Kubectl Secrets Enumeration Across All Namespaces

About

Tags

Domain: EndpointDomain: ContainerDomain: KubernetesOS: LinuxOS: macOSUse Case: Threat DetectionTactic: DiscoveryTactic: Credential AccessData Source: Elastic DefendData Source: Elastic EndgameData Source: Auditd ManagerData Source: CrowdstrikeData Source: SentinelOneData Source: Elastic Defend for ContainersLanguage: eql

Severity

medium

Risk Score

47

MITRE ATT&CK™

Discovery (TA0007)(external, opens in a new tab or window)

↳ Container and Resource Discovery (T1613)(external, opens in a new tab or window)

Credential Access (TA0006)(external, opens in a new tab or window)

↳ Unsecured Credentials (T1552)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

auditbeat-*endgame-*logs-auditd_manager.auditd-*logs-crowdstrike.fdr*logs-endpoint.events.process*logs-sentinel_one_cloud_funnel.*logs-cloud_defend.process*

Related Integrations

endpoint(external, opens in a new tab or window)

auditd_manager(external, opens in a new tab or window)

crowdstrike(external, opens in a new tab or window)

sentinel_one_cloud_funnel(external, opens in a new tab or window)

cloud_defend(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗process where host.os.type in ("linux", "macos") and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name == "kubectl" and process.args in ("get", "describe") and process.args in ("secret", "secrets") and
process.args in ("--all-namespaces", "-A")