From ff24aa95c9ac0c6cc3ee9dfb9643264274c1f4da Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Wed, 22 Apr 2026 18:16:56 +0100 Subject: [PATCH 1/4] [New] Kubernetes Secrets List Across Cluster or Sensitive Namespaces Detects `list` operations on Kubernetes Secrets from a non-loopback client when the request URI targets cluster-wide secrets or list operations under `kube-system` or `default`. Useful for spotting broad secret enumeration from remote clients. --- ...list_cluster_and_sensitive_namespaces.toml | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml diff --git a/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml b/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml new file mode 100644 index 00000000000..0e4063f7574 --- /dev/null +++ b/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml @@ -0,0 +1,86 @@ +[metadata] +creation_date = "2026/04/22" +integration = ["kubernetes"] +maturity = "production" +updated_date = "2026/04/22" + +[rule] +author = ["Elastic"] +description = """ +Detects `list` operations on Kubernetes Secrets from a non-loopback client when the request URI targets cluster-wide +secrets or list operations under `kube-system` or `default`. Useful for spotting broad secret enumeration from remote +clients. +""" +from = "now-9m" +index = ["logs-kubernetes.audit_logs-*"] +language = "kuery" +license = "Elastic License v2" +name = "Kubernetes Secrets List Across Cluster or Sensitive Namespaces" +note = """## Triage and analysis + +### Investigating Kubernetes Secrets List Across Cluster or Sensitive Namespaces + +Audit events for `list` on the `secrets` resource against `/api/v1/secrets`, paginated cluster lists, or namespace-scoped +lists under `kube-system` or `default`, from a source IP that is not localhost. + +### Investigation steps + +- Confirm the actor (`kubernetes.audit.user.username`, groups) and whether the client is expected (CI, admin bastion, controller). +- Review `kubernetes.audit.requestURI`, `user_agent.original`, and follow-on API activity from the same source. +- Assess exposure: cluster-wide secret listing can surface many credentials. + +### False positives + +- Legitimate controllers or operators listing secrets in `kube-system` / `default` from cluster nodes may match; tune by + source IP, user agent, or service account as needed. +""" +references = [ + "https://attack.mitre.org/techniques/T1552/007/", +] +risk_score = 73 +rule_id = "7e3f9a2b-1c4d-5e6f-8a0b-9c8d7e6f5a4b" +severity = "high" +tags = [ + "Data Source: Kubernetes", + "Domain: Kubernetes", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Discovery", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "query" +query = ''' +event.dataset:"kubernetes.audit_logs" and event.action:list and kubernetes.audit.objectRef.resource:secrets and kubernetes.audit.requestURI :(/api/v1/secrets or /api/v1/secrets?limit* or /api/v1/namespaces/kube-system/secrets or /api/v1/namespaces/kube-system/secrets?limit* or /api/v1/namespaces/default/secrets or /api/v1/namespaces/default/secrets?limit*) and source.ip:(* and not ("::1" or "127.0.0.1")) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.007" +name = "Container API" +reference = "https://attack.mitre.org/techniques/T1552/007/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" From cc5627d06c5045159500df360e40058b9702aae7 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Fri, 1 May 2026 10:38:36 +0100 Subject: [PATCH 2/4] Update credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml --- ..._secrets_list_cluster_and_sensitive_namespaces.toml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml b/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml index 0e4063f7574..49c3090e5fb 100644 --- a/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml +++ b/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml @@ -7,8 +7,8 @@ updated_date = "2026/04/22" [rule] author = ["Elastic"] description = """ -Detects `list` operations on Kubernetes Secrets from a non-loopback client when the request URI targets cluster-wide -secrets or list operations under `kube-system` or `default`. Useful for spotting broad secret enumeration from remote +Detects list operations on Kubernetes Secrets from a non-loopback client when the request URI targets cluster-wide +secrets or list operations under kube-system or default. Useful for spotting broad secret enumeration from remote clients. """ from = "now-9m" @@ -51,7 +51,11 @@ tags = [ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:"kubernetes.audit_logs" and event.action:list and kubernetes.audit.objectRef.resource:secrets and kubernetes.audit.requestURI :(/api/v1/secrets or /api/v1/secrets?limit* or /api/v1/namespaces/kube-system/secrets or /api/v1/namespaces/kube-system/secrets?limit* or /api/v1/namespaces/default/secrets or /api/v1/namespaces/default/secrets?limit*) and source.ip:(* and not ("::1" or "127.0.0.1")) +event.dataset:"kubernetes.audit_logs" and event.action:list and +kubernetes.audit.objectRef.resource:secrets and +kubernetes.audit.requestURI :(/api/v1/secrets or /api/v1/secrets?limit* or /api/v1/namespaces/kube-system/secrets or /api/v1/namespaces/kube-system/secrets?limit* or /api/v1/namespaces/default/secrets or /api/v1/namespaces/default/secrets?limit*) and +source.ip:(* and not ("::1" or "127.0.0.1")) and +not user.name: (system\:kube-controller-manager or eks\:cloud-controller-manager or eks\:kms-storage-migrator) ''' [[rule.threat]] From 7cc6bec483f52076eac3107f39c3bc14cdfe4be9 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Fri, 1 May 2026 10:38:57 +0100 Subject: [PATCH 3/4] Update credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml --- ...ubernetes_secrets_list_cluster_and_sensitive_namespaces.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml b/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml index 49c3090e5fb..32819f1f6d2 100644 --- a/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml +++ b/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml @@ -11,7 +11,7 @@ Detects list operations on Kubernetes Secrets from a non-loopback client when th secrets or list operations under kube-system or default. Useful for spotting broad secret enumeration from remote clients. """ -from = "now-9m" +from = "now-6m" index = ["logs-kubernetes.audit_logs-*"] language = "kuery" license = "Elastic License v2" From aa6446516a947c422a6f9f36d432dcd51e356718 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Sat, 2 May 2026 10:28:22 +0100 Subject: [PATCH 4/4] Update rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml Co-authored-by: Mika Ayenson, PhD --- ...ubernetes_secrets_list_cluster_and_sensitive_namespaces.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml b/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml index 32819f1f6d2..bc3aff2b57f 100644 --- a/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml +++ b/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml @@ -25,7 +25,7 @@ lists under `kube-system` or `default`, from a source IP that is not localhost. ### Investigation steps -- Confirm the actor (`kubernetes.audit.user.username`, groups) and whether the client is expected (CI, admin bastion, controller). +- Confirm the actor (`user.name`, groups) and whether the client is expected (CI, admin bastion, controller). - Review `kubernetes.audit.requestURI`, `user_agent.original`, and follow-on API activity from the same source. - Assess exposure: cluster-wide secret listing can surface many credentials.