[New] Kubernetes Secrets List Across Cluster or Sensitive Namespaces #5966
Merged
9 commits:
- ff24aa9 (Samirbous): [New] Kubernetes Secrets List Across Cluster or Sensitive Namespaces
- 6b50f1e (Samirbous): Merge branch 'main' into k8-list-secrets-all
- cc5627d (Samirbous): Update credential_access_kubernetes_secrets_list_cluster_and_sensitiv…
- 7cc6bec (Samirbous): Update credential_access_kubernetes_secrets_list_cluster_and_sensitiv…
- 8332cd3 (Samirbous): Merge branch 'main' into k8-list-secrets-all
- aa64465 (Samirbous): Update rules/integrations/kubernetes/credential_access_kubernetes_sec…
- 2c9c259 (Samirbous): Merge branch 'main' into k8-list-secrets-all
- 2743e7c (Samirbous): Merge branch 'main' into k8-list-secrets-all
- 13a724f (Samirbous): Merge branch 'main' into k8-list-secrets-all
90 changes: 90 additions & 0 deletions
...ubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,90 @@ | ||
| [metadata] | ||
| creation_date = "2026/04/22" | ||
| integration = ["kubernetes"] | ||
| maturity = "production" | ||
| updated_date = "2026/04/22" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Detects list operations on Kubernetes Secrets from a non-loopback client when the request URI targets cluster-wide | ||
| secrets or list operations under kube-system or default. Useful for spotting broad secret enumeration from remote | ||
| clients. | ||
| """ | ||
| from = "now-6m" | ||
| index = ["logs-kubernetes.audit_logs-*"] | ||
| language = "kuery" | ||
| license = "Elastic License v2" | ||
| name = "Kubernetes Secrets List Across Cluster or Sensitive Namespaces" | ||
| note = """## Triage and analysis | ||
|
|
||
| ### Investigating Kubernetes Secrets List Across Cluster or Sensitive Namespaces | ||
|
|
||
| Audit events for `list` on the `secrets` resource against `/api/v1/secrets`, paginated cluster lists, or namespace-scoped | ||
| lists under `kube-system` or `default`, from a source IP that is not localhost. | ||
|
|
||
| ### Investigation steps | ||
|
|
||
| - Confirm the actor (`user.name`, groups) and whether the client is expected (CI, admin bastion, controller). | ||
| - Review `kubernetes.audit.requestURI`, `user_agent.original`, and follow-on API activity from the same source. | ||
| - Assess exposure: cluster-wide secret listing can surface many credentials. | ||
|
|
||
| ### False positives | ||
|
|
||
| - Legitimate controllers or operators listing secrets in `kube-system` / `default` from cluster nodes may match; tune by | ||
| source IP, user agent, or service account as needed. | ||
| """ | ||
| references = [ | ||
| "https://attack.mitre.org/techniques/T1552/007/", | ||
| ] | ||
| risk_score = 73 | ||
| rule_id = "7e3f9a2b-1c4d-5e6f-8a0b-9c8d7e6f5a4b" | ||
| severity = "high" | ||
| tags = [ | ||
| "Data Source: Kubernetes", | ||
| "Domain: Kubernetes", | ||
| "Use Case: Threat Detection", | ||
| "Tactic: Credential Access", | ||
| "Tactic: Discovery", | ||
| "Resources: Investigation Guide", | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "query" | ||
| query = ''' | ||
| event.dataset:"kubernetes.audit_logs" and event.action:list and | ||
| kubernetes.audit.objectRef.resource:secrets and | ||
| kubernetes.audit.requestURI :(/api/v1/secrets or /api/v1/secrets?limit* or /api/v1/namespaces/kube-system/secrets or /api/v1/namespaces/kube-system/secrets?limit* or /api/v1/namespaces/default/secrets or /api/v1/namespaces/default/secrets?limit*) and | ||
|
|
||
| source.ip:(* and not ("::1" or "127.0.0.1")) and | ||
| not user.name: (system\:kube-controller-manager or eks\:cloud-controller-manager or eks\:kms-storage-migrator) | ||
| ''' | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
|
|
||
| [[rule.threat.technique]] | ||
| id = "T1552" | ||
| name = "Unsecured Credentials" | ||
| reference = "https://attack.mitre.org/techniques/T1552/" | ||
|
|
||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1552.007" | ||
| name = "Container API" | ||
| reference = "https://attack.mitre.org/techniques/T1552/007/" | ||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0006" | ||
| name = "Credential Access" | ||
| reference = "https://attack.mitre.org/tactics/TA0006/" | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
|
|
||
| [[rule.threat.technique]] | ||
| id = "T1613" | ||
| name = "Container and Resource Discovery" | ||
| reference = "https://attack.mitre.org/techniques/T1613/" | ||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0007" | ||
| name = "Discovery" | ||
| reference = "https://attack.mitre.org/tactics/TA0007/" | ||
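Review bot: the `kubernetes.audit.requestURI` clause in the `query` block only matches a bare path or a query string that begins with `limit`, so the "paginated cluster lists" named in the description are only partly covered: a follow-on page whose query string starts with another parameter (for example a `continue=` token, or a `labelSelector=`/`fieldSelector=` filter) falls outside the six literal values and is not matched. Consider wildcarding the query string for each path (`/api/v1/secrets*` style patterns) or, for the namespace-scoped cases, pairing `kubernetes.audit.objectRef.resource:secrets` with `kubernetes.audit.objectRef.namespace:(kube-system or default)` so the match does not depend on parameter order. Separately, the query has no `kubernetes.audit.stage` or `kubernetes.audit.responseStatus.code` condition; since the API server emits an audit event per stage, one list request can fire the rule more than once, and a denied list scores the same as a successful one, which the "Assess exposure" investigation step may want to distinguish.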