title: Additional Container Cluster Roles (T1098.006)
id: df00tech-t1098-006
status: experimental
description: "An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account. Where ABAC is in use, an adversary may modify a Kubernetes ABAC policy to give the target account additional permissions. This technique may also be used in conjunction with cloud-based RBAC assignments in managed Kubernetes services such as GKE, EKS, and AKS."
references:
  - https://attack.mitre.org/techniques/T1098/006/
  - https://df00tech.com/detections/T1098.006
author: df00tech
date: 2026/04/13
tags:
  - attack.t1098.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate cluster administrators creating or updating RBAC bindings as part of normal operations or infrastructure-as-code deployments (Terraform, Helm, ArgoCD)"
  - "CI/CD pipelines (GitHub Actions, Jenkins, GitLab CI) that apply RBAC manifests during application deployment"
  - "Kubernetes operators and controllers (e.g., cert-manager, Prometheus operator) that create their own service account role bindings during installation"
  - "Cluster upgrades or managed add-on installations by the cloud provider that temporarily create or modify RBAC objects"
level: high

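The rule above ships only a placeholder selection, so the following is an added worked example of the detection logic, written for this page and not taken from the df00tech rule or its KQL/SPL query. It reads Kubernetes audit events (the `audit.k8s.io/v1` JSON-lines format that kube-apiserver writes and that AKS exports under the kube-audit diagnostic category), keeps successful `create`/`update`/`patch` calls on RoleBindings and ClusterRoleBindings, and grades each by the role granted and by whether the caller added itself to the subjects, which is the self-persistence pattern the description calls out. The privileged-role list, the automation allowlist and the five sample events are all constructed assumptions; tune the first two to your cluster.

```python
"""Triage RBAC-binding writes in Kubernetes audit logs (T1098.006).

Added example, not the df00tech rule's own logic. Input: audit.k8s.io/v1 events
as JSON lines. roleRef/subjects come from requestObject, which exists only when
the audit policy logs RBAC resources at level Request or RequestResponse.
"""
import json

BINDING_RESOURCES = {"rolebindings", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch"}
HIGH_PRIV_ROLES = {"cluster-admin", "admin", "edit"}  # assumed starting list
# Identities expected to write bindings (addon manager, IaC controllers).
# Assumed allowlist: fill from your cluster, never allowlist "system:*" wholesale.
KNOWN_AUTOMATION = {
    "system:addon-manager",
    "system:serviceaccount:argocd:argocd-application-controller",
}


def subject_identity(subject):
    """Map a binding subject to the username the API server logs for it."""
    if subject.get("kind") == "ServiceAccount":
        return f"system:serviceaccount:{subject.get('namespace', '')}:{subject.get('name', '')}"
    return subject.get("name", "")  # User and Group subjects are logged by bare name


def classify(event):
    """Return a finding for a successful RBAC-binding write, else None."""
    ref = event.get("objectRef") or {}
    if (event.get("stage") != "ResponseComplete"
            or event.get("verb") not in WRITE_VERBS
            or ref.get("resource") not in BINDING_RESOURCES):
        return None
    if not 200 <= (event.get("responseStatus") or {}).get("code", 0) < 300:
        return None  # denied attempts are worth hunting but grant no persistence

    user = event.get("user") or {}
    actor = user.get("username", "")
    body = event.get("requestObject") or {}  # a patch body carries only changed fields
    role = (body.get("roleRef") or {}).get("name")
    subjects = {subject_identity(s) for s in body.get("subjects", [])}

    level, reasons = "medium", []
    if ref["resource"] == "clusterrolebindings" or role in HIGH_PRIV_ROLES:
        level = "high"
        reasons.append(f"grants {role or 'unknown role'} via {ref['resource']}")
    # Self-grant: the caller is a subject directly or through one of its groups.
    if actor in subjects or subjects & set(user.get("groups", [])):
        level = "critical"
        reasons.append("caller granted a role to itself")
    impersonated = (event.get("impersonatedUser") or {}).get("username")
    if impersonated:
        reasons.append(f"performed while impersonating {impersonated}")
    return {"actor": actor, "verb": event["verb"], "resource": ref["resource"],
            "name": ref.get("name"), "namespace": ref.get("namespace"), "role": role,
            "subjects": sorted(subjects), "level": level, "reasons": reasons,
            "suppressed": actor in KNOWN_AUTOMATION}


def scan(lines):
    """Run classify() over JSON audit lines, skipping blank or truncated ones."""
    findings = []
    for line in lines:
        try:
            finding = classify(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial record at a log rotation boundary
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events, trimmed to the fields the logic reads.
SAMPLE_EVENTS = [
    # 1. A pod's service account binds cluster-admin to itself: the textbook case.
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "system:serviceaccount:default:web",
              "groups": ["system:serviceaccounts", "system:authenticated"]},
     "objectRef": {"resource": "clusterrolebindings", "name": "backdoor-admin"},
     "responseStatus": {"code": 201},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                       "subjects": [{"kind": "ServiceAccount", "name": "web",
                                     "namespace": "default"}]}},
    # 2. Addon manager reconciling a managed binding: high, but suppressed.
    {"stage": "ResponseComplete", "verb": "update",
     "user": {"username": "system:addon-manager", "groups": ["system:authenticated"]},
     "objectRef": {"resource": "clusterrolebindings",
                   "name": "metrics-server:system:auth-delegator"},
     "responseStatus": {"code": 200},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "system:auth-delegator"},
                       "subjects": [{"kind": "ServiceAccount", "name": "metrics-server",
                                     "namespace": "kube-system"}]}},
    # 3. Write attempt that RBAC denied: no persistence gained.
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "alice"},
     "objectRef": {"resource": "rolebindings", "namespace": "prod"},
     "responseStatus": {"code": 403}},
    # 4. Merge patch adding the caller to an existing RoleBinding; roleRef absent.
    {"stage": "ResponseComplete", "verb": "patch",
     "user": {"username": "bob", "groups": ["developers", "system:authenticated"]},
     "objectRef": {"resource": "rolebindings", "namespace": "prod", "name": "deployers"},
     "responseStatus": {"code": 200},
     "requestObject": {"subjects": [{"kind": "User", "name": "bob"},
                                    {"kind": "Group", "name": "developers"}]}},
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT_LOG.splitlines()):
        tag = " (suppressed)" if f["suppressed"] else ""
        print(f"{f['level']:8} {f['actor']:45} {'; '.join(f['reasons'])}{tag}")
```

Two caveats a practitioner should keep in mind. A `patch` body only carries the fields being changed, so the role may be unknown for a patch event; the example still flags it when the caller appears among the added subjects rather than dropping it. And role assignments made through cloud IAM rather than the Kubernetes API (the managed-service path the description mentions for GKE, EKS and AKS) never reach the kube audit log, so those need a separate detection on the provider's own audit trail.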