high advisory

Kubernetes Pod Exec Sensitive File or Credential Path Access

This rule detects Kubernetes pod exec sessions where the decoded command line references sensitive files or paths such as mounted service account tokens, kubelet and control-plane configuration, host identity stores, private keys, and process environment dumps, aiming to identify potential lateral movement, privilege escalation, or credential theft.

This detection identifies Kubernetes pod exec sessions accessing sensitive files or credential paths. The goal is to detect attackers attempting to steal credentials or configuration information from within Kubernetes pods. This often occurs after initial access and may precede lateral movement, privilege escalation, or data exfiltration. The detection focuses on command lines that reference paths related to service account tokens, kubelet configuration, host identity stores, common private keys, keystore extensions, process environment dumps, and configuration files with embedded secrets. The rule is designed to catch both interactive and scripted access, and includes exclusions for benign reads of resolv.conf.

Attack Chain

  1. Attacker gains initial access to a Kubernetes cluster, potentially through a compromised application or misconfigured service.
  2. Attacker uses kubectl exec or similar tools to execute commands within a pod.
  3. The executed command attempts to read sensitive files or directories within the pod’s filesystem, such as /var/run/secrets/kubernetes.io/serviceaccount/token to obtain the pod’s service account token.
  4. If the pod has hostPath mounts or runs in a privileged context, the command may also target host-level files such as /etc/shadow or /etc/passwd for credential access.
  5. The attacker may attempt to dump process environments via /proc/<pid>/environ to extract sensitive information stored as environment variables.
  6. The attacker leverages obtained credentials or configuration to move laterally to other pods or nodes within the cluster.
  7. The attacker escalates privileges within the cluster by abusing stolen service account tokens or node credentials.
  8. The final objective is to exfiltrate sensitive data, deploy malicious workloads, or disrupt services within the Kubernetes environment.

Impact

A successful attack can lead to the compromise of sensitive data, including credentials, configuration files, and application secrets. This can enable attackers to move laterally within the Kubernetes cluster, escalate privileges, and potentially gain control over the entire environment. The severity of the impact depends on the sensitivity of the data exposed and the level of access achieved by the attacker.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect sensitive file access within Kubernetes pod exec sessions.
  • Investigate any alerts triggered by the Sigma rule, focusing on the Esql.access_type field to prioritize incidents.
  • Review and tighten RBAC permissions for pod exec to limit access to authorized users and service accounts.
  • Implement admission controls to prevent pods from running in privileged mode or using hostPath mounts unless absolutely necessary.
  • Monitor Kubernetes audit logs for suspicious kubectl exec activity, including unusual command lines or access patterns.
  • Regularly rotate Kubernetes service account tokens and other sensitive credentials to minimize the impact of potential breaches.
  • Use the provided Kubernetes audit log query to proactively search for historical instances of sensitive file access.
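The following Python script is an added example, not the advisory's own Sigma rule or audit log query. It shows the detection logic described above run over Kubernetes audit log lines: it keeps only pods/exec requests, URL-decodes the repeated command= parameters that kubectl sends, matches the decoded command line against the path classes the rule covers, drops the benign resolv.conf read before matching, and assigns the severities of the two rules listed under Detection coverage (medium when only a process environment dump is referenced, high otherwise). The sample audit events, the access_type label names and the exact path patterns are constructed assumptions and are not the vendor's rule content.

```python
"""Added example, not the rule or query from the advisory: scan Kubernetes audit
log lines for pods/exec requests whose decoded command line touches sensitive paths.
Audit events, access_type labels and path patterns below are constructed assumptions."""
import json
import re
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlsplit

# Path classes taken from the advisory text; the label names are our own (assumption)
# and stand in for the Esql.access_type field the recommendations mention.
SENSITIVE_PATTERNS = [
    ("service_account_token", re.compile(r"/var/run/secrets/kubernetes\.io/serviceaccount")),
    ("kubelet_or_control_plane_config", re.compile(r"/var/lib/kubelet|/etc/kubernetes")),
    ("host_identity_store", re.compile(r"/etc/(?:passwd|shadow|gshadow|group)\b")),
    ("private_key", re.compile(r"id_(?:rsa|ed25519|ecdsa|dsa)(?!\.pub)\b|\.(?:pem|key)\b")),
    ("keystore", re.compile(r"\.(?:jks|p12|pfx|keystore)\b")),
    ("process_environ", re.compile(r"/proc/(?:\d+|self)/environ")),
    ("config_with_secrets", re.compile(r"\.kube/config|\.docker/config\.json|\.aws/credentials")),
]
# Benign read the rule excludes. Assumption: only the resolv.conf reference is dropped,
# so `cat /etc/resolv.conf /etc/shadow` still alerts on /etc/shadow.
BENIGN_PATHS = ("/etc/resolv.conf",)


def decode_exec_command(event: dict) -> Optional[list]:
    """Return the decoded argv of a pods/exec request, or None for any other event."""
    ref = event.get("objectRef", {})
    if event.get("verb") != "create" or ref.get("resource") != "pods" or ref.get("subresource") != "exec":
        return None
    # kubectl sends every argv element as a separate, percent-encoded `command=` parameter;
    # parse_qs decodes them ('+' becomes a space) and preserves their order.
    return parse_qs(urlsplit(event.get("requestURI", "")).query).get("command", [])


def classify(argv: list) -> list:
    """Sorted access types referenced by the command line, or [] when nothing sensitive is touched."""
    cmdline = " ".join(argv)  # match the joined line so `sh -c "cat /proc/1/environ"` is caught too
    for benign in BENIGN_PATHS:
        cmdline = cmdline.replace(benign, "")
    return sorted({name for name, rx in SENSITIVE_PATTERNS if rx.search(cmdline)})


def evaluate(event: dict) -> Optional[dict]:
    """Produce an alert record for one audit event, or None when it does not match."""
    argv = decode_exec_command(event)
    if not argv:
        return None
    access_type = classify(argv)
    if not access_type:
        return None
    ref = event["objectRef"]
    return {
        "user": event.get("user", {}).get("username", "?"),
        "namespace": ref.get("namespace"),
        "pod": ref.get("name"),
        "command": " ".join(argv),
        "access_type": access_type,
        # Environment-variable access alone is the medium-severity rule; everything else is high.
        "severity": "medium" if access_type == ["process_environ"] else "high",
    }


def scan(lines: Iterable[str]) -> list:
    """Run evaluate() over JSON-lines audit log input and return the alerts in input order."""
    return [a for a in (evaluate(json.loads(l)) for l in lines if l.strip()) if a]


def _event(user: str, pod: str, query: str, verb: str = "create", sub: str = "exec") -> str:
    """Build one constructed audit event (JSON line) in the shape of a real pods/exec record."""
    uri = f"/api/v1/namespaces/default/pods/{pod}/{sub}?{query}&container=app&stdout=true"
    return json.dumps({
        "kind": "Event", "verb": verb, "user": {"username": user},
        "objectRef": {"resource": "pods", "subresource": sub, "namespace": "default", "name": pod},
        "requestURI": uri,
    })


# Constructed sample audit lines (not captured from a real cluster).
SAMPLE_AUDIT_LINES = [
    _event("dev@example.com", "web-0",
           "command=cat&command=%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Ftoken"),
    _event("dev@example.com", "web-0", "command=cat&command=%2Fetc%2Fresolv.conf"),      # benign, excluded
    _event("ci-bot", "worker-3", "command=sh&command=-c&command=cat+%2Fproc%2F1%2Fenviron"),  # scripted dump
    _event("dev@example.com", "web-0", "", verb="get", sub="log"),                          # not an exec
    _event("dev@example.com", "web-0",
           "command=cat&command=%2Fetc%2Fresolv.conf&command=%2Fetc%2Fshadow"),           # mixed read
    _event("ops", "debug-pod",
           "command=find&command=%2Fhost%2Fetc%2Fkubernetes&command=-name&command=*.key"),  # hostPath hunt
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_AUDIT_LINES):
        print(json.dumps(alert))
```

Feed real audit log JSON lines to scan() to hunt historically; the resolv.conf-only event and the pods/log request produce no alert, while the mixed `cat /etc/resolv.conf /etc/shadow` still fires on the shadow file, which is the behaviour a practitioner should verify the production exclusion preserves.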

Detection coverage (2 rules)

Kubernetes Pod Exec Sensitive File Access

high

Detects Kubernetes pod exec sessions where the command line references sensitive files or paths.

Format: sigma. Tactics: credential_access, execution. Techniques: T1552.001 (Credentials In Files), T1552.007 (Container API), T1609 (Container Administration Command). Sources: process_creation, linux.

Kubernetes Pod Exec Accessing Environment Variables

medium

Detects Kubernetes pod exec sessions where the command line attempts to access process environment variables.

Format: sigma. Tactics: credential_access, execution. Techniques: T1552 (Unsecured Credentials), T1609 (Container Administration Command). Sources: process_creation, linux.
