Create Service Account (kubernetes)

| Platform | Author | Last Update |
| --- | --- | --- |
| kubernetes | Leo Tsaousis | 2024-12-02 |

Create a Kubernetes service account

MITRE IDs

Scope

This test case does not need cluster-wide permissions.

Required Permissions

- apiGroups:
  - ''
  namespaced: true
  resources:
  - serviceaccounts
  verbs:
  - create

Required Parameters

| Name | Type | Description | Example Value |
| --- | --- | --- | --- |
| serviceaccount | str | Name of the service account to create | leonidas-created-service |

Attacker Action

kubectl create serviceaccount leonidas-created-service

Detection Case

ELK query

When logs are ingested into ELK, the following query can be used to identify relevant events.

verb:create AND resource:serviceaccounts

Sigma Definition

---
title: Create service account
id: e31bae15-83ed-473e-bf31-faf4f8a17d36
status: experimental
author: Leo Tsaousis
date: 2024-12-02
description: |
  Create a Kubernetes service account
logsource:
  product: kubernetes
  service: audit
detection:
  selection:
    verb: create
    resource: serviceaccounts
  condition: selection
level: low
tags:
  - attack.T1136
references:
  - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
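
The selection used by the ELK query and the Sigma rule, applied to raw audit events (an added example, not part of the original test case). It assumes events arrive as audit.k8s.io/v1 JSON lines with the resource under objectRef.resource, and it goes beyond the page's rule by skipping subresource requests such as serviceaccounts/token and by counting only the ResponseComplete stage; the sample events and user names are constructed.

```python
import json

# Constructed sample audit events (audit.k8s.io/v1 JSON lines), not real logs.
SAMPLE_AUDIT_LOG = """\
{"stage":"ResponseComplete","verb":"create","user":{"username":"dev@example.test"},"objectRef":{"resource":"serviceaccounts","namespace":"default","name":"leonidas-created-service"},"responseStatus":{"code":201}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"system:node:node-1"},"objectRef":{"resource":"serviceaccounts","subresource":"token","namespace":"default","name":"default"},"responseStatus":{"code":201}}
{"stage":"RequestReceived","verb":"create","user":{"username":"dev@example.test"},"objectRef":{"resource":"serviceaccounts","namespace":"default","name":"leonidas-created-service"}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"intern@example.test"},"objectRef":{"resource":"serviceaccounts","namespace":"kube-system","name":"helper"},"responseStatus":{"code":403}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"dev@example.test"},"objectRef":{"resource":"serviceaccounts","namespace":"default","name":"default"},"responseStatus":{"code":200}}
not-json garbage line
"""


def find_serviceaccount_creations(lines):
    """Return one finding per completed 'create serviceaccounts' request."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(event, dict):
            continue
        ref = event.get("objectRef") or {}
        # Accept the native nested field or a flattened 'resource' field as on the page.
        resource = ref.get("resource") or event.get("resource")
        if event.get("verb") != "create" or resource != "serviceaccounts":
            continue
        if ref.get("subresource"):
            continue  # e.g. serviceaccounts/token is a token request, not a new account
        if event.get("stage", "ResponseComplete") != "ResponseComplete":
            continue  # a request is logged once per stage; count it once
        code = (event.get("responseStatus") or {}).get("code")
        findings.append({
            "user": (event.get("user") or {}).get("username"),
            "namespace": ref.get("namespace"),
            "name": ref.get("name"),
            "allowed": code is not None and 200 <= code < 300,
        })
    return findings


FINDINGS = find_serviceaccount_creations(SAMPLE_AUDIT_LOG.splitlines())

if __name__ == "__main__":
    for finding in FINDINGS:
        print(finding)
```

Denied attempts are kept with `allowed` set to false, since a 403 on this request is itself worth triaging.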