Skip to content
Threat Feed
high advisory

Kubernetes Secret Abuse by Unusual User

An unusual username is accessing Kubernetes secrets, potentially leading to unauthorized access and data exfiltration.

This detection identifies unauthorized access or misuse of Kubernetes Secrets by unusual user names. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests based on user names. Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys, making them critical assets within a Kubernetes environment. This activity is significant because successful exploitation could lead to unauthorized access to sensitive systems or data, potentially resulting in significant security breaches and exfiltration of sensitive information. The detection logic operates by identifying 'get' requests for secrets originating from usernames that deviate from an established baseline of allowed or expected users.

Attack Chain

  1. Attacker gains initial access to a system or service with Kubernetes API access.
  2. Attacker authenticates to the Kubernetes API using compromised credentials or exploiting a vulnerability.
  3. Attacker attempts to enumerate available secrets using kubectl get secrets --all-namespaces or a similar command, generating audit logs with verb=list or verb=get.
  4. Attacker identifies a target secret containing sensitive information (e.g., database credentials, API keys).
  5. Attacker attempts to retrieve the target secret using kubectl get secret <secret-name> -n <namespace> or a direct API call, generating an audit log with verb=get and the target secret name in objectRef.name.
  6. The Kubernetes Audit logs record the request, including the username (user.username), source IP address (sourceIPs{}), and the resource being accessed (objectRef.resource=secrets).
  7. The detection logic flags the request because the username is not in the allowed list (kube_allowed_user_names).
  8. Attacker uses the retrieved credentials or API keys to gain unauthorized access to other systems or data, leading to data exfiltration or further compromise.

Impact

Successful exploitation allows attackers to steal sensitive data stored within Kubernetes secrets, such as credentials, API keys, and certificates. This can lead to unauthorized access to databases, applications, and other systems, resulting in data breaches, service disruption, and potential financial loss. The impact is high due to the sensitive nature of secrets and their potential for widespread damage.

Recommendation

  • Enable Kubernetes audit logging and configure the audit policy to capture API requests, as described in the detection configuration notes in the brief.
  • Deploy the Sigma rule to your SIEM to detect unauthorized access to Kubernetes secrets by unusual user names and tune for your environment.
  • Investigate any alerts generated by the Sigma rule to determine the legitimacy of the access and take appropriate remediation steps.
  • Review and update the kube_allowed_user_names macro to ensure it accurately reflects the authorized users in your environment.

Detection coverage 2

Kubernetes Secret Accessed by Unusual User

high

Detects access to Kubernetes secrets by a username not in the allowed list.

sigma tactics: credential_access techniques: T1552.007 sources: kubernetes_audit, kubernetes

Kubernetes Secret Enumeration by Unusual User

medium

Detects enumeration of Kubernetes secrets (list operation) by a username not in the allowed list.

sigma tactics: discovery techniques: T1087.004 sources: kubernetes_audit, kubernetes

Detection queries are available on the platform. Get full rules →