Kubernetes Creation of a RoleBinding Referencing a ServiceAccount
This rule detects the creation of RoleBindings or ClusterRoleBindings that reference a ServiceAccount, which may indicate privilege delegation or potential RBAC misconfiguration leading to elevated access.
Rule type: query
Rule indices:
- logs-kubernetes.audit_logs-*
Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: ``
Maximum alerts per execution: 100
References:
- https://heilancoos.github.io/research/2025/12/16/kubernetes.html#overly-permissive-role-based-access-control
Tags:
- Data Source: Kubernetes
- Domain: Kubernetes
- Use Case: Threat Detection
- Tactic: Persistence
- Tactic: Privilege Escalation
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
event.dataset: "kubernetes.audit_logs" and kubernetes.audit.requestObject.spec.serviceAccountName:* and
kubernetes.audit.verb:"create" and kubernetes.audit.objectRef.resource:("rolebindings" or "clusterrolebindings") and
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
Framework: MITRE ATT&CK
Tactic:
- Name: Persistence
- Id: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Account Manipulation
- Id: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/
Sub Technique:
- Name: Additional Container Cluster Roles
- Id: T1098.006
- Reference URL: https://attack.mitre.org/techniques/T1098/006/
Framework: MITRE ATT&CK
Tactic:
- Name: Privilege Escalation
- Id: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Account Manipulation
- Id: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/
Sub Technique:
- Name: Additional Container Cluster Roles
- Id: T1098.006
- Reference URL: https://attack.mitre.org/techniques/T1098/006/