Service Account Namespace Read Detected via Defend for Containers

This rule detects the reading of the service account namespace file inside a container. The service account namespace file is used to identify the namespace of the container in which it is running, and may be used by an adversary to get a better understanding of the container and the services running inside it.

Rule type: eql
Rule indices:

• logs-cloud_defend.file*

Rule Severity: low
Risk Score: 21
Runs every: 5m
Searches indices from: now-6m
Maximum alerts per execution: ?
References:

Tags:

• Data Source: Elastic Defend for Containers
• Domain: Container
• OS: Linux
• Use Case: Threat Detection
• Tactic: Discovery

Version: ?
Rule authors:

• Elastic

Rule license: Elastic License v2

file where host.os.type == "linux" and event.type == "change" and event.action == "open" and
file.path == "/var/run/secrets/kubernetes.io/serviceaccount/namespace" and
process.interactive == true and container.id like "*"
		

Framework: MITRE ATT&CK

• Tactic:

  • Name: Discovery
  • Id: TA0007
  • Reference URL: https://attack.mitre.org/tactics/TA0007/

• Technique:

  • Name: Container and Resource Discovery
  • Id: T1613
  • Reference URL: https://attack.mitre.org/techniques/T1613/

• Technique:

  • Name: System Information Discovery
  • Id: T1082
  • Reference URL: https://attack.mitre.org/techniques/T1082/