
DET0572 Suspicious RoleBinding or ClusterRoleBinding Assignment in Kubernetes

ID: DET0572
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1098.006 (Additional Container Cluster Roles)

Analytics

Containers

AN1579

Detects the creation or modification of Kubernetes RoleBinding or ClusterRoleBinding objects that bind a high-privilege role (for example cluster-admin, admin or edit) to a user, group or service account, with emphasis on requests that do not come from CI/CD automation, that originate from an unrecognised source IP, or that occur at irregular times. Note that the bound role (roleRef) and the subjects are only present in the audit event when the audit policy records RBAC resources at the Request or RequestResponse level; at the Metadata level the event carries only the verb, resource and object name, so the rule cannot tell a cluster-admin binding from a view binding.

Log Sources
Data Component: User Account Modification (DC0010)
Name: kubernetes:audit
Channel: create or update events for RoleBinding or ClusterRoleBinding objects. A binding changed with kubectl patch is recorded with the verb patch rather than update, so scope the rule to the verbs create, update and patch on the rbac.authorization.k8s.io resources rolebindings and clusterrolebindings.
Mutable Elements
UserAgent: Filter expected sources of automated role assignment (e.g., CI/CD tooling)
RoleName: Scope to privileged roles like cluster-admin, edit, admin
TimeWindow: Detect after-hours or irregular-time assignments
UserContext: Define known service accounts and privileged operators to reduce noise
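The following is an added example of the analytic above run over constructed Kubernetes audit events; it is not code from the ATT&CK detection strategy or from any Kubernetes project. It parses audit.k8s.io/v1 events in JSON-lines form, keeps successful create/update/patch requests on RoleBinding and ClusterRoleBinding objects, and raises a finding when the bound role is privileged and the request does not look like known automation. The CI/CD user agent prefix, the trusted network range and the business-hours window are assumptions standing in for the mutable elements; the sample events are constructed. It also handles the patch edge case: a patch body carries only the changed fields (typically new subjects) and no roleRef, so the role is read from the full object echoed back in responseObject.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Tunables corresponding to the mutable elements. Values are assumptions for
# this example; replace with your own CI/CD agents, networks and hours.
PRIVILEGED_ROLES = {"cluster-admin", "admin", "edit"}
RBAC_VERBS = {"create", "update", "patch"}
RBAC_RESOURCES = {"rolebindings", "clusterrolebindings"}
TRUSTED_USER_AGENTS = ("argocd-application-controller/",)      # hypothetical CI/CD agent
TRUSTED_SOURCE_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # hypothetical build network
BUSINESS_HOURS_UTC = range(8, 18)


def bound_role(event):
    """Role granted by the binding. A patch request carries only the changed
    fields, so prefer the full object the API server echoed in responseObject."""
    for key in ("responseObject", "requestObject"):
        role_ref = (event.get(key) or {}).get("roleRef") or {}
        if role_ref.get("name"):
            return role_ref["name"]
    return None


def evaluate(event):
    """Return the reasons one audit event is suspicious (empty list = ignore)."""
    ref = event.get("objectRef") or {}
    if (event.get("stage") != "ResponseComplete"
            or event.get("verb") not in RBAC_VERBS
            or ref.get("apiGroup") != "rbac.authorization.k8s.io"
            or ref.get("resource") not in RBAC_RESOURCES):
        return []
    # Only successful writes change RBAC state; 4xx/5xx are denied attempts.
    if (event.get("responseStatus") or {}).get("code", 0) >= 300:
        return []
    if bound_role(event) not in PRIVILEGED_ROLES:
        return []

    ua = event.get("userAgent", "")
    ua_ok = ua.startswith(TRUSTED_USER_AGENTS)
    ips = [ipaddress.ip_address(ip) for ip in event.get("sourceIPs") or []]
    ip_ok = any(ip in net for ip in ips for net in TRUSTED_SOURCE_NETS)
    if ua_ok and ip_ok:
        return []  # known automation from a known network: expected activity
    reasons = []
    if not ua_ok:
        reasons.append(f"user agent not on CI/CD allowlist: {ua}")
    if not ip_ok:
        reasons.append(f"source IP outside trusted ranges: {event.get('sourceIPs')}")
    ts = event.get("requestReceivedTimestamp")
    if ts:
        hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).hour
        if hour not in BUSINESS_HOURS_UTC:
            reasons.append(f"outside business hours (UTC hour {hour})")
    return reasons


def scan(lines):
    """Parse JSON-lines audit output; return {binding name: reasons} for hits."""
    hits = {}
    for line in lines:
        if line.strip():
            event = json.loads(line)
            reasons = evaluate(event)
            if reasons:
                hits[event["objectRef"]["name"]] = reasons
    return hits


def _event(verb, resource, name, role, user, ua, ip, ts, code=200, patch=False):
    """Build one constructed audit.k8s.io/v1 event at RequestResponse level."""
    full = {"roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "User", "name": "alice"}]}
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
        "stage": "ResponseComplete", "verb": verb, "user": {"username": user},
        "sourceIPs": [ip], "userAgent": ua, "requestReceivedTimestamp": ts,
        "objectRef": {"resource": resource, "apiGroup": "rbac.authorization.k8s.io", "name": name},
        "requestObject": {"subjects": full["subjects"]} if patch else full,  # patch body has no roleRef
        "responseObject": full if code < 300 else {"kind": "Status", "status": "Failure"},
        "responseStatus": {"code": code}})


KUBECTL = "kubectl/v1.30.0 (linux/amd64) kubernetes/abc1234"
SAMPLE_AUDIT_LINES = [  # constructed sample log lines
    _event("create", "rolebindings", "app-deployer", "edit", "system:serviceaccount:argocd:argocd-application-controller",
           "argocd-application-controller/v2.10.0", "10.20.4.9", "2025-10-21T10:05:00.000000Z", 201),
    _event("create", "clusterrolebindings", "debug-admin", "cluster-admin", "jane", KUBECTL,
           "203.0.113.7", "2025-10-21T02:13:00.000000Z", 201),
    _event("patch", "clusterrolebindings", "ops-admins", "cluster-admin", "bob", KUBECTL,
           "10.20.7.3", "2025-10-21T11:40:00.000000Z", patch=True),
    _event("create", "rolebindings", "readonly", "view", "jane", KUBECTL,
           "203.0.113.7", "2025-10-21T02:20:00.000000Z", 201),
    _event("create", "clusterrolebindings", "denied-admin", "cluster-admin", "mallory", KUBECTL,
           "203.0.113.9", "2025-10-21T03:00:00.000000Z", 403),
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_AUDIT_LINES).items():
        print(name, "->", "; ".join(reasons))
```

Over the sample lines the Argo CD binding (trusted agent and network), the view binding (not privileged) and the denied 403 request produce nothing; the after-hours cluster-admin binding from an external address is reported with three reasons, and the patch that adds a subject to an existing cluster-admin binding is still caught, with the unexpected user agent as the single reason, because the role is recovered from responseObject.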