Kubernetes Rapid Secret GET Activity Against Multiple Objects
Detects an unusual volume of Kubernetes API get requests against multiple distinct Secret objects from the same client fingerprint, potentially indicating credential access or in-cluster reconnaissance.
This detection rule identifies suspicious activity within Kubernetes environments where a single client fingerprint (defined by user, source IP, and user agent) rapidly retrieves multiple distinct Secret objects via the Kubernetes API. The rule focuses on detecting potential credential access or in-cluster reconnaissance attempts. The activity may involve successful and failed GET requests, where failed requests may reveal information about RBAC boundaries or confirm the existence of targeted secrets. This activity can indicate that an attacker is attempting to enumerate and retrieve sensitive data such as service account tokens, registry credentials, TLS material, or application configuration. The rule excludes common sources such as the kube-controller-manager and kube-scheduler.
Attack Chain
- An attacker gains initial access to a Kubernetes cluster, potentially by exploiting a vulnerability or compromising a service account.
- The attacker uses the compromised credentials to authenticate to the Kubernetes API.
- The attacker sends a series of GET requests to the Kubernetes API, targeting Secret objects.
- The API server authenticates and authorizes the requests based on the attacker’s permissions and RBAC configurations.
- Successful GET requests return the contents of the Secret objects.
- Failed GET requests may reveal RBAC restrictions, namespace details, or secret existence.
- The attacker analyzes the retrieved Secrets or error messages to gather sensitive information like credentials or configuration details.
- The attacker uses the gathered information to further compromise the cluster or exfiltrate data.
Impact
A successful attack can lead to the compromise of sensitive data stored within Kubernetes Secrets, such as service account tokens, registry credentials, TLS keys, and application configuration. This can result in privilege escalation, lateral movement, and data exfiltration. The rule aims to detect unauthorized access to these resources, preventing attackers from gaining access to critical infrastructure and data. If successful, the attackers could also potentially gain access to connected cloud resources via exposed credentials.
Recommendation
- Deploy the Sigma rule Kubernetes Rapid Secret GET Activity to your SIEM and tune it for your environment.
- Investigate any alerts generated by the Kubernetes Rapid Secret GET Activity Sigma rule, focusing on the Esql.outcome field to determine the success or failure of the requests.
- Review RBAC configurations for the identified user accounts and source IPs to identify overly permissive access controls, using user.name, source.ip, and Esql.namespaces.
- Monitor Kubernetes audit logs for unusual API activity, specifically GET requests to Secret objects, using kubernetes.audit.objectRef.resource == "secrets" as a filter.
- Implement network segmentation to limit the blast radius of compromised accounts, using source.ip to track connections.
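The following added example (not the platform's rule or query, which it keeps internal) shows the detection logic described above run over constructed Kubernetes audit events: it keeps completed GET requests where objectRef.resource is "secrets", drops the kube-controller-manager and kube-scheduler users, groups by the client fingerprint (user, source IP, user agent), and alerts when one fingerprint touches at least THRESHOLD distinct Secret objects inside a sliding WINDOW, reporting successful and failed requests separately. The window, threshold, field names beyond the standard audit event schema, and all log lines are assumptions for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Excluded users named on the page; the "system:" prefix is assumed to match how the audit log records them.
EXCLUDED_USERS = {"system:kube-controller-manager", "system:kube-scheduler"}
WINDOW = timedelta(minutes=5)   # assumed sliding window; tune per environment
THRESHOLD = 5                   # assumed number of distinct Secrets; tune per environment

# Constructed sample audit events (newline-delimited JSON); not from a real cluster.
SAMPLE_AUDIT_LOG = """
{"stage":"RequestReceived","verb":"get","user":{"username":"system:serviceaccount:default:web"},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"secrets","namespace":"default","name":"db-creds"},"stageTimestamp":"2024-01-01T10:00:00Z"}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:web"},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"secrets","namespace":"default","name":"db-creds"},"responseStatus":{"code":200},"stageTimestamp":"2024-01-01T10:00:00Z"}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:web"},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"secrets","namespace":"default","name":"registry-pull"},"responseStatus":{"code":200},"stageTimestamp":"2024-01-01T10:00:20Z"}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:web"},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"secrets","namespace":"default","name":"tls-cert"},"responseStatus":{"code":200},"stageTimestamp":"2024-01-01T10:00:40Z"}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:web"},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"secrets","namespace":"payments","name":"api-key"},"responseStatus":{"code":403},"stageTimestamp":"2024-01-01T10:01:00Z"}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:web"},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap-token"},"responseStatus":{"code":200},"stageTimestamp":"2024-01-01T10:01:20Z"}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:web"},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"secrets","namespace":"monitoring","name":"grafana-admin"},"responseStatus":{"code":200},"stageTimestamp":"2024-01-01T10:01:50Z"}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:web"},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"pods","namespace":"default","name":"web-0"},"responseStatus":{"code":200},"stageTimestamp":"2024-01-01T10:02:00Z"}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:kube-scheduler"},"sourceIPs":["10.0.0.1"],"userAgent":"kube-scheduler/v1.29.0","objectRef":{"resource":"secrets","namespace":"kube-system","name":"scheduler-cert"},"responseStatus":{"code":200},"stageTimestamp":"2024-01-01T10:00:10Z"}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:shop:cart"},"sourceIPs":["10.0.1.7"],"userAgent":"Go-http-client/2.0","objectRef":{"resource":"secrets","namespace":"shop","name":"session-key"},"responseStatus":{"code":200},"stageTimestamp":"2024-01-01T10:00:05Z"}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:shop:cart"},"sourceIPs":["10.0.1.7"],"userAgent":"Go-http-client/2.0","objectRef":{"resource":"secrets","namespace":"shop","name":"session-key"},"responseStatus":{"code":200},"stageTimestamp":"2024-01-01T10:03:05Z"}
"""


def parse_events(raw):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def _ts(ev):
    return datetime.fromisoformat(ev["stageTimestamp"].replace("Z", "+00:00"))


def _fingerprint(ev):
    """Client fingerprint used by the rule: user, first source IP, user agent."""
    return (ev["user"]["username"], ev.get("sourceIPs", ["?"])[0], ev.get("userAgent", ""))


def secret_get_events(events):
    """Keep completed GET requests against Secret objects from non-excluded users."""
    kept = []
    for ev in events:
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") != "get":
            continue
        if (ev.get("objectRef") or {}).get("resource") != "secrets":
            continue
        if ev["user"]["username"] in EXCLUDED_USERS:
            continue
        kept.append(ev)
    return kept


def detect(events, window=WINDOW, threshold=THRESHOLD):
    """One alert per fingerprint whose busiest window covers >= threshold distinct Secrets."""
    by_fp = defaultdict(list)
    for ev in secret_get_events(events):
        by_fp[_fingerprint(ev)].append(ev)
    alerts = []
    for (user, ip, ua), evs in by_fp.items():
        evs.sort(key=_ts)
        best, left = None, 0
        for right in range(len(evs)):
            while _ts(evs[right]) - _ts(evs[left]) > window:   # slide the window forward
                left += 1
            span = evs[left:right + 1]
            names = {(e["objectRef"].get("namespace"), e["objectRef"]["name"]) for e in span}
            if len(names) >= threshold and (best is None or len(names) > best["distinct_secrets"]):
                codes = [e.get("responseStatus", {}).get("code", 0) for e in span]
                best = {
                    "user": user, "source_ip": ip, "user_agent": ua,
                    "distinct_secrets": len(names),
                    "namespaces": sorted({ns for ns, _ in names if ns}),
                    "successes": sum(1 for c in codes if 200 <= c < 300),   # outcome: success
                    "failures": sum(1 for c in codes if c >= 400),          # outcome: failure (e.g. RBAC deny)
                    "window_start": evs[left]["stageTimestamp"],
                    "window_end": evs[right]["stageTimestamp"],
                }
        if best:
            alerts.append(best)
    return alerts


def run_detection():
    return detect(parse_events(SAMPLE_AUDIT_LOG))


if __name__ == "__main__":
    for alert in run_detection():
        print(json.dumps(alert, indent=2))
```

On the sample data only the kubectl fingerprint alerts: six distinct Secrets across four namespaces in under two minutes, five successes and one 403. The kube-scheduler request is excluded, the cart service account re-reads a single Secret and stays below the threshold, and the pod GET and the RequestReceived stage event never enter the count. The failure count is what the Esql.outcome recommendation above is getting at: a 403 still proves the caller probed that namespace.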
Detection coverage (2 rules)
- Kubernetes Rapid Secret GET Activity (severity: high): Detects rapid GET requests for multiple secrets from the same source.
- Kubernetes Secret GET Activity from Kube-Scheduler (severity: info): Detects secret GET requests originating from the kube-scheduler service account.
Detection queries are kept inside the platform.