EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Kubernetes Potential Enumeration Activity

Detects potential Kubernetes enumeration or attack activity via the audit log. This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests. Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.

MITRE ATT&CK

T1609T1613
executiondiscovery

Detection Query

selection_status:
  responseStatus.code: ALLOW
selection_request_uri:
  requestURI|contains:
    - "%2fbin%2fash"
    - "%2fbin%2fbash"
    - "%2fbin%2fbusybox"
    - "%2fbin%2fdash"
    - "%2fbin%2fsh"
    - "%2fbin%2fzsh"
    - /bin/ash
    - /bin/bash
    - /bin/busybox
    - /bin/dash
    - /bin/sh
    - /bin/zsh
    - "%2fusr%2fbin%2fcurl"
    - "%2fusr%2fbin%2fkubectl"
    - "%2fusr%2fbin%2fperl"
    - "%2fusr%2fbin%2fpython"
    - "%2fusr%2fbin%2fwget"
    - /usr/bin/curl
    - /usr/bin/kubectl
    - /usr/bin/perl
    - /usr/bin/python
    - /usr/bin/wget
selection_request_user_agent:
  userAgent|contains:
    - access_matrix
    - trufflehog
    - azurehound
    - micro-scanner
condition: selection_status and 1 of selection_request_*

Author

uniqu3-us3r

Created

2026-04-28

Data Sources

kubernetesaudit

Platforms

kubernetes

References

Tags

attack.executionattack.discoveryattack.t1609attack.t1613
Raw Content
title: Kubernetes Potential Enumeration Activity
id: 597a7e84-187d-458b-9e4f-2f5a0e676711
status: experimental
description: |
    Detects potential Kubernetes enumeration or attack activity via the audit log.
    This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests.
    Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
references:
    - https://www.nccgroup.com/research/detection-engineering-for-kubernetes-clusters/
    - https://github.com/trufflesecurity/trufflehog
    - https://github.com/corneliusweig/rakkess
author: uniqu3-us3r
date: 2026-04-28
tags:
    - attack.execution
    - attack.discovery
    - attack.t1609
    - attack.t1613
logsource:
    product: kubernetes
    service: audit
detection:
    selection_status:
        responseStatus.code: 'ALLOW'
    selection_request_uri:
        requestURI|contains:
            # Shells Encoded
            - '%2fbin%2fash'
            - '%2fbin%2fbash'
            - '%2fbin%2fbusybox'
            - '%2fbin%2fdash'
            - '%2fbin%2fsh'
            - '%2fbin%2fzsh'
            # Shells Plain
            - '/bin/ash'
            - '/bin/bash'
            - '/bin/busybox'
            - '/bin/dash'
            - '/bin/sh'
            - '/bin/zsh'
            # Tools Encoded
            - '%2fusr%2fbin%2fcurl'
            - '%2fusr%2fbin%2fkubectl'
            - '%2fusr%2fbin%2fperl'
            - '%2fusr%2fbin%2fpython'
            - '%2fusr%2fbin%2fwget'
            # Tools Plain
            - '/usr/bin/curl'
            - '/usr/bin/kubectl'
            - '/usr/bin/perl'
            - '/usr/bin/python'
            - '/usr/bin/wget'
    selection_request_user_agent:
        userAgent|contains:
            - 'access_matrix'  # Rakkess
            - 'trufflehog'     # Secret scanning tool
            - 'azurehound'     # Azure/Cloud discovery
            - 'micro-scanner'  # Vulnerability scanning
    condition: selection_status and 1 of selection_request_*
falsepositives:
    - Authorized administrative maintenance via kubectl
    - Automated internal infrastructure monitoring and certificate rotation
    - Security-approved vulnerability or secret scanning in DevSecOps pipelines
level: medium