Kubernetes Pod Exec Sensitive File or Credential Path Access
Detects Kubernetes pod exec sessions whose decoded command line references high-value host or in-cluster paths and material types: mounted service account or platform tokens, kubelet and control-plane configuration areas, host identity stores, root dot-directories for cloud and kubeconfig material, common private-key and keystore extensions, process environment dumps, and configuration filenames suggestive of embedded secrets. The intent is to catch interactive or scripted access that often precedes lateral movement, privilege escalation, or credential theft from the node or workload boundary. A narrow exclusion ignores benign reads of resolv.conf. The query also labels an access_type bucket to speed triage without altering the detection predicates you validated.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2026/04/23"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2026/04/23"

[rule]
author = ["Elastic"]
description = """
Detects Kubernetes pod exec sessions whose decoded command line references high-value host or in-cluster paths and
material types: mounted service account or platform tokens, kubelet and control-plane configuration areas, host
identity stores, root dot-directories for cloud and kubeconfig material, common private-key and keystore extensions,
process environment dumps, and configuration filenames suggestive of embedded secrets. The intent is to catch
interactive or scripted access that often precedes lateral movement, privilege escalation, or credential theft from
the node or workload boundary. A narrow exclusion ignores benign reads of resolv.conf. The query also labels an
access_type bucket to speed triage without altering the detection predicates you validated.
"""
from = "now-6m"
interval = "5m"
language = "esql"
license = "Elastic License v2"
name = "Kubernetes Pod Exec Sensitive File or Credential Path Access"
note = """## Triage and analysis

### Investigating Kubernetes Pod Exec Sensitive File or Credential Path Access

This alert ties Kubernetes audit exec events to reconstructed command text that matches sensitive path and filename
patterns. Use the Esql.access_type field to prioritize: IRSA token paths, default Kubernetes service account tokens,
other mounted secrets, certificates and keystores, Kubernetes static config, kubelet state, host passwd or shadow,
user home credential stores, and proc environ scraping.

### Possible investigation steps

- Identify the Kubernetes user, groups, impersonation, source IP, and user agent for the exec caller.
- Map objectRef namespace, pod, and container to an owning team, image digest, and change history.
- Compare Esql.executed_command against known runbooks; capture follow-on audit activity such as additional execs,
  secret reads at the API layer, or RBAC changes.
- If host-level paths appear, determine whether the workload runs privileged, with hostPath mounts, or on nodes where
  break-glass access is expected.

### False positive analysis

- Diagnostic images and vendor agents sometimes cat resolv.conf or kubeconfig-like paths; the rule excludes resolv.conf
  but other matches may still be legitimate—baseline stable automation identities.
- Training containers that deliberately demonstrate passwd reads can trigger; scope exceptions to those images and
  namespaces.

### Response and remediation

- If malicious, end the exec session, isolate the pod or node, rotate any credentials that could have been read,
  review and tighten pods/exec RBAC and admission controls, and inspect for persistence added after the session.
"""
references = [
  "https://attack.mitre.org/techniques/T1552/001/",
  "https://attack.mitre.org/techniques/T1552/007/",
]
risk_score = 73
rule_id = "b2c3d4e5-f6a7-4890-b1c2-d3e4f5a60789"
severity = "high"
tags = [
  "Data Source: Kubernetes",
  "Domain: Kubernetes",
  "Use Case: Threat Detection",
  "Tactic: Credential Access",
  "Tactic: Execution",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-kubernetes.audit_logs-* metadata _id, _index, _version
| WHERE kubernetes.audit.objectRef.subresource == "exec"
  AND kubernetes.audit.requestURI LIKE "*command=*"
| EVAL decoded_uri = URL_DECODE(kubernetes.audit.requestURI)
| GROK decoded_uri "%{DATA}/exec\\?%{DATA:raw_commands}&(?:container|stdin|stdout|stderr)=%{GREEDYDATA}"
| EVAL command = REPLACE(raw_commands, "command=", "")
| EVAL command = REPLACE(command, "&", " ")
| EVAL Esql.executed_command = REPLACE(command, "\\+", " ")
| WHERE Esql.executed_command IS NOT NULL
  AND Esql.executed_command RLIKE """.*(/var/run/secrets/|/etc/kubernetes/|/var/lib/kubelet/|/etc/shadow|/etc/passwd|/etc/sudoers|(/root|/home/[^/]+)/\.(ssh|aws|azure|kube|config/gcloud)|\.p12|\.pem|\.key|\.jks|\.keystore|/etc/.*\.conf.*(password|secret|key|token|credential)|/proc/.*/environ).*"""
  AND NOT Esql.executed_command RLIKE """.*/etc/resolv\.conf.*"""
| EVAL Esql.access_type = CASE(
    Esql.executed_command RLIKE """.*/var/run/secrets/eks\.amazonaws\.com.*""", "AWS_IRSA_TOKEN",
    Esql.executed_command RLIKE """.*/var/run/secrets/azure/tokens/.*""", "AZURE_WORKLOAD_IDENTITY_TOKEN",
    Esql.executed_command RLIKE """.*/var/run/secrets/tokens/gcp-ksa/.*""", "GCP_WORKLOAD_IDENTITY_TOKEN",
    Esql.executed_command RLIKE """.*/var/run/secrets/kubernetes\.io/serviceaccount/token.*""", "K8S_SA_TOKEN",
    Esql.executed_command RLIKE """.*/var/run/secrets/.*""", "MOUNTED_SECRET",
    Esql.executed_command RLIKE """.*\.(p12|pem|key|jks|keystore).*""", "CERTIFICATE_OR_KEY",
    Esql.executed_command RLIKE """.*/etc/kubernetes/.*""", "K8S_CONFIG",
    Esql.executed_command RLIKE """.*/var/lib/kubelet/.*""", "KUBELET_CONFIG",
    Esql.executed_command RLIKE """.*/etc/shadow.*""", "HOST_CREDENTIALS",
    Esql.executed_command RLIKE """.*/etc/passwd.*""", "USER_ENUMERATION",
    Esql.executed_command RLIKE """.*/etc/sudoers.*""", "SUDOERS_ACCESS",
    Esql.executed_command RLIKE """.*(/root|/home/[^/]+)/\.(ssh|aws|azure|kube|config/gcloud).*""", "USER_CREDENTIALS",
    Esql.executed_command RLIKE """.*/proc/.*/environ.*""", "PROCESS_ENV_SECRETS",
    Esql.executed_command RLIKE """.*/etc/.*\.conf.*(password|secret|key|token|credential).*""", "EMBEDDED_CONFIG_SECRET",
    "OTHER_SENSITIVE"
  )
| KEEP *
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"

[[rule.threat.technique.subtechnique]]
id = "T1552.007"
name = "Container API"
reference = "https://attack.mitre.org/techniques/T1552/007/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
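To check the query's decode-and-classify chain against known inputs before deploying it, here is an added Python re-implementation of its logic (not part of the rule or of Elastic's code) run over constructed audit records; the USER_CREDENTIALS bucket here uses the same `(/root|/home/[^/]+)` home-directory pattern as the detection predicate, so non-root home reads are labelled rather than falling through to OTHER_SENSITIVE.

```python
import re
from urllib.parse import unquote

# Constructed sample audit records (not real cluster data): the API server logs a
# kubectl exec as repeated, percent-encoded command= parameters in requestURI.
SAMPLE_EVENTS = [
    {"subresource": "exec", "requestURI": "/api/v1/namespaces/prod/pods/web-0/exec?command=cat"
     "&command=%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Ftoken&container=web&stdout=true"},
    {"subresource": "exec", "requestURI": "/api/v1/namespaces/prod/pods/web-0/exec?command=cat"
     "&command=%2Fetc%2Fresolv.conf&container=web&stdout=true"},
    {"subresource": "exec", "requestURI": "/api/v1/namespaces/dev/pods/tools/exec?command=ls"
     "&command=-la&command=%2Fhome%2Falice%2F.ssh&container=tools&stdout=true"},
    {"subresource": "exec", "requestURI": "/api/v1/namespaces/dev/pods/tools/exec?command=sh"
     "&command=-c&command=cat+%2Fproc%2F1%2Fenviron&container=tools&stdin=true"},
]
# Same patterns as the ES|QL query; RLIKE is a full match, hence re.fullmatch below.
GROK_RE = re.compile(r"/exec\?(?P<raw_commands>.*?)&(?:container|stdin|stdout|stderr)=")
SENSITIVE_RE = re.compile(r".*(/var/run/secrets/|/etc/kubernetes/|/var/lib/kubelet/|/etc/shadow|/etc/passwd"
    r"|/etc/sudoers|(/root|/home/[^/]+)/\.(ssh|aws|azure|kube|config/gcloud)|\.p12|\.pem|\.key|\.jks"
    r"|\.keystore|/etc/.*\.conf.*(password|secret|key|token|credential)|/proc/.*/environ).*")
EXCLUDE_RE = re.compile(r".*/etc/resolv\.conf.*")
ACCESS_TYPES = [  # first match wins, like the CASE branches
    (r".*/var/run/secrets/eks\.amazonaws\.com.*", "AWS_IRSA_TOKEN"),
    (r".*/var/run/secrets/azure/tokens/.*", "AZURE_WORKLOAD_IDENTITY_TOKEN"),
    (r".*/var/run/secrets/tokens/gcp-ksa/.*", "GCP_WORKLOAD_IDENTITY_TOKEN"),
    (r".*/var/run/secrets/kubernetes\.io/serviceaccount/token.*", "K8S_SA_TOKEN"),
    (r".*/var/run/secrets/.*", "MOUNTED_SECRET"),
    (r".*\.(p12|pem|key|jks|keystore).*", "CERTIFICATE_OR_KEY"),
    (r".*/etc/kubernetes/.*", "K8S_CONFIG"),
    (r".*/var/lib/kubelet/.*", "KUBELET_CONFIG"),
    (r".*/etc/shadow.*", "HOST_CREDENTIALS"),
    (r".*/etc/passwd.*", "USER_ENUMERATION"),
    (r".*/etc/sudoers.*", "SUDOERS_ACCESS"),
    (r".*(/root|/home/[^/]+)/\.(ssh|aws|azure|kube|config/gcloud).*", "USER_CREDENTIALS"),
    (r".*/proc/.*/environ.*", "PROCESS_ENV_SECRETS"),
    (r".*/etc/.*\.conf.*(password|secret|key|token|credential).*", "EMBEDDED_CONFIG_SECRET"),
]

def executed_command(request_uri):
    # Mirror URL_DECODE -> GROK -> REPLACE: percent-decode (unquote leaves '+' alone, as the
    # rule assumes), cut the command= run, then drop the key names and separators.
    m = GROK_RE.search(unquote(request_uri)) if "command=" in request_uri else None
    if m is None:
        return None
    return m.group("raw_commands").replace("command=", "").replace("&", " ").replace("+", " ")

def evaluate(event):
    # Returns (Esql.executed_command, Esql.access_type) when the rule would alert, else None.
    cmd = executed_command(event["requestURI"]) if event.get("subresource") == "exec" else None
    if cmd is None or not SENSITIVE_RE.fullmatch(cmd) or EXCLUDE_RE.fullmatch(cmd):
        return None
    return cmd, next((l for p, l in ACCESS_TYPES if re.fullmatch(p, cmd)), "OTHER_SENSITIVE")
```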
Related rules
- Kubernetes Pod Exec Cloud Instance Metadata Access
- Service Account Token or Certificate Access Followed by Kubernetes API Request
- Kubernetes Pod Exec Potential Reverse Shell
- Kubernetes Pod Exec with Curl or Wget to HTTPS
- Kubernetes Secret get or list with Suspicious User Agent