Kubernetes and Cloud Credential Path Access via Process Arguments
Flags Linux process executions whose arguments reference high-value Kubernetes service-account material, kubeconfig or node PKI paths, or common cloud and SSH credential files, when invoked via typical file-reading utilities or from ephemeral directories. Useful for spotting in-cluster and hybrid credential theft early.
Detection Query
host.os.type:linux and event.category:process and event.action:(exec or executed) and
(
process.name:(
busybox or cat or head or tail or more or less or sed or awk or
find or grep or ls or whereis or cp or mv or ln or
curl or wget or scp or rsync or tar or zip or gzip or
base64 or xxd or od or dd or tee or strings or xargs or jq or yq or
openssl or ssh or sftp or nc or ncat or netcat or socat or
python* or perl* or ruby* or node or php* or lua* or .*
) or
process.args:(
cat or head or tail or more or less or sed or awk or
find or grep or cp or mv or curl or wget or base64 or
tar or scp or dd or strings or xargs
) or
process.executable:(/tmp/* or /var/tmp/* or /dev/shm/* or /home/* or /run/user/*)
) and process.args:(
"/var/run/secrets/kubernetes.io/serviceaccount/token" or
"/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" or
"/var/run/secrets/eks.amazonaws.com/serviceaccount/token" or
"/var/run/secrets/azure/tokens/azure-identity-token" or
"/var/run/secrets/tokens/azure-identity-token" or
"/var/lib/kubelet/kubeconfig" or
"/etc/kubernetes/admin.conf" or
"/etc/kubernetes/pki/ca.key" or
"/etc/kubernetes/pki/apiserver-kubelet-client.key" or
"/var/lib/kubelet/pki/kubelet-client-current.pem" or
"/etc/rancher/k3s/k3s.yaml" or
"/etc/shadow" or
*/.ssh/id_rsa or
*/root/.ssh/id_ed25519 or
*/.ssh/id_ecdsa or
*/.aws/credentials or
*/.aws/cli/cache/*.json or
*/.aws/sso/cache/*.json or
*/.azure/accessTokens.json or
*/.azure/azureProfile.json or
*/.azure/msal_token_cache.json or
*/.config/gcloud/application_default_credentials.json or
*/.config/gcloud/credentials.db or
*/.config/gcloud/access_tokens.db or
*/.config/gcloud/legacy_credentials or
*/.kube/config or
*/.docker/config.json
)
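To see how the query's clauses combine, here is an added illustration (not part of Elastic's rule, not Elastic's code) that replays the rule's logic in plain Python over constructed ECS-style events. It reproduces the reader-utility, reader-in-arguments and ephemeral-directory clauses with a subset of the credential path list, treats `*` as the KQL wildcard (spanning `/`), omits the query's trailing `.*` name entry, and assumes events arrive as flat dicts keyed by the dotted ECS field names.

```python
import fnmatch

# Added example, not Elastic's code: replays the rule's logic over ECS-style events.
READER_NAMES = {
    "busybox", "cat", "head", "tail", "more", "less", "sed", "awk", "find",
    "grep", "ls", "whereis", "cp", "mv", "ln", "curl", "wget", "scp", "rsync",
    "tar", "zip", "gzip", "base64", "xxd", "od", "dd", "tee", "strings", "xargs",
    "jq", "yq", "openssl", "ssh", "sftp", "nc", "ncat", "netcat", "socat", "node",
}
READER_PREFIXES = ("python", "perl", "ruby", "php", "lua")  # the rule's python*, perl*, ...
READER_ARGS = {"cat", "head", "tail", "more", "less", "sed", "awk", "find", "grep", "cp",
               "mv", "curl", "wget", "base64", "tar", "scp", "dd", "strings", "xargs"}
EPHEMERAL_EXEC = ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*", "/run/user/*")
CREDENTIAL_PATHS = (  # subset of the rule's list; '*' spans '/' like the KQL wildcard
    "/var/run/secrets/kubernetes.io/serviceaccount/token",
    "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
    "/var/lib/kubelet/kubeconfig", "/etc/kubernetes/admin.conf",
    "/var/lib/kubelet/pki/kubelet-client-current.pem", "/etc/shadow",
    "*/.ssh/id_rsa", "*/.aws/credentials", "*/.aws/sso/cache/*.json",
    "*/.config/gcloud/application_default_credentials.json",
    "*/.kube/config", "*/.docker/config.json",
)

def _glob_any(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_reader(event):
    """First AND-group: reader utility by name, reader named in args, or tmp-dir executable."""
    name = event.get("process.name", "")
    return (name in READER_NAMES or name.startswith(READER_PREFIXES)
            or any(a in READER_ARGS for a in event.get("process.args", []))
            or _glob_any(event.get("process.executable", ""), EPHEMERAL_EXEC))

def credential_paths(event):
    """Arguments that hit the rule's credential-path list (empty list when none)."""
    return [a for a in event.get("process.args", []) if _glob_any(a, CREDENTIAL_PATHS)]

def matches(event):
    """True when the event satisfies every clause of the rule and would fire it."""
    return (event.get("host.os.type") == "linux" and event.get("event.category") == "process"
            and event.get("event.action") in ("exec", "executed")
            and is_reader(event) and bool(credential_paths(event)))

# Constructed sample events (not real telemetry): a token read via cat, then an unnamed
# binary run from /dev/shm that only matches because of the ephemeral-directory clause.
SAMPLE_EVENTS = [
    {"host.os.type": "linux", "event.category": "process", "event.action": "exec",
     "process.name": "cat", "process.executable": "/usr/bin/cat",
     "process.args": ["cat", "/var/run/secrets/kubernetes.io/serviceaccount/token"]},
    {"host.os.type": "linux", "event.category": "process", "event.action": "exec",
     "process.name": "harvest", "process.executable": "/dev/shm/harvest",
     "process.args": ["/dev/shm/harvest", "/root/.aws/credentials"]},
]
```

Running `[matches(e) for e in SAMPLE_EVENTS]` yields `[True, True]`; the same `cat` reading `/etc/hostname`, or `kubelet` itself opening its kubeconfig, does not fire, which mirrors where the false-positive tuning in the rule's notes applies.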
Author
Elastic
Created
2026/04/29
Data Sources
Auditd Manager, Elastic Defend
Indices: auditbeat-*, logs-auditd_manager.auditd-*, logs-endpoint.events.process*
References
https://attack.mitre.org/techniques/T1552/
https://kubernetes.io/docs/concepts/security/service-accounts/
Tags
Data Source: Auditd Manager, Data Source: Elastic Defend, Domain: Endpoint, Domain: Kubernetes, OS: Linux, Use Case: Threat Detection, Tactic: Credential Access, Resources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/04/29"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2026/04/29"
[rule]
author = ["Elastic"]
description = """
Flags Linux process executions whose arguments reference high-value Kubernetes service-account material, kubeconfig or
node PKI paths, or common cloud and SSH credential files, when invoked via typical file-reading utilities or from
ephemeral directories. Useful for spotting in-cluster and hybrid credential theft early.
"""
false_positives = [
"""
Legitimate backup, compliance scanners, or admin scripts that enumerate paths under /home or /var/run/secrets may
match. Tune by parent process, image, or automation identity.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes and Cloud Credential Path Access via Process Arguments"
note = """## Triage and analysis
### Investigating Kubernetes and Cloud Credential Path Access via Process Arguments
Confirm whether the process user and parent chain are expected to read the matched path (for example a CI job,
bootstrap script, or kubelet). Reconstruct the full command line and check for piping, encoding, or exfiltration
patterns immediately after the read.
### Possible investigation steps
- Map the workload or login session to an identity; prioritize events from nodes, jump hosts, or pods with mounted
service account tokens.
- Correlate with file, network, and Kubernetes audit telemetry for secret reads, token minting, or API calls using
harvested material.
### Response and remediation
- Rotate affected service account tokens, kubeconfigs, and cloud keys when access was unauthorized; review RBAC and
secret mount policy for the workload.
"""
references = [
"https://attack.mitre.org/techniques/T1552/",
"https://kubernetes.io/docs/concepts/security/service-accounts/",
]
risk_score = 73
rule_id = "5f0fff18-f340-444b-9a98-c49ade766ff4"
setup = """## Setup
Requires **Elastic Defend** and/or **Auditd Manager** process telemetry (`logs-endpoint.events.process*`,
`logs-auditd_manager.auditd-*`, `auditbeat-*`) with command-line argument capture for exec events.
### Elastic Defend
Install the Elastic Defend integration via Fleet on Linux hosts and use a policy that collects process events with
arguments.
### Auditd Manager
Deploy Auditd Manager and ensure execve (or equivalent process) auditing is enabled so `process.args` and
`process.executable` populate for monitored binaries.
See https://docs.elastic.co/integrations/auditd_manager
"""
severity = "high"
tags = [
"Data Source: Auditd Manager",
"Data Source: Elastic Defend",
"Domain: Endpoint",
"Domain: Kubernetes",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
host.os.type:linux and event.category:process and event.action:(exec or executed) and
(
process.name:(
busybox or cat or head or tail or more or less or sed or awk or
find or grep or ls or whereis or cp or mv or ln or
curl or wget or scp or rsync or tar or zip or gzip or
base64 or xxd or od or dd or tee or strings or xargs or jq or yq or
openssl or ssh or sftp or nc or ncat or netcat or socat or
python* or perl* or ruby* or node or php* or lua* or .*
) or
process.args:(
cat or head or tail or more or less or sed or awk or
find or grep or cp or mv or curl or wget or base64 or
tar or scp or dd or strings or xargs
) or
process.executable:(/tmp/* or /var/tmp/* or /dev/shm/* or /home/* or /run/user/*)
) and process.args:(
"/var/run/secrets/kubernetes.io/serviceaccount/token" or
"/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" or
"/var/run/secrets/eks.amazonaws.com/serviceaccount/token" or
"/var/run/secrets/azure/tokens/azure-identity-token" or
"/var/run/secrets/tokens/azure-identity-token" or
"/var/lib/kubelet/kubeconfig" or
"/etc/kubernetes/admin.conf" or
"/etc/kubernetes/pki/ca.key" or
"/etc/kubernetes/pki/apiserver-kubelet-client.key" or
"/var/lib/kubelet/pki/kubelet-client-current.pem" or
"/etc/rancher/k3s/k3s.yaml" or
"/etc/shadow" or
*/.ssh/id_rsa or
*/root/.ssh/id_ed25519 or
*/.ssh/id_ecdsa or
*/.aws/credentials or
*/.aws/cli/cache/*.json or
*/.aws/sso/cache/*.json or
*/.azure/accessTokens.json or
*/.azure/azureProfile.json or
*/.azure/msal_token_cache.json or
*/.config/gcloud/application_default_credentials.json or
*/.config/gcloud/credentials.db or
*/.config/gcloud/access_tokens.db or
*/.config/gcloud/legacy_credentials or
*/.kube/config or
*/.docker/config.json
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"
[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"