Kubernetes Secret Abuse by Unusual User
An unusual username is accessing Kubernetes secrets, potentially leading to unauthorized access and data exfiltration.
This detection identifies unauthorized access or misuse of Kubernetes Secrets by unusual user names. It leverages Kubernetes Audit logs to identify anomalies in access patterns by analyzing the source of requests based on user names. Kubernetes Secrets store sensitive information like passwords, OAuth tokens, and SSH keys, making them critical assets within a Kubernetes environment. This activity is significant because successful exploitation could lead to unauthorized access to sensitive systems or data, potentially resulting in significant security breaches and exfiltration of sensitive information. The detection logic operates by identifying 'get' requests for secrets originating from usernames that deviate from an established baseline of allowed or expected users.
Attack Chain
- Attacker gains initial access to a system or service with Kubernetes API access.
- Attacker authenticates to the Kubernetes API using compromised credentials or exploiting a vulnerability.
- Attacker attempts to enumerate available secrets using
kubectl get secrets --all-namespacesor a similar command, generating audit logs withverb=listorverb=get. - Attacker identifies a target secret containing sensitive information (e.g., database credentials, API keys).
- Attacker attempts to retrieve the target secret using
kubectl get secret <secret-name> -n <namespace>or a direct API call, generating an audit log withverb=getand the target secret name inobjectRef.name. - The Kubernetes Audit logs record the request, including the username (
user.username), source IP address (sourceIPs{}), and the resource being accessed (objectRef.resource=secrets). - The detection logic flags the request because the username is not in the allowed list (
kube_allowed_user_names). - Attacker uses the retrieved credentials or API keys to gain unauthorized access to other systems or data, leading to data exfiltration or further compromise.
Impact
Successful exploitation allows attackers to steal sensitive data stored within Kubernetes secrets, such as credentials, API keys, and certificates. This can lead to unauthorized access to databases, applications, and other systems, resulting in data breaches, service disruption, and potential financial loss. The impact is high due to the sensitive nature of secrets and their potential for widespread damage.
Recommendation
- Enable Kubernetes audit logging and configure the audit policy to capture API requests, as described in the detection configuration notes in the brief.
- Deploy the Sigma rule to your SIEM to detect unauthorized access to Kubernetes secrets by unusual user names and tune for your environment.
- Investigate any alerts generated by the Sigma rule to determine the legitimacy of the access and take appropriate remediation steps.
- Review and update the
kube_allowed_user_namesmacro to ensure it accurately reflects the authorized users in your environment.
Detection coverage 2
Kubernetes Secret Accessed by Unusual User
highDetects access to Kubernetes secrets by a username not in the allowed list.
Kubernetes Secret Enumeration by Unusual User
mediumDetects enumeration of Kubernetes secrets (list operation) by a username not in the allowed list.
Detection queries are available on the platform. Get full rules →