Kubernetes and Cloud Credential Path Access via Process Arguments
This rule detects Linux process executions that access sensitive Kubernetes, cloud, and SSH credential files via common utilities, potentially indicating credential theft.
This detection rule identifies Linux processes that access sensitive credential files for Kubernetes, cloud services (AWS, Azure, Google Cloud), and SSH. The rule focuses on processes that use common file-reading utilities (e.g., cat, grep, curl) or execute from ephemeral directories like /tmp or /dev/shm. The intent is to detect potential credential theft attempts within containerized environments or on systems that manage cloud resources, where attackers may try to harvest service account tokens, API keys, or SSH private keys. The rule is based on the detection logic from Elastic’s detection-rules repository as of April 2026 and aims to identify unauthorized access to sensitive credential locations. Defenders should be aware of processes running with elevated privileges or unexpected parent processes that access these files.
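As an added illustration (not the rule's own query and not code from Elastic's detection-rules repository), the matching logic described above applied to constructed, ECS-style process events. The field names, the ~/.kube, ~/.azure and ~/.config/gcloud path fragments, and the exact utility list are assumptions made for this example.

```python
import shlex
from typing import Optional

# Credential path fragments to look for in process arguments. Matching on the
# fragment after "~" lets both "~/.aws/credentials" and
# "/home/dev/.aws/credentials" hit. The .kube/.azure/gcloud entries are assumed.
CREDENTIAL_PATH_FRAGMENTS = (
    "/var/run/secrets/kubernetes.io/serviceaccount/",
    "/.kube/config",
    "/.aws/credentials",
    "/.azure/",
    "/.config/gcloud/",
    "/.ssh/id_",
)
# File-reading, transfer and encoding utilities named in the rule description.
READER_UTILITIES = {"cat", "head", "tail", "grep", "curl", "wget", "base64"}
# Ephemeral directories the rule treats as suspicious execution locations.
EPHEMERAL_DIRS = ("/tmp/", "/dev/shm/")

RULE_ARGS = "Kubernetes and Cloud Credential Path Access via Process Arguments"
RULE_TEMP = "Credential Access from Ephemeral Directories"


def classify(event: dict) -> Optional[tuple]:
    """Return (rule_name, severity) when a process event matches, else None.

    Assumed ECS-style keys: process.executable, process.command_line.
    """
    exe = event["process.executable"]
    try:
        argv = shlex.split(event["process.command_line"])
    except ValueError:              # unbalanced quotes: fall back to a plain split
        argv = event["process.command_line"].split()
    touches_credential = any(
        frag in arg for arg in argv[1:] for frag in CREDENTIAL_PATH_FRAGMENTS
    )
    if not touches_credential:
        return None
    if exe.startswith(EPHEMERAL_DIRS):
        return (RULE_TEMP, "medium")
    if exe.rsplit("/", 1)[-1] in READER_UTILITIES:
        return (RULE_ARGS, "high")
    return None                      # e.g. kubectl reading its own kubeconfig


def scan(events: list) -> list:
    """Run classify() over a batch of events and return only the matches."""
    return [(e["process.command_line"], classify(e)) for e in events if classify(e)]
```

Tuning note: the final `return None` is where a real deployment would add its own allowlist of legitimate tooling that reads these paths.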
Attack Chain
- An attacker gains initial access to a Linux system or container.
- The attacker identifies potential credential storage locations for Kubernetes, cloud providers, or SSH keys (e.g., /var/run/secrets/kubernetes.io/serviceaccount/token, ~/.aws/credentials, ~/.ssh/id_rsa).
- The attacker uses common file-reading utilities like cat, head, tail, or grep to access the credential files.
- Alternatively, the attacker may use network tools like curl or wget to exfiltrate the data.
- The attacker may also use encoding or obfuscation techniques like base64 to hide the contents of the files.
- The attacker stages or exfiltrates the stolen credentials.
- The attacker uses the stolen credentials to gain unauthorized access to Kubernetes resources, cloud services, or other systems.
Impact
Compromise of Kubernetes service account tokens, cloud provider API keys, or SSH private keys can lead to unauthorized access to sensitive data, privilege escalation, and lateral movement within the compromised environment. Successful credential theft can enable attackers to deploy malicious workloads, modify configurations, or steal sensitive data. In cloud environments, this could result in data breaches, resource hijacking, or service disruption. The impact is significant due to the potential for widespread access and control over critical infrastructure and data.
Recommendation
- Enable Elastic Defend or Auditd Manager with command-line argument capture to collect the necessary process telemetry, as outlined in the setup instructions.
- Deploy the Sigma rule “Kubernetes and Cloud Credential Path Access via Process Arguments” to your SIEM and tune for your environment to reduce false positives.
- Investigate any alerts generated by the Sigma rule, focusing on processes with unexpected parent processes or running with elevated privileges.
- Implement least privilege principles for service accounts and cloud IAM roles to limit the impact of potential credential compromise.
- Monitor file access events on critical credential storage locations to detect suspicious activity.
Detection coverage (2 rules)
- Kubernetes and Cloud Credential Path Access via Process Arguments (severity: high): Detects process executions accessing Kubernetes and cloud credential paths via process arguments.
- Credential Access from Ephemeral Directories (severity: medium): Detects credential access from processes running in temp directories.