Kubectl Secrets Enumeration Across All Namespaces
The use of `kubectl get secrets --all-namespaces` command is detected, which enumerates secret resources across the entire Kubernetes cluster, potentially aiding credential discovery, privilege escalation, or lateral movement.
The threat involves the execution of the kubectl get secrets --all-namespaces command within a Kubernetes environment. This command allows a user to enumerate secret resources across all namespaces in the cluster. Attackers often use this command to identify accessible secrets, which can then be leveraged for credential discovery, privilege escalation, or lateral movement within the cluster. The rule detects the execution of kubectl commands which are querying for secrets across all namespaces. The scope of this activity targets Kubernetes environments running on Linux or macOS. Successful exploitation can lead to unauthorized access to sensitive information stored as Kubernetes secrets.
Attack Chain
- An attacker gains initial access to a compromised host within the Kubernetes cluster.
- The attacker uses
kubectlto interact with the Kubernetes API. - The attacker executes the command
kubectl get secrets --all-namespacesorkubectl get secrets -Ato list all secrets across all namespaces. - The
kubectlcommand queries the Kubernetes API server for secret resources. - The API server responds with a list of secrets, including their names, namespaces, and other metadata.
- The attacker analyzes the output to identify secrets that contain valuable credentials or configuration data.
- The attacker attempts to access identified secrets to extract sensitive information.
- The attacker uses the extracted credentials to escalate privileges, move laterally, or compromise other resources within the cluster.
Impact
A successful attack can lead to the exposure of sensitive information stored in Kubernetes secrets, such as API keys, passwords, and certificates. This exposed information can be used to compromise other applications and services running within the cluster or to gain unauthorized access to external resources. The severity depends on the sensitivity of the exposed secrets and the scope of access they provide. There is no specified victim count or sector targeted in the source.
Recommendation
- Deploy the Sigma rule
Detect Kubectl Secrets Enumerationto your SIEM and tune for your environment to detect the specific command execution. - Monitor process execution logs for
kubectlcommands with arguments like--all-namespacesor-Ato identify potential secret enumeration attempts. - Implement proper RBAC (Role-Based Access Control) policies to restrict access to secrets and limit the ability of users and service accounts to list secrets across all namespaces.
- Review Kubernetes audit logs and API activity as described in the rule's triage notes to determine whether any listed secrets were subsequently read, exported, or abused.
Detection coverage 2
Detect Kubectl Secrets Enumeration
mediumDetects the execution of `kubectl get secrets --all-namespaces` or `kubectl get secrets -A` command to enumerate secrets across all namespaces.
Detect Kubectl Describe Secrets All Namespaces
mediumDetects the execution of `kubectl describe secrets --all-namespaces` or `kubectl describe secrets -A` command to describe secrets across all namespaces.
Detection queries are available on the platform. Get full rules →