{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/eks.amazonaws.com/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","auditbeat-*","eks.amazonaws.com","Azure","gcloud"],"_cs_severities":["high"],"_cs_tags":["credential-access","kubernetes","cloud","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic","Amazon","Microsoft","Google"],"content_html":"\u003cp\u003eThis detection rule identifies Linux processes that access sensitive credential files for Kubernetes, cloud services (AWS, Azure, Google Cloud), and SSH. The rule focuses on processes that use common file-reading utilities (e.g., \u003ccode\u003ecat\u003c/code\u003e, \u003ccode\u003egrep\u003c/code\u003e, \u003ccode\u003ecurl\u003c/code\u003e) or execute from ephemeral directories like \u003ccode\u003e/tmp\u003c/code\u003e or \u003ccode\u003e/dev/shm\u003c/code\u003e. The intent is to detect potential credential theft attempts within containerized environments or on systems that manage cloud resources, where attackers may try to harvest service account tokens, API keys, or SSH private keys. The rule is based on the detection logic from Elastic\u0026rsquo;s detection-rules repository as of April 2026 and aims to identify unauthorized access to sensitive credential locations. Defenders should be aware of processes running with elevated privileges or unexpected parent processes that access these files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system or container.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies potential credential storage locations for Kubernetes, cloud providers, or SSH keys (e.g., \u003ccode\u003e/var/run/secrets/kubernetes.io/serviceaccount/token\u003c/code\u003e, \u003ccode\u003e~/.aws/credentials\u003c/code\u003e, \u003ccode\u003e~/.ssh/id_rsa\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uses common file-reading utilities like \u003ccode\u003ecat\u003c/code\u003e, \u003ccode\u003ehead\u003c/code\u003e, \u003ccode\u003etail\u003c/code\u003e, or \u003ccode\u003egrep\u003c/code\u003e to access the credential files.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker may use network tools like \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to exfiltrate the data.\u003c/li\u003e\n\u003cli\u003eThe attacker may also use encoding or obfuscation techniques like \u003ccode\u003ebase64\u003c/code\u003e to hide the contents of the files.\u003c/li\u003e\n\u003cli\u003eThe attacker stages or exfiltrates the stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to Kubernetes resources, cloud services, or other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise of Kubernetes service account tokens, cloud provider API keys, or SSH private keys can lead to unauthorized access to sensitive data, privilege escalation, and lateral movement within the compromised environment. Successful credential theft can enable attackers to deploy malicious workloads, modify configurations, or steal sensitive data. In cloud environments, this could result in data breaches, resource hijacking, or service disruption. The impact is significant due to the potential for widespread access and control over critical infrastructure and data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u003cstrong\u003eElastic Defend\u003c/strong\u003e or \u003cstrong\u003eAuditd Manager\u003c/strong\u003e with command-line argument capture to collect the necessary process telemetry, as outlined in the setup instructions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Kubernetes and Cloud Credential Path Access via Process Arguments\u0026rdquo; to your SIEM and tune for your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes with unexpected parent processes or running with elevated privileges.\u003c/li\u003e\n\u003cli\u003eImplement least privilege principles for service accounts and cloud IAM roles to limit the impact of potential credential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor file access events on critical credential storage locations to detect suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-kubernetes-cloud-credential-access/","summary":"This rule detects Linux process executions that access sensitive Kubernetes, cloud, and SSH credential files via common utilities, potentially indicating credential theft.","title":"Kubernetes and Cloud Credential Path Access via Process Arguments","url":"https://feed.craftedsignal.io/briefs/2024-01-kubernetes-cloud-credential-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Eks.amazonaws.com","version":"https://jsonfeed.org/version/1.1"}