MITRE ATT&CK Technique
Description
An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account.(Citation: Kubernetes RBAC)(Citation: Aquasec Kubernetes Attack 2023) Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.(Citation: Kuberentes ABAC) This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. Note that where container orchestration systems are deployed in cloud environments, as with Google Kubernetes Engine, Amazon Elastic Kubernetes Service, and Azure Kubernetes Service, cloud-based role-based access control (RBAC) assignments or ABAC policies can often be used in place of or in addition to local permission assignments.(Citation: Google Cloud Kubernetes IAM)(Citation: AWS EKS IAM Roles for Service Accounts)(Citation: Microsoft Azure Kubernetes Service Service Accounts) In these cases, this technique may be used in conjunction with [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2023-07-14T14:01:50.806Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'An adversary may add additional roles or permissions to an '
'adversary-controlled user or service account to maintain '
'persistent access to a container orchestration system. For '
'example, an adversary with sufficient permissions may create '
'a RoleBinding or a ClusterRoleBinding to bind a Role or '
'ClusterRole to a Kubernetes account.(Citation: Kubernetes '
'RBAC)(Citation: Aquasec Kubernetes Attack 2023) Where '
'attribute-based access control (ABAC) is in use, an adversary '
'with sufficient permissions may modify a Kubernetes ABAC '
'policy to give the target account additional '
'permissions.(Citation: Kuberentes ABAC)\n'
' \n'
'This account modification may immediately follow [Create '
'Account](https://attack.mitre.org/techniques/T1136) or other '
'malicious account activity. Adversaries may also modify '
'existing [Valid '
'Accounts](https://attack.mitre.org/techniques/T1078) that '
'they have compromised. \n'
'\n'
'Note that where container orchestration systems are deployed '
'in cloud environments, as with Google Kubernetes Engine, '
'Amazon Elastic Kubernetes Service, and Azure Kubernetes '
'Service, cloud-based role-based access control (RBAC) '
'assignments or ABAC policies can often be used in place of or '
'in addition to local permission assignments.(Citation: Google '
'Cloud Kubernetes IAM)(Citation: AWS EKS IAM Roles for Service '
'Accounts)(Citation: Microsoft Azure Kubernetes Service '
'Service Accounts) In these cases, this technique may be used '
'in conjunction with [Additional Cloud '
'Roles](https://attack.mitre.org/techniques/T1098/003).',
'external_references': [{'external_id': 'T1098.006',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1098/006'},
{'description': 'Amazon Web Services. (n.d.). IAM '
'roles for service accounts. '
'Retrieved July 14, 2023.',
'source_name': 'AWS EKS IAM Roles for Service '
'Accounts',
'url': 'https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html'},
{'description': 'Google Cloud. (n.d.). Create IAM '
'policies. Retrieved July 14, 2023.',
'source_name': 'Google Cloud Kubernetes IAM',
'url': 'https://cloud.google.com/kubernetes-engine/docs/how-to/iam'},
{'description': 'Kuberenets. (n.d.). Using ABAC '
'Authorization. Retrieved July 14, '
'2023.',
'source_name': 'Kuberentes ABAC',
'url': 'https://kubernetes.io/docs/reference/access-authn-authz/abac/'},
{'description': 'Kubernetes. (n.d.). Role Based '
'Access Control Good Practices. '
'Retrieved March 8, 2023.',
'source_name': 'Kubernetes RBAC',
'url': 'https://kubernetes.io/docs/concepts/security/rbac-good-practices/'},
{'description': 'Michael Katchinskiy, Assaf Morag. '
'(2023, April 21). First-Ever Attack '
'Leveraging Kubernetes RBAC to '
'Backdoor Clusters. Retrieved July '
'14, 2023.',
'source_name': 'Aquasec Kubernetes Attack 2023',
'url': 'https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters'},
{'description': 'Microsoft Azure. (2023, April 28). '
'Access and identity options for '
'Azure Kubernetes Service (AKS). '
'Retrieved July 14, 2023.',
'source_name': 'Microsoft Azure Kubernetes Service '
'Service Accounts',
'url': 'https://learn.microsoft.com/en-us/azure/aks/concepts-identity'}],
'id': 'attack-pattern--35d30338-5bfa-41b0-a170-ec06dfd75f64',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-04-15T21:46:31.661Z',
'name': 'Additional Container Cluster Roles',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Containers'],
'x_mitre_version': '1.0'}