Techniques
Sample rules
Kubernetes Potential Enumeration Activity
- source: sigma
- techniques:
- t1609
- t1613
Description
Detects potential Kubernetes enumeration or attack activity in the API server audit log. The rule inspects allowed requests for two things: a request URI that carries the path of a common shell or utility, as passed in the command parameters of a pods/exec request (hence the percent-encoded variants of each path), and a User-Agent that identifies a specialized tool such as Rakkess (access_matrix), TruffleHog, AzureHound or micro-scanner. Attackers use these methods for reconnaissance (enumeration), secret harvesting, or code execution (exec) inside a cluster.
Detection logic
  condition: selection_status and 1 of selection_request_*
  selection_request_uri:
    requestURI|contains:
      - '%2fbin%2fash'
      - '%2fbin%2fbash'
      - '%2fbin%2fbusybox'
      - '%2fbin%2fdash'
      - '%2fbin%2fsh'
      - '%2fbin%2fzsh'
      - /bin/ash
      - /bin/bash
      - /bin/busybox
      - /bin/dash
      - /bin/sh
      - /bin/zsh
      - '%2fusr%2fbin%2fcurl'
      - '%2fusr%2fbin%2fkubectl'
      - '%2fusr%2fbin%2fperl'
      - '%2fusr%2fbin%2fpython'
      - '%2fusr%2fbin%2fwget'
      - /usr/bin/curl
      - /usr/bin/kubectl
      - /usr/bin/perl
      - /usr/bin/python
      - /usr/bin/wget
  selection_request_user_agent:
    userAgent|contains:
      - access_matrix
      - trufflehog
      - azurehound
      - micro-scanner
  selection_status:
    responseStatus.code: ALLOW
Notes
- Sigma string matching is case-insensitive unless the |cased modifier is used, so the lowercase '%2fbin%2fsh' patterns also match the '%2Fbin%2Fsh' encoding that kubectl emits. A backend that compiles contains as case-sensitive will need both spellings.
- The URI selection only fires when the command is passed as an absolute path. 'kubectl exec web-0 -- sh' sends command=sh and is not matched, so pair this rule with a broader pods/exec detection rather than relying on it alone.
- User-Agent strings are chosen by the client and trivially changed; the user-agent selection catches default tool builds, not a careful operator.
- In a native kube-apiserver audit event, responseStatus.code is the HTTP status code (200 for a listing, 101 for an exec upgrade, 403 when RBAC refuses), and the authorization outcome is recorded in annotations under authorization.k8s.io/decision with the value allow or forbid. Check how your log pipeline maps these fields before deploying the selection_status gate as written.
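To see what the logic above does and does not catch, here is the rule evaluated over a handful of constructed kube-apiserver audit events. This is an added example, not the Sigma project's code: the events are hand-written in the shape the apiserver emits (not captured from a cluster), and the page's responseStatus.code: ALLOW gate is evaluated against the authorization.k8s.io/decision annotation, which is an assumption about how that field is mapped.

```python
"""Evaluate the 'Kubernetes Potential Enumeration Activity' logic over audit events.

Added example, not the Sigma project's own code. The audit events are
constructed, and selection_status is mapped to the apiserver's authorization
decision annotation (an assumption; see was_allowed()).
"""
from urllib.parse import parse_qs, urlsplit

# Paths from selection_request_uri. The rule lists each one twice, plain and
# with '/' percent-encoded, because a pods/exec request carries its argv in
# repeated command= query parameters, where clients encode the slashes.
SHELL_PATHS = [
    "/bin/ash", "/bin/bash", "/bin/busybox", "/bin/dash", "/bin/sh", "/bin/zsh",
    "/usr/bin/curl", "/usr/bin/kubectl", "/usr/bin/perl", "/usr/bin/python", "/usr/bin/wget",
]
REQUEST_URI_PATTERNS = SHELL_PATHS + [p.replace("/", "%2f") for p in SHELL_PATHS]

# Substrings from selection_request_user_agent.
USER_AGENT_PATTERNS = ["access_matrix", "trufflehog", "azurehound", "micro-scanner"]


def contains_any(value, patterns):
    """Sigma 'contains' without |cased is case-insensitive, so the rule's
    '%2fbin%2fsh' also matches the '%2Fbin%2Fsh' form kubectl sends."""
    haystack = (value or "").lower()
    return any(p.lower() in haystack for p in patterns)


def was_allowed(event):
    """selection_status. Assumption: on a native audit event the authorization
    outcome is the allow/forbid annotation below; responseStatus.code there is
    the HTTP status, so the page's literal ALLOW is mapped to the annotation."""
    return event.get("annotations", {}).get("authorization.k8s.io/decision") == "allow"


def evaluate(event):
    """Return the names of the matched selection_request_* selections; [] = no alert.
    Mirrors: condition: selection_status and 1 of selection_request_*"""
    if not was_allowed(event):
        return []
    matched = []
    if contains_any(event.get("requestURI"), REQUEST_URI_PATTERNS):
        matched.append("selection_request_uri")
    if contains_any(event.get("userAgent"), USER_AGENT_PATTERNS):
        matched.append("selection_request_user_agent")
    return matched


def exec_command(event):
    """Triage helper: recover the argv of a pods/exec request from its
    repeated command= query parameters (percent-decoded by parse_qs)."""
    return parse_qs(urlsplit(event.get("requestURI", "")).query).get("command", [])


def scan(events):
    """Map auditID -> matched selections for every event that alerts."""
    hits = {}
    for event in events:
        matched = evaluate(event)
        if matched:
            hits[event["auditID"]] = matched
    return hits


def _event(audit_id, uri, agent, decision="allow", code=200, user="dev@example.com"):
    # Constructed event carrying only the fields the rule reads plus a few for triage.
    return {
        "auditID": audit_id, "stage": "ResponseComplete",
        "verb": "create" if "/exec?" in uri else "list",
        "user": {"username": user}, "userAgent": agent, "requestURI": uri,
        "annotations": {"authorization.k8s.io/decision": decision},
        "responseStatus": {"code": code},
    }


KUBECTL_UA = "kubectl/v1.29.0 (linux/amd64) kubernetes/0123abc"

SAMPLE_EVENTS = [  # constructed, not captured from a real cluster
    # 1: shell via exec with an absolute path -> selection_request_uri
    _event("ev-1", "/api/v1/namespaces/default/pods/web-0/exec?command=%2Fbin%2Fsh&command=-c&command=id&stdout=true",
           KUBECTL_UA, code=101, user="system:serviceaccount:default:web"),
    # 2: secret sweep with a recognisable tool User-Agent -> selection_request_user_agent
    _event("ev-2", "/api/v1/secrets?limit=500", "TruffleHog/3.63.0"),
    # 3: same shell by relative name (kubectl exec web-0 -- sh) -> NOT matched, a rule gap
    _event("ev-3", "/api/v1/namespaces/default/pods/web-0/exec?command=sh&command=-c&command=id&stdout=true",
           KUBECTL_UA, code=101),
    # 4: shell attempt that RBAC refused -> filtered out by selection_status
    _event("ev-4", "/api/v1/namespaces/kube-system/pods/dns-0/exec?command=%2Fbin%2Fbash&stdin=true",
           KUBECTL_UA, decision="forbid", code=403),
    # 5: ordinary pod listing -> no match
    _event("ev-5", "/api/v1/namespaces/default/pods?limit=500", KUBECTL_UA),
]

if __name__ == "__main__":
    for audit_id, matched in scan(SAMPLE_EVENTS).items():
        ev = next(e for e in SAMPLE_EVENTS if e["auditID"] == audit_id)
        print(audit_id, ev["user"]["username"], matched, exec_command(ev) or ev["requestURI"])
```

Only ev-1 and ev-2 alert. ev-3 is the case worth noticing: the same command run through kubectl exec with a bare name never contains a listed path, so the URI selection stays silent, and ev-4 shows that a refused attempt is dropped by the status gate even though the shell path is present.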