Kubernetes Potential Enumeration Activity
Detects potential Kubernetes enumeration or attack activity via the audit log. This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests. Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
Sigma rule
title: Kubernetes Potential Enumeration Activity
id: 597a7e84-187d-458b-9e4f-2f5a0e676711
status: experimental
description: |
    Detects potential Kubernetes enumeration or attack activity via the audit log.
    This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests.
    Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
references:
    - https://www.nccgroup.com/research/detection-engineering-for-kubernetes-clusters/
    - https://github.com/trufflesecurity/trufflehog
    - https://github.com/corneliusweig/rakkess
author: uniqu3-us3r
date: 2026-04-28
tags:
    - attack.execution
    - attack.discovery
    - attack.t1609
    - attack.t1613
logsource:
    product: kubernetes
    service: audit
detection:
    selection_status:
        responseStatus.code: 'ALLOW'
    selection_request_uri:
        requestURI|contains:
            # Shells Encoded
            - '%2fbin%2fash'
            - '%2fbin%2fbash'
            - '%2fbin%2fbusybox'
            - '%2fbin%2fdash'
            - '%2fbin%2fsh'
            - '%2fbin%2fzsh'
            # Shells Plain
            - '/bin/ash'
            - '/bin/bash'
            - '/bin/busybox'
            - '/bin/dash'
            - '/bin/sh'
            - '/bin/zsh'
            # Tools Encoded
            - '%2fusr%2fbin%2fcurl'
            - '%2fusr%2fbin%2fkubectl'
            - '%2fusr%2fbin%2fperl'
            - '%2fusr%2fbin%2fpython'
            - '%2fusr%2fbin%2fwget'
            # Tools Plain
            - '/usr/bin/curl'
            - '/usr/bin/kubectl'
            - '/usr/bin/perl'
            - '/usr/bin/python'
            - '/usr/bin/wget'
    selection_request_user_agent:
        userAgent|contains:
            - 'access_matrix' # Rakkess
            - 'trufflehog' # Secret scanning tool
            - 'azurehound' # Azure/Cloud discovery
            - 'micro-scanner' # Vulnerability scanning
    condition: selection_status and 1 of selection_request_*
falsepositives:
    - Authorized administrative maintenance via kubectl
    - Automated internal infrastructure monitoring and certificate rotation
    - Security-approved vulnerability or secret scanning in DevSecOps pipelines
level: medium
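To see how the condition `selection_status and 1 of selection_request_*` behaves, the following is an added Python evaluator (not part of the rule or of the Sigma project) that applies the rule's indicator lists with Sigma's default case-insensitive `contains` semantics to a handful of constructed audit events. The status selection is implemented literally as the rule writes it (`responseStatus.code` equal to `'ALLOW'`), and the sample events, user agents and pod names are constructed for illustration.

```python
"""Toy evaluator for the Sigma rule above (added example, not the rule's or
Sigma's own code). Implements `selection_status and 1 of selection_request_*`
with case-insensitive `contains` matching over constructed audit events."""

SHELLS = ["ash", "bash", "busybox", "dash", "sh", "zsh"]
TOOLS = ["curl", "kubectl", "perl", "python", "wget"]

# Same indicators as the rule: plain and percent-encoded form of each path.
REQUEST_URI_INDICATORS = (
    [f"/bin/{s}" for s in SHELLS] + [f"%2fbin%2f{s}" for s in SHELLS]
    + [f"/usr/bin/{t}" for t in TOOLS] + [f"%2fusr%2fbin%2f{t}" for t in TOOLS]
)
USER_AGENT_INDICATORS = ["access_matrix", "trufflehog", "azurehound", "micro-scanner"]


def contains_any(value, indicators):
    """Sigma `|contains` with a list value: any indicator is a case-insensitive substring."""
    haystack = (value or "").lower()
    return any(ind.lower() in haystack for ind in indicators)


def matches_rule(event):
    """True when the audit event satisfies the rule's condition as written."""
    status_ok = str(event.get("responseStatus", {}).get("code")) == "ALLOW"
    uri_hit = contains_any(event.get("requestURI"), REQUEST_URI_INDICATORS)
    ua_hit = contains_any(event.get("userAgent"), USER_AGENT_INDICATORS)
    return status_ok and (uri_hit or ua_hit)


# Constructed audit events (illustrative, not real captures).
EVENTS = [
    # exec with a percent-encoded shell; uppercase hex still matches the lowercase indicator
    {"requestURI": "/api/v1/namespaces/default/pods/web-0/exec?command=%2Fbin%2Fsh&stdin=true",
     "userAgent": "kubectl/v1.29.0 (linux/amd64)", "responseStatus": {"code": "ALLOW"}},
    # permission enumeration flagged by the user agent alone
    {"requestURI": "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews",
     "userAgent": "access_matrix/v0.0.0 (constructed)", "responseStatus": {"code": "ALLOW"}},
    # ordinary pod listing: allowed, but no indicator in URI or user agent
    {"requestURI": "/api/v1/namespaces/default/pods",
     "userAgent": "kubectl/v1.29.0 (linux/amd64)", "responseStatus": {"code": "ALLOW"}},
    # shell exec where the status selection does not hold, so the AND fails
    {"requestURI": "/api/v1/namespaces/default/pods/web-0/exec?command=/bin/bash",
     "userAgent": "kubectl/v1.29.0 (linux/amd64)", "responseStatus": {"code": 403}},
]


def alerts(events):
    """Indexes of the events the rule would flag."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]
```

In native Kubernetes audit events `responseStatus.code` carries the HTTP status code of the response (for example 201 for a successful exec), so whether `selection_status` fires in production depends on how your log pipeline maps that field.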
Related rules
- HackTool - NetExec File Indicators
- BloodHound Collection Files
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ProcessCreation
- Malicious PowerShell Commandlets - ScriptBlock