Gcloud

This rule detects Linux process executions that access high-value Kubernetes service-account material, kubeconfig or node PKI paths, or common cloud files, potentially indicating credential theft within in-cluster and hybrid environments.

This rule detects command-line activity indicative of credential access across multiple cloud platforms (GCP, Azure, AWS, GitHub, DigitalOcean, Oracle, Kubernetes), looking for specific commands used to print or access tokens and credentials, flagging hosts where multiple cloud targets are accessed within a five-minute window, suggesting potential credential harvesting activity.

This rule detects suspicious processes, such as copy utilities or scripting tools, accessing sensitive identity files on Linux systems, including Kubernetes tokens, cloud CLI configurations, and root SSH keys, indicating potential credential theft.

This rule detects Linux process executions that access sensitive Kubernetes, cloud, and SSH credential files via common utilities, potentially indicating credential theft.