
Summary
Detects list operations on Kubernetes Secrets from a non-loopback client when the request URI targets cluster-wide secrets or namespace-scoped lists under kube-system or default. It leverages Kubernetes audit logs (event.dataset:kubernetes.audit_logs, event.action:list, kubernetes.audit.objectRef.resource:secrets, and specific request URIs) and excludes localhost sources and known system controllers. The rule flags broad secret enumeration, which can precede credential exposure, by checking that the source IP is a non-loopback address and that the list is either cluster-wide or scoped to kube-system/default. It includes triage guidance, investigation steps, and false-positive considerations (e.g., legitimate controllers listing secrets). The MITRE ATT&CK mapping covers T1552 (Unsecured Credentials) with sub-technique T1552.007 (Container API) and T1613 (Container and Resource Discovery). The rule is a high-severity detection with a risk score of 73 and provides a detailed investigation guide and references for analysts.
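The following is an added example, not the rule's own query or any vendor code, that reproduces the detection logic described in the summary as a small Python matcher run over constructed Kubernetes audit events. The field layout (event.dataset, event.action, kubernetes.audit.objectRef.resource, kubernetes.audit.requestURI, kubernetes.audit.sourceIPs, kubernetes.audit.user.username), the two request-URI patterns, and the allow-list of system controller usernames are assumptions modelled on the summary; the sample events are constructed, not real cluster data.

```python
import ipaddress
import re

# Assumed request-URI shapes for a cluster-wide secrets list and for namespace-scoped
# lists under kube-system or default (query strings such as ?limit=500 are tolerated).
CLUSTER_WIDE_SECRETS = re.compile(r"^/api/v1/secrets(\?.*)?$")
SCOPED_SECRETS = re.compile(r"^/api/v1/namespaces/(kube-system|default)/secrets(\?.*)?$")

# Assumed allow-list of known system controllers; tune this per cluster.
KNOWN_SYSTEM_CONTROLLERS = {
    "system:kube-controller-manager",
    "system:kube-scheduler",
}


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1; unparsable values are treated as non-loopback."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def list_scope(uri: str):
    """Return 'cluster-wide', the namespace name, or None if the URI is out of scope."""
    if CLUSTER_WIDE_SECRETS.match(uri):
        return "cluster-wide"
    m = SCOPED_SECRETS.match(uri)
    return m.group(1) if m else None


def matches_rule(event: dict) -> bool:
    """Apply the detection conditions from the rule summary to one audit event."""
    ev = event.get("event", {})
    if ev.get("dataset") != "kubernetes.audit_logs" or ev.get("action") != "list":
        return False
    audit = event.get("kubernetes", {}).get("audit", {})
    if audit.get("objectRef", {}).get("resource") != "secrets":
        return False
    if list_scope(audit.get("requestURI", "")) is None:
        return False
    # Exclude requests whose every source address is loopback (e.g. local kubectl on the node).
    source_ips = audit.get("sourceIPs", [])
    if not source_ips or all(is_loopback(ip) for ip in source_ips):
        return False
    # Exclude known system controllers that legitimately list secrets.
    if audit.get("user", {}).get("username") in KNOWN_SYSTEM_CONTROLLERS:
        return False
    return True


def describe_alert(event: dict) -> dict:
    """Triage fields an analyst would want first: who, from where, and how broad the list was."""
    audit = event["kubernetes"]["audit"]
    return {
        "user": audit.get("user", {}).get("username"),
        "source_ips": list(audit.get("sourceIPs", [])),
        "scope": list_scope(audit.get("requestURI", "")),
    }


def find_alerts(events):
    return [describe_alert(e) for e in events if matches_rule(e)]


def make_event(action, resource, uri, source_ip, username):
    """Build a constructed audit event in the assumed ECS-style layout."""
    return {
        "event": {"dataset": "kubernetes.audit_logs", "action": action},
        "kubernetes": {"audit": {
            "objectRef": {"resource": resource},
            "requestURI": uri,
            "sourceIPs": [source_ip],
            "user": {"username": username},
        }},
    }


# Constructed sample events: exactly one should fire.
SAMPLE_EVENTS = [
    make_event("list", "secrets", "/api/v1/secrets?limit=500", "10.0.0.5", "dev-user"),
    make_event("list", "secrets", "/api/v1/namespaces/kube-system/secrets", "127.0.0.1", "dev-user"),
    make_event("list", "secrets", "/api/v1/namespaces/default/secrets", "10.0.0.9",
               "system:kube-controller-manager"),
    make_event("list", "secrets", "/api/v1/namespaces/payments/secrets", "10.0.0.5", "dev-user"),
    make_event("get", "secrets", "/api/v1/namespaces/default/secrets/db-creds", "10.0.0.5", "dev-user"),
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

The fourth sample (a list scoped to an application namespace) deliberately falls outside the rule, which is the false-negative side of the trade-off the summary describes: the rule targets cluster-wide and kube-system/default enumeration, so a wider namespace-scoped list needs a separate rule or a broader URI pattern.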
Categories
- Kubernetes
Data Sources
- File
ATT&CK Techniques
- T1552
- T1552.007
- T1613
Created: 2026-04-22