Kubernetes and Cloud Credential Path Access via Process Arguments

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Kubernetes and Cloud Credential Path Access via Process Arguments

Flags Linux process executions whose arguments reference high-value Kubernetes service-account material, kubeconfig or node PKI paths, or common cloud and SSH credential files, when invoked via typical file-reading utilities or from ephemeral directories. Useful for spotting in-cluster and hybrid credential theft early.

Rule type: query

Rule indices:

auditbeat-*
logs-auditd_manager.auditd-*
logs-endpoint.events.process*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Data Source: Auditd Manager
Data Source: Elastic Defend
Domain: Endpoint
Domain: Kubernetes
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating Kubernetes and Cloud Credential Path Access via Process Arguments

Confirm whether the process user and parent chain are expected to read the matched path (for example a CI job, bootstrap script, or kubelet). Reconstruct the full command line and check for piping, encoding, or exfiltration patterns immediately after the read.

Possible investigation steps

Map the workload or login session to an identity; prioritize events from nodes, jump hosts, or pods with mounted service account tokens.
Correlate with file, network, and Kubernetes audit telemetry for secret reads, token minting, or API calls using harvested material.

Response and remediation

Rotate affected service account tokens, kubeconfigs, and cloud keys when access was unauthorized; review RBAC and secret mount policy for the workload.

Setup

edit

Setup

Requires Elastic Defend and/or Auditd Manager process telemetry (logs-endpoint.events.process*, logs-auditd_manager.auditd-*, auditbeat-*) with command-line argument capture for exec events.

Elastic Defend

Install the Elastic Defend integration via Fleet on Linux hosts and use a policy that collects process events with arguments.

Auditd Manager

Deploy Auditd Manager and ensure execve (or equivalent process) auditing is enabled so process.args and process.executable populate for monitored binaries.

See https://docs.elastic.co/integrations/auditd_manager

Rule query

edit

host.os.type:linux and event.category:process and event.action:(exec or executed) and
(
  process.name:(
    busybox or cat or head or tail or more or less or sed or awk or
    find or grep or ls or whereis or cp or mv or ln or
    curl or wget or scp or rsync or tar or zip or gzip or
    base64 or xxd or od or dd or tee or strings or xargs or jq or yq or
    openssl or ssh or sftp or nc or ncat or netcat or socat or
    python* or perl* or ruby* or node or php* or lua* or .*
  ) or
  process.args:(
    cat or head or tail or more or less or sed or awk or
    find or grep or cp or mv or curl or wget or base64 or
    tar or scp or dd or strings or xargs
  ) or
  process.executable:(/tmp/* or /var/tmp/* or /dev/shm/* or /home/* or /run/user/*)
) and process.args:(
  "/var/run/secrets/kubernetes.io/serviceaccount/token" or
  "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" or
  "/var/run/secrets/eks.amazonaws.com/serviceaccount/token" or
  "/var/run/secrets/azure/tokens/azure-identity-token" or
  "/var/run/secrets/tokens/azure-identity-token" or
  "/var/lib/kubelet/kubeconfig" or
  "/etc/kubernetes/admin.conf" or
  "/etc/kubernetes/pki/ca.key" or
  "/etc/kubernetes/pki/apiserver-kubelet-client.key" or
  "/var/lib/kubelet/pki/kubelet-client-current.pem" or
  "/etc/rancher/k3s/k3s.yaml" or
  "/etc/shadow" or
  */.ssh/id_rsa or
  */root/.ssh/id_ed25519 or
  */.ssh/id_ecdsa or
  */.aws/credentials or
  */.aws/cli/cache/*.json or
  */.aws/sso/cache/*.json or
  */.azure/accessTokens.json or
  */.azure/azureProfile.json or
  */.azure/msal_token_cache.json or
  */.config/gcloud/application_default_credentials.json or
  */.config/gcloud/credentials.db or
  */.config/gcloud/access_tokens.db or
  */.config/gcloud/legacy_credentials or
  */.kube/config or
  */.docker/config.json
)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Unsecured Credentials
- ID: T1552
- Reference URL: https://attack.mitre.org/techniques/T1552/
Sub-technique:
- Name: Credentials In Files
- ID: T1552.001
- Reference URL: https://attack.mitre.org/techniques/T1552/001/
Technique:
- Name: Steal Application Access Token
- ID: T1528
- Reference URL: https://attack.mitre.org/techniques/T1528/

« Kubernetes User Exec into Pod LSASS Memory Dump Creation »