From f0c4235fcb41ea654cab7537eb9ec4fe1fef799e Mon Sep 17 00:00:00 2001
From: uniqueuser <48743459+uniqu3-us3r@users.noreply.github.com>
Date: Mon, 27 Apr 2026 18:43:10 -0400
Subject: [PATCH] Merge PR #5916 from @uniqu3-us3r - Add `Kubernetes Potential Enumeration Activity`

new: Kubernetes Potential Enumeration Activity

---------

Co-authored-by: Nasreddine Bencherchali
---
 ...s_audit_potential_enumeration_activity.yml | 64 +++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 rules/application/kubernetes/audit/kubernetes_audit_potential_enumeration_activity.yml

diff --git a/rules/application/kubernetes/audit/kubernetes_audit_potential_enumeration_activity.yml b/rules/application/kubernetes/audit/kubernetes_audit_potential_enumeration_activity.yml
new file mode 100644
index 000000000..c7a743389
--- /dev/null
+++ b/rules/application/kubernetes/audit/kubernetes_audit_potential_enumeration_activity.yml
@@ -0,0 +1,64 @@
+title: Kubernetes Potential Enumeration Activity
+id: 597a7e84-187d-458b-9e4f-2f5a0e676711
+status: experimental
+description: |
+    Detects potential Kubernetes enumeration or attack activity via the audit log.
+    This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests.
+    Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
+references:
+    - https://www.nccgroup.com/research/detection-engineering-for-kubernetes-clusters/
+    - https://github.com/trufflesecurity/trufflehog
+    - https://github.com/corneliusweig/rakkess
+author: uniqu3-us3r
+date: 2026-04-28
+tags:
+    - attack.execution
+    - attack.discovery
+    - attack.t1609
+    - attack.t1613
+logsource:
+    product: kubernetes
+    service: audit
+detection:
+    selection_status:
+        responseStatus.code: 'ALLOW'
+    selection_request_uri:
+        requestURI|contains:
+            # Shells Encoded
+            - '%2fbin%2fash'
+            - '%2fbin%2fbash'
+            - '%2fbin%2fbusybox'
+            - '%2fbin%2fdash'
+            - '%2fbin%2fsh'
+            - '%2fbin%2fzsh'
+            # Shells Plain
+            - '/bin/ash'
+            - '/bin/bash'
+            - '/bin/busybox'
+            - '/bin/dash'
+            - '/bin/sh'
+            - '/bin/zsh'
+            # Tools Encoded
+            - '%2fusr%2fbin%2fcurl'
+            - '%2fusr%2fbin%2fkubectl'
+            - '%2fusr%2fbin%2fperl'
+            - '%2fusr%2fbin%2fpython'
+            - '%2fusr%2fbin%2fwget'
+            # Tools Plain
+            - '/usr/bin/curl'
+            - '/usr/bin/kubectl'
+            - '/usr/bin/perl'
+            - '/usr/bin/python'
+            - '/usr/bin/wget'
+    selection_request_user_agent:
+        userAgent|contains:
+            - 'access_matrix'  # Rakkess
+            - 'trufflehog'  # Secret scanning tool
+            - 'azurehound'  # Azure/Cloud discovery
+            - 'micro-scanner'  # Vulnerability scanning
+    condition: selection_status and 1 of selection_request_*
+falsepositives:
+    - Authorized administrative maintenance via kubectl
+    - Automated internal infrastructure monitoring and certificate rotation
+    - Security-approved vulnerability or secret scanning in DevSecOps pipelines
+level: medium
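Review bot: `responseStatus.code: 'ALLOW'` in `selection_status` will in all likelihood never match, which makes the whole rule dead because the condition requires it: in the Kubernetes audit `Event` schema `responseStatus.code` is the numeric HTTP status (200, 201, 403 …), and the authorization outcome is carried in the `authorization.k8s.io/decision` annotation with the values `allow`/`forbid`. Unless the ingestion pipeline rewrites that field (worth confirming against a captured exec event before merging), the filter should key on the annotation, e.g. `annotations.authorization.k8s.io/decision: 'allow'`, or on a success-range status such as `responseStatus.code|lt: 400`; note that exec/attach sessions are typically recorded with status 101 (protocol switch), so a plain `200` would miss exactly the events this rule targets. Separately, `selection_request_uri` only lists absolute paths, while the common `kubectl exec -it <pod> -- sh|bash` form is logged as `command=sh` / `command=bash`, so an attacker evades the shell branch by omitting the path; adding `command=sh`, `command=bash` (anchored with `'/exec?'` to keep a bare `contains` from matching unrelated URIs) would close that gap.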