Sigma detection rules

Home/Sigma rules

Sigma

1 rules indexed · SIEM-agnostic detection content

Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Severity critical high medium low all severities

◈

Detection rules

1 shown of 1

medium

Kubernetes Potential Enumeration Activity

Detects potential Kubernetes enumeration or attack activity via the audit log. This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests. Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.

status experimental author uniqu3-us3r id 597a7e84-187d-458b-9e4f-2f5a0e676711

view Sigma YAML

title: Kubernetes Potential Enumeration Activity
id: 597a7e84-187d-458b-9e4f-2f5a0e676711
status: experimental
description: |
    Detects potential Kubernetes enumeration or attack activity via the audit log.
    This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests.
    Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
references:
    - https://www.nccgroup.com/research/detection-engineering-for-kubernetes-clusters/
    - https://github.com/trufflesecurity/trufflehog
    - https://github.com/corneliusweig/rakkess
author: uniqu3-us3r
date: 2026-04-28
tags:
    - attack.execution
    - attack.discovery
    - attack.t1609
    - attack.t1613
logsource:
    product: kubernetes
    service: audit
detection:
    selection_status:
        responseStatus.code: 'ALLOW'
    selection_request_uri:
        requestURI|contains:
            # Shells Encoded
            - '%2fbin%2fash'
            - '%2fbin%2fbash'
            - '%2fbin%2fbusybox'
            - '%2fbin%2fdash'
            - '%2fbin%2fsh'
            - '%2fbin%2fzsh'
            # Shells Plain
            - '/bin/ash'
            - '/bin/bash'
            - '/bin/busybox'
            - '/bin/dash'
            - '/bin/sh'
            - '/bin/zsh'
            # Tools Encoded
            - '%2fusr%2fbin%2fcurl'
            - '%2fusr%2fbin%2fkubectl'
            - '%2fusr%2fbin%2fperl'
            - '%2fusr%2fbin%2fpython'
            - '%2fusr%2fbin%2fwget'
            # Tools Plain
            - '/usr/bin/curl'
            - '/usr/bin/kubectl'
            - '/usr/bin/perl'
            - '/usr/bin/python'
            - '/usr/bin/wget'
    selection_request_user_agent:
        userAgent|contains:
            - 'access_matrix'  # Rakkess
            - 'trufflehog'     # Secret scanning tool
            - 'azurehound'     # Azure/Cloud discovery
            - 'micro-scanner'  # Vulnerability scanning
    condition: selection_status and 1 of selection_request_*
falsepositives:
    - Authorized administrative maintenance via kubectl
    - Automated internal infrastructure monitoring and certificate rotation
    - Security-approved vulnerability or secret scanning in DevSecOps pipelines
level: medium

Showing 1-1 of 1

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin