Kubernetes Secrets Enumeration

Detects enumeration of Kubernetes secrets.

Sigma rule

title: Kubernetes Secrets Enumeration
id: eeb3e9e1-b685-44e4-9232-6bb701f925b5
related:
    - id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
      type: derived
status: experimental
description: Detects enumeration of Kubernetes secrets.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
author: Leo Tsaousis (@laripping)
date: 2024/03/26
tags:
    - attack.t1552.007
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'list'
        objectRef.resource: 'secrets'
    condition: selection
falsepositives:
    - The Kubernetes dashboard occasionally accesses the kubernetes-dashboard-key-holder secret
level: low
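
The rule's selection applied to Kubernetes audit events, as an added example (not part of the Sigma rule or its repository). The audit lines are constructed, and the helper names field, matches and detect are hypothetical.

```python
import json

# Selection copied from the rule's detection block.
SELECTION = {"verb": "list", "objectRef.resource": "secrets"}

# Constructed audit events (audit.k8s.io/v1 Event shape); every value is made up.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:dev:ci-runner"},"objectRef":{"resource":"secrets","namespace":"dev","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard"},"objectRef":{"resource":"secrets","namespace":"kubernetes-dashboard","name":"kubernetes-dashboard-key-holder","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:dev:ci-runner"},"objectRef":{"resource":"pods","namespace":"dev","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"alice@example.com"},"objectRef":{"resource":"secrets","apiVersion":"v1"},"responseStatus":{"code":403}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","requestURI":"/healthz","user":{"username":"system:anonymous"},"responseStatus":{"code":200}}
"""

def field(event, dotted):
    """Resolve a Sigma-style dotted field name against a nested audit event."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches(event, selection=SELECTION):
    """Every selection field must match; Sigma compares strings case-insensitively."""
    for name, want in selection.items():
        got = field(event, name)
        if not isinstance(got, str) or got.lower() != want.lower():
            return False
    return True

def detect(log_text):
    """Return (username, namespace, response code) for each matching event."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if matches(event):
            hits.append((field(event, "user.username"),
                         field(event, "objectRef.namespace") or "<all namespaces>",
                         field(event, "responseStatus.code")))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_AUDIT_LOG):
        print(hit)
```

The second hit is a denied request: the selection has no condition on responseStatus.code, so failed list attempts match as well as successful ones.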
