title: Kubernetes Potential Enumeration Activity
id: 597a7e84-187d-458b-9e4f-2f5a0e676711
status: experimental
description: |
Detects potential Kubernetes enumeration or attack activity via the audit log.
This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests.
Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
references:
- https://www.nccgroup.com/research/detection-engineering-for-kubernetes-clusters/
- https://github.com/trufflesecurity/trufflehog
- https://github.com/corneliusweig/rakkess
author: uniqu3-us3r
date: 2026-04-28
tags:
- attack.execution
- attack.discovery
- attack.t1609
- attack.t1613
logsource:
product: kubernetes
service: audit
detection:
selection_status:
responseStatus.code: 'ALLOW'
selection_request_uri:
requestURI|contains:
# Shells Encoded
- '%2fbin%2fash'
- '%2fbin%2fbash'
- '%2fbin%2fbusybox'
- '%2fbin%2fdash'
- '%2fbin%2fsh'
- '%2fbin%2fzsh'
# Shells Plain
- '/bin/ash'
- '/bin/bash'
- '/bin/busybox'
- '/bin/dash'
- '/bin/sh'
- '/bin/zsh'
# Tools Encoded
- '%2fusr%2fbin%2fcurl'
- '%2fusr%2fbin%2fkubectl'
- '%2fusr%2fbin%2fperl'
- '%2fusr%2fbin%2fpython'
- '%2fusr%2fbin%2fwget'
# Tools Plain
- '/usr/bin/curl'
- '/usr/bin/kubectl'
- '/usr/bin/perl'
- '/usr/bin/python'
- '/usr/bin/wget'
selection_request_user_agent:
userAgent|contains:
- 'access_matrix' # Rakkess
- 'trufflehog' # Secret scanning tool
- 'azurehound' # Azure/Cloud discovery
- 'micro-scanner' # Vulnerability scanning
condition: selection_status and 1 of selection_request_*
falsepositives:
- Authorized administrative maintenance via kubectl
- Automated internal infrastructure monitoring and certificate rotation
- Security-approved vulnerability or secret scanning in DevSecOps pipelines
level: medium
title: Potential Remote Command Execution In Pod Container
id: a1b0ca4e-7835-413e-8471-3ff2b8a66be6
status: test
description: |
Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.t1609
- attack.execution
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'create'
objectRef.resource: 'pods'
objectRef.subresource: 'exec'
condition: selection
falsepositives:
- Legitimate debugging activity. Investigate the identity performing the requests and their authorization.
level: medium
title: Potential Sidecar Injection Into Running Deployment
id: ad9012a6-e518-4432-9890-f3b82b8fc71f
status: test
description: |
Detects attempts to inject a sidecar container into a running deployment.
A sidecar container is an additional container within a pod, that resides alongside the main container.
One way to add containers to running resources like Deployments/DeamonSets/StatefulSets, is via a "kubectl patch" operation.
By injecting a new container within a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separated pod in the cluster.
references:
- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.t1609
- attack.execution
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'patch'
apiGroup: 'apps'
objectRef.resource: 'deployments'
condition: selection
falsepositives:
- Unknown
level: medium