Steal Pod Service Account Token

idempotent

Platform: Kubernetes

MITRE ATT&CK Tactics

  • Credential Access

Description

Steals a service account token from a running pod by executing a command in the pod and reading /var/run/secrets/kubernetes.io/serviceaccount/token.

Warm-up:

  • Create the Stratus Red Team namespace
  • Create a Service Account
  • Create a Pod running under this service account

Detonation:

  • Execute cat /var/run/secrets/kubernetes.io/serviceaccount/token in the pod to steal its service account token

Instructions

Detonate with Stratus Red Team
stratus detonate k8s.credential-access.steal-serviceaccount-token

Detection

Using Kubernetes API server audit logs, look for pod execution events: requests against the pods resource with the exec subresource whose command arguments reference the service account token path.

Sample event (shortened):

{
    "objectRef": {
        "resource": "pods",
        "subresource": "exec",
        "name": "stratus-red-team-sample-pod"
    },
    "http": {
        "url_details": {
            "path": "/api/v1/namespaces/stratus-red-team-ubdaslyp/pods/stratus-red-team-sample-pod/exec",
            "queryString": {
                "command": "%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Ftoken",
                "stdout": "true"
            }
        },
        "method": "create"
    },
    "stage": "ResponseStarted",
    "kind": "Event",
    "level": "RequestResponse",
    "requestURI": "/api/v1/namespaces/stratus-red-team-ubdaslyp/pods/stratus-red-team-sample-pod/exec?command=cat&command=%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Ftoken&stdout=true"
}
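As an added example (not part of the Stratus Red Team documentation), a small Python detector that applies the check above to JSON-lines audit events: it flags pods/exec requests whose argv references the token path, rebuilds the full argv from requestURI (the flattened queryString in the sample keeps only the last command value, dropping the cat binary), and deduplicates the several stages the API server logs for one request. The sample events are constructed and use the raw Kubernetes audit Event fields (auditID, user, objectRef, requestURI) rather than the http wrapper shown above.

```python
import json
from urllib.parse import parse_qs, urlsplit
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"  # from the page

def exec_argv(event: dict) -> list[str]:
    """Full argv of a pods/exec request, rebuilt from requestURI."""
    # kubectl exec sends one 'command' query parameter per argument
    # (command=cat&command=/var/...); parse_qs keeps all of them and decodes them.
    query = urlsplit(event.get("requestURI", "")).query
    return parse_qs(query).get("command", [])

def is_sa_token_read(event: dict) -> bool:
    """True for an exec into a pod whose argv references the token file."""
    ref = event.get("objectRef", {})
    if ref.get("resource") != "pods" or ref.get("subresource") != "exec":
        return False
    return any(SA_TOKEN_PATH in arg for arg in exec_argv(event))

def find_token_reads(audit_lines: list[str]) -> list[tuple[str, str, str]]:
    """Scan JSON-lines audit output; return (user, namespace, pod) per hit."""
    seen, hits = set(), []
    for line in audit_lines:
        ev = json.loads(line)
        # One request is logged at several stages; deduplicate on auditID to alert once.
        key = ev.get("auditID", line)
        if key in seen or not is_sa_token_read(ev):
            continue
        seen.add(key)
        ref = ev["objectRef"]
        hits.append((ev.get("user", {}).get("username", "?"),
                     ref.get("namespace", "?"), ref.get("name", "?")))
    return hits

# Constructed sample (not from the page): the detonation above, logged at two
# audit stages, plus a benign exec. Fields follow the Kubernetes audit Event schema.
BASE_URI = "/api/v1/namespaces/stratus-red-team-ubdaslyp/pods/stratus-red-team-sample-pod/exec"
STEAL_URI = BASE_URI + ("?command=cat&command=%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io"
                        "%2Fserviceaccount%2Ftoken&stdout=true")
POD_REF = {"resource": "pods", "subresource": "exec",
           "namespace": "stratus-red-team-ubdaslyp", "name": "stratus-red-team-sample-pod"}
SAMPLE_AUDIT_LINES = [
    json.dumps({"auditID": "a1", "stage": "ResponseStarted", "requestURI": STEAL_URI,
                "user": {"username": "stratus-red-team"}, "objectRef": POD_REF}),
    json.dumps({"auditID": "a1", "stage": "ResponseComplete", "requestURI": STEAL_URI,
                "user": {"username": "stratus-red-team"}, "objectRef": POD_REF}),
    json.dumps({"auditID": "b2", "stage": "ResponseStarted", "objectRef": POD_REF,
                "user": {"username": "dev"},
                "requestURI": BASE_URI + "?command=ls&command=%2Ftmp&stdout=true"}),
]
```

Running find_token_reads(SAMPLE_AUDIT_LINES) yields a single hit for the stratus-red-team user despite the two logged stages, and the benign ls exec is not reported.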