Detectionlowtest

Kubernetes Secrets Enumeration

Detects enumeration of Kubernetes secrets.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Leo TsaousisCreated Tue Mar 26eeb3e9e1-b685-44e4-9232-6bb701f925b5application

Log Source

Kubernetesapplicationaudit

ProductKubernetes← raw: kubernetes

Categoryapplication← raw: application

Serviceaudit← raw: audit

Detection Logic

detection:
    selection:
        verb: 'list'
        objectRef.resource: 'secrets'
    condition: selection

False Positives

The Kubernetes dashboard occasionally accesses the kubernetes-dashboard-key-holder secret

References

MITRE ATT&CK

Tactics

Sub-techniques

Related Rules

Azure Kubernetes Secret or Config Object Access

Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

eeb3e9e1-b685-44e4-9232-6bb701f925b5

Status

test

Level

low

Type

Detection

Created

Tue Mar 26

Author

Path

rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml

Raw Tags

attack.t1552.007attack.credential-access