Merge PR #5916 from @uniqu3-us3r - Add Kubernetes Potential Enumeration Activity

new: Kubernetes Potential Enumeration Activity --------- Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-27 18:43:10 -04:00
parent 96c0fa6176
commit f0c4235fcb
1 changed files with 64 additions and 0 deletions
@@ -0,0 +1,64 @@
+title: Kubernetes Potential Enumeration Activity
+id: 597a7e84-187d-458b-9e4f-2f5a0e676711
+status: experimental
+description: |
+    Detects potential Kubernetes enumeration or attack activity via the audit log.
+    This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests.
+    Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
+references:
+    - https://www.nccgroup.com/research/detection-engineering-for-kubernetes-clusters/
+    - https://github.com/trufflesecurity/trufflehog
+    - https://github.com/corneliusweig/rakkess
+author: uniqu3-us3r
+date: 2026-04-28
+tags:
+    - attack.execution
+    - attack.discovery
+    - attack.t1609
+    - attack.t1613
+logsource:
+    product: kubernetes
+    service: audit
+detection:
+    selection_status:
+        responseStatus.code: 'ALLOW'
+    selection_request_uri:
+        requestURI|contains:
+            # Shells Encoded
+            - '%2fbin%2fash'
+            - '%2fbin%2fbash'
+            - '%2fbin%2fbusybox'
+            - '%2fbin%2fdash'
+            - '%2fbin%2fsh'
+            - '%2fbin%2fzsh'
+            # Shells Plain
+            - '/bin/ash'
+            - '/bin/bash'
+            - '/bin/busybox'
+            - '/bin/dash'
+            - '/bin/sh'
+            - '/bin/zsh'
+            # Tools Encoded
+            - '%2fusr%2fbin%2fcurl'
+            - '%2fusr%2fbin%2fkubectl'
+            - '%2fusr%2fbin%2fperl'
+            - '%2fusr%2fbin%2fpython'
+            - '%2fusr%2fbin%2fwget'
+            # Tools Plain
+            - '/usr/bin/curl'
+            - '/usr/bin/kubectl'
+            - '/usr/bin/perl'
+            - '/usr/bin/python'
+            - '/usr/bin/wget'
+    selection_request_user_agent:
+        userAgent|contains:
+            - 'access_matrix'  # Rakkess
+            - 'trufflehog'     # Secret scanning tool
+            - 'azurehound'     # Azure/Cloud discovery
+            - 'micro-scanner'  # Vulnerability scanning
+    condition: selection_status and 1 of selection_request_*
+falsepositives:
+    - Authorized administrative maintenance via kubectl
+    - Automated internal infrastructure monitoring and certificate rotation
+    - Security-approved vulnerability or secret scanning in DevSecOps pipelines
+level: medium