Kubernetes Secrets Enumeration

 1title: Kubernetes Secrets Enumeration
 2id: eeb3e9e1-b685-44e4-9232-6bb701f925b5
 3related:
 4    - id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
 5      type: derived
 6status: test
 7description: Detects enumeration of Kubernetes secrets.
 8references:
 9    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
10author: Leo Tsaousis (@laripping)
11date: 2024-03-26
12tags:
13    - attack.t1552.007
14    - attack.credential-access
15logsource:
16    category: application
17    product: kubernetes
18    service: audit
19detection:
20    selection:
21        verb: 'list'
22        objectRef.resource: 'secrets'
23    condition: selection
24falsepositives:
25    - The Kubernetes dashboard occasionally accesses the kubernetes-dashboard-key-holder secret
26level: low

References

• List Kubernetes secrets - Threat Matrix for Kubernetes

  List Kubernetes secrets A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by ...

  
  Read More

Related rules

• Kubernetes Admission Controller Modification
• Azure Kubernetes Admission Controller
• Google Cloud Kubernetes Admission Controller
• Bitbucket User Login Failure Via SSH
• DPAPI Backup Keys And Certificate Export Activity IOC