K-SA-TOKENDiscovery

ServiceAccount Token Theft

Read /var/run/secrets/kubernetes.io/serviceaccount/token from a compromised pod — talk to the API server as the pod's SA.

§ Where this technique fits

K-SA-TOKEN is catalogued under the Discovery tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 5 on average.

§ Dossiers chaining this technique

Docker socket exposed in pod → host root
A workload mounts /var/run/docker.sock for convenience; spawn a container with the host root mounted, then chroot in for root on the node.
step 5 / 6

§ What commonly comes next

01
Malicious CronJob / DaemonSet
K-CRONJOB-PERSIST · Persistence
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Docker socket exposed in pod → host root

§ What commonly comes next