operators may use ad hoc http clients, scripts, or penetration-test images during approved exercises or break-glass maintenance; validate tickets, source ip, and identity before treating as compromise.

t1552
kubernetes
elastic

Techniques

T1552

Sample rules

Kubernetes Secret get or list with Suspicious User Agent

source: elastic
technicques:
- T1552

Description

Detects read access to Kubernetes Secrets (get/list) with a user agent matching a curated set of non-standard or attacker-leaning clients, for example minimal HTTP tooling, common scripting stacks, default library fingerprints, or distribution-tagged strings associated with offensive-security Linux images. Legitimate in-cluster automation usually presents stable, purpose-specific user agents (for example controller or client-go variants used by known components).

Detection logic

data_stream.dataset:"kubernetes.audit_logs" and
event.action:(get or list) and
kubernetes.audit.objectRef.resource:"secrets" and
user_agent.original:(curl* or python* or Python* or wget* or Go-http* or perl* or java* or node* or php* or *distrib#kali* or *kali-amd64 or *kali-arm64*) and
source.ip:*