1. Home
  2. Techniques
  3. Enterprise
  4. Account Manipulation
  5. Additional Container Cluster Roles

Account Manipulation: Additional Container Cluster Roles

ID Name
T1098.001 Additional Cloud Credentials
T1098.002 Additional Email Delegate Permissions
T1098.003 Additional Cloud Roles
T1098.004 SSH Authorized Keys
T1098.005 Device Registration
T1098.006 Additional Container Cluster Roles
T1098.007 Additional Local or Domain Groups

An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account.[1][2] Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.[3]

This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised.

Note that where container orchestration systems are deployed in cloud environments, as with Google Kubernetes Engine, Amazon Elastic Kubernetes Service, and Azure Kubernetes Service, cloud-based role-based access control (RBAC) assignments or ABAC policies can often be used in place of or in addition to local permission assignments.[4][5][6] In these cases, this technique may be used in conjunction with Additional Cloud Roles.

ID: T1098.006
Sub-technique of:  T1098
Platforms: Containers
Version: 1.0
Created: 14 July 2023
Last Modified: 15 April 2025
Version Permalink

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Require multi-factor authentication for user accounts integrated into container clusters through cloud deployments or via authentication protocols such as LDAP or SAML.

M1018 User Account Management

Ensure that low-privileged accounts do not have permissions to add permissions to accounts or to update container cluster roles.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0572 Suspicious RoleBinding or ClusterRoleBinding Assignment in Kubernetes AN1579

Detects assignment of high-privilege roles to user or service accounts via Kubernetes RoleBinding or ClusterRoleBinding objects, especially outside of CI/CD automation or from unknown IPs.

References

  1. Kubernetes. (n.d.). Role Based Access Control Good Practices. Retrieved March 8, 2023.
  2. Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14, 2023.
  3. Kuberenets. (n.d.). Using ABAC Authorization. Retrieved July 14, 2023.
  1. Google Cloud. (n.d.). Create IAM policies. Retrieved July 14, 2023.
  2. Amazon Web Services. (n.d.). IAM roles for service accounts. Retrieved July 14, 2023.
  3. Microsoft Azure. (2023, April 28). Access and identity options for Azure Kubernetes Service (AKS). Retrieved July 14, 2023.