← Back to Explore
T1098.006
Additional Container Cluster Roles
An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account.(Citation: Kubernetes RBAC)(Citation: Aquasec Kubernetes Attack 2023) Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may mo...
Containers
7
Detections
1
Sources
0
Threat Actors
BY SOURCE
7elastic
PROCEDURES (3)
Service3 detections
Auto-extracted: 3 detections for service
Kubernetes2 detections
Auto-extracted: 2 detections for kubernetes
General Monitoring2 detections
Auto-extracted: 2 detections for general monitoring
DETECTIONS (7)
Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created
elasticlow
Kubernetes Cluster-Admin Role Binding Created
elasticmedium
Kubernetes Creation of a RoleBinding Referencing a ServiceAccount
elasticmedium
Kubernetes Creation or Modification of Sensitive Role
elasticmedium
Kubernetes Sensitive RBAC Change Followed by Workload Modification
elasticmedium
Kubernetes Service Account Modified RBAC Objects
elasticmedium
Unusual Kubernetes Sensitive Workload Modification
elasticlow