Credential reads under non-root home trees are intentionally excluded; clone the rule with explicit per-user file.path values and optional process.executable prefixes if you must cover interactive accounts, and add matching audit -w lines for those paths so auditd actually emits opened-file events for them.

Sample rules

Sensitive Identity File Open by Suspicious Process via Auditd

Description

Detects auditd opened-file reads of sensitive root and cluster paths (Kubernetes service account token mounts, kubelet and admin kubeconfig, PKI material, /etc/shadow, root SSH keys, root cloud CLI caches and Docker config) when the process name matches common copy, encoding, transfer or scripting utilities, the binary runs from a temp or run staging directory, or a shell is invoked with -c or -i. User home paths are excluded so the file watches stay explicit and aligned with the auditd -w rules that generate the events.

Detection logic

host.os.type:"linux" and 
data_stream.dataset:"auditd_manager.auditd" and 
event.category:"file" and 
event.action:"opened-file" and 
(
  process.name:(
    cp or mv or ln or cat or head or tail or 
    base64 or xxd or od or 
    curl or wget or 
    tar or zip or gzip or scp or rsync or 
    python* or perl* or ruby* or node or bun or php* or lua* or 
    tee or dd or 
    nc or ncat or netcat or socat or 
    openssl or ssh or sftp or 
    busybox or jq or yq or 
    strings or xargs or sed or awk or grep or find or 
    .*
  ) or 
  process.executable:(/tmp/* or /var/tmp/* or /dev/shm/* or /run/*) or 
  (process.name:(sh or bash or zsh or dash or fish or ksh) and process.args:("-c" or "-i"))
) and 
file.path:(
  "/var/run/secrets/kubernetes.io/serviceaccount/token" or
  "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" or 
  "/var/run/secrets/eks.amazonaws.com/serviceaccount/token" or
  "/var/run/secrets/azure/tokens/azure-identity-token" or
  "/var/run/secrets/tokens/azure-identity-token" or
  "/var/lib/kubelet/kubeconfig" or
  "/etc/kubernetes/admin.conf" or
  "/etc/kubernetes/pki/ca.key" or 
  "/etc/kubernetes/pki/apiserver-kubelet-client.key" or 
  "/var/lib/kubelet/pki/kubelet-client-current.pem" or 
  "/etc/rancher/k3s/k3s.yaml" or 
  "/etc/shadow" or
  "/root/.ssh/id_rsa" or
  "/root/.ssh/id_ed25519" or
  "/root/.ssh/id_ecdsa" or
  "/root/.aws/credentials" or
  "/root/.aws/config" or
  "/root/.aws/cli/cache" or
  "/root/.aws/sso/cache" or
  "/root/.azure/accessTokens.json" or
  "/root/.azure/azureProfile.json" or
  "/root/.azure/msal_token_cache.json" or
  "/root/.azure/msal_http_cache.bin" or
  "/root/.config/gcloud/application_default_credentials.json" or
  "/root/.config/gcloud/credentials.db" or
  "/root/.config/gcloud/access_tokens.db" or 
  "/root/.config/gcloud/legacy_credentials" or 
  "/root/.kube/config" or
  "/root/.docker/config.json"
)
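The clause structure above, and the per-user clone suggested in the false-positive note, as an added example (not part of the published rule): a small Python evaluator that applies a condensed copy of the rule's lists to constructed ECS-style auditd events, and a helper that emits the auditctl -w lines a cloned rule would need. The flat event dict, the `event()` builder and the `sensitive_identity_file` audit key are assumptions for this example.

```python
from fnmatch import fnmatchcase

# Condensed copy of the rule's lists (the full lists are in the query above);
# KQL globs such as python* and /tmp/* are evaluated with fnmatch, so the
# page's `.*` term becomes "any process name beginning with a dot".
PROCESS_PATTERNS = ("cp", "mv", "cat", "head", "tail", "base64", "curl", "wget", "tar",
                    "scp", "rsync", "tee", "dd", "nc", "socat", "openssl", "jq", "grep",
                    "python*", "perl*", "ruby*", "node", "php*", "lua*", ".*")
STAGING_PATTERNS = ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/*")
SHELLS = ("sh", "bash", "zsh", "dash", "fish", "ksh")
SENSITIVE_PATHS = frozenset({
    "/var/run/secrets/kubernetes.io/serviceaccount/token",
    "/var/lib/kubelet/kubeconfig", "/etc/kubernetes/admin.conf", "/etc/shadow",
    "/root/.ssh/id_rsa", "/root/.aws/credentials", "/root/.kube/config",
})

def suspicious_process(ev):
    """The rule's process clause: a listed utility name, a binary under a
    staging directory, or a shell started with -c or -i."""
    name = ev.get("process.name", "")
    exe = ev.get("process.executable", "")
    args = ev.get("process.args", [])
    if any(fnmatchcase(name, p) for p in PROCESS_PATTERNS):
        return True
    if any(fnmatchcase(exe, p) for p in STAGING_PATTERNS):
        return True
    return name in SHELLS and any(a in ("-c", "-i") for a in args)

def rule_matches(ev, extra_paths=()):
    """True when an auditd event would fire the rule. extra_paths models the
    explicit per-user list a cloned rule adds (empty for the rule as written)."""
    if ev.get("host.os.type") != "linux" or ev.get("data_stream.dataset") != "auditd_manager.auditd":
        return False
    if ev.get("event.category") != "file" or ev.get("event.action") != "opened-file":
        return False
    return suspicious_process(ev) and ev.get("file.path") in SENSITIVE_PATHS.union(extra_paths)

def audit_watch_lines(paths, key="sensitive_identity_file"):
    """auditctl -w read watches a cloned rule needs so its extra paths are audited at all."""
    return [f"-w {p} -p r -k {key}" for p in sorted(paths)]

def event(name, exe, path, args=(), action="opened-file"):
    """Constructed sample event using the ECS field names the query filters on."""
    return {"host.os.type": "linux", "data_stream.dataset": "auditd_manager.auditd",
            "event.category": "file", "event.action": action, "process.name": name,
            "process.executable": exe, "process.args": list(args), "file.path": path}
```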