceIP,
    UserAgent,
    IsSensitiveRole,
    IsServiceAccount,
    RequestObject,
    ResponseCode,
    ResourceId
| sort by TimeGenerated desc
high severity medium confidence

Detects creation or modification of Kubernetes RBAC objects (ClusterRoleBindings, RoleBindings, ClusterRoles, Roles) via AKS audit logs in AzureDiagnostics. Identifies privilege escalation attempts including binding to high-privilege roles such as cluster-admin. Filters out expected system-level operations while flagging service account modifications and sensitive role bindings. Requires AKS diagnostic settings with kube-audit or kube-audit-admin category enabled and sent to Log Analytics.

Data Sources

Azure Kubernetes Service Audit LogsAzureDiagnostics (kube-audit category)Azure Activity Logs

Required Tables

AzureDiagnosticsAzureActivity

False Positives & Tuning

  • Legitimate cluster administrators creating or updating RBAC bindings as part of normal operations or infrastructure-as-code deployments (Terraform, Helm, ArgoCD)
  • CI/CD pipelines (GitHub Actions, Jenkins, GitLab CI) that apply RBAC manifests during application deployment
  • Kubernetes operators and controllers (e.g., cert-manager, Prometheus operator) that create their own service account role bindings during installation
  • Cluster upgrades or managed add-on installations by the cloud provider that temporarily create or modify RBAC objects
Download portable Sigma rule (.yml)

Other platforms for T1098.006

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Privileged ClusterRoleBinding for Service Account

    Expected signal: Kubernetes API server audit log: verb=create, objectRef.resource=clusterrolebindings, objectRef.name=attacker-cluster-admin-binding, responseStatus.code=201. Second audit event for serviceaccounts create. The requestObject will contain roleRef.name=cluster-admin and subjects referencing the service account.

  2. Test 2Create Namespace-Scoped RoleBinding for External User

    Expected signal: Kubernetes API server audit log: verb=create, objectRef.resource=rolebindings, objectRef.namespace=attacker-test-ns, objectRef.name=attacker-ns-admin-binding, responseStatus.code=201. The requestObject includes roleRef.name=admin and subjects with kind=User and [email protected].

  3. Test 3Modify Existing ClusterRole to Add Wildcard Permissions

    Expected signal: Kubernetes API server audit log: verb=patch, objectRef.resource=clusterroles, objectRef.name=attacker-test-role, responseStatus.code=200. The requestObject contains JSON patch operations adding wildcard rules. This differs from 'create' operations and may be missed by detections that only look for verb=create.

  4. Test 4Create ABAC Policy Entry via ConfigMap Modification

    Expected signal: Kubernetes API server audit log: verb=create, objectRef.resource=configmaps, objectRef.name=attacker-abac-policy. If this were a real kube-system ABAC policy modification: verb=update/patch, objectRef.resource=configmaps, objectRef.namespace=kube-system. The ConfigMap data contains ABAC policy JSON granting wildcard permissions.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1098.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1098Account Manipulation

Related Sub-techniques

T1098.001Additional Cloud CredentialsT1098.002Additional Email Delegate PermissionsT1098.003Additional Cloud RolesT1098.004SSH Authorized KeysT1098.005Device RegistrationT1098.007Additional Local or Domain Groups

Related Techniques

T1098Account ManipulationT1098.003Additional Cloud RolesT1136Create AccountT1078Valid AccountsT1078.004Cloud AccountsT1610Deploy ContainerT1613Container and Resource DiscoveryT1552.007Container APIT1525Implant Internal Image

Same Tactic: Persistence

Popular Detections