{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/k3s/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon EKS","Azure","gcloud","Confluence Data Center","Docker","Kubernetes","K3s"],"_cs_severities":["high"],"_cs_tags":["credential-access","threat-detection","kubernetes","cloud","linux"],"_cs_type":"advisory","_cs_vendors":["Amazon","Microsoft","Google","Atlassian","Docker","Kubernetes","Rancher"],"content_html":"\u003cp\u003eThis detection identifies Linux processes executing commands that include arguments referencing sensitive Kubernetes and cloud credentials. This includes paths to Kubernetes service account tokens, kubeconfigs, node PKI keys, and common cloud configuration files, such as AWS, Azure, and gcloud credentials. The rule focuses on processes that are common file-reading utilities (e.g., cat, head, grep) or that run from ephemeral directories (/tmp, /var/tmp), both of which attackers frequently use when stealing credentials. This behavior often indicates unauthorized access or lateral movement within a compromised environment, and catching it is critical for detecting in-cluster and hybrid cloud credential theft early in the attack lifecycle.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system, for example by exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates accessible resources to identify targets, including Kubernetes and cloud credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses common file-reading utilities such as \u003ccode\u003ecat\u003c/code\u003e, \u003ccode\u003ehead\u003c/code\u003e, \u003ccode\u003egrep\u003c/code\u003e, or \u003ccode\u003efind\u003c/code\u003e to locate and read sensitive files and directories.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands whose arguments reference well-known paths holding Kubernetes service account tokens, kubeconfigs, node PKI keys, or cloud provider credentials (AWS, Azure, gcloud).\u003c/li\u003e\n\u003cli\u003eThe attacker may copy these files to a staging directory such as \u003ccode\u003e/tmp\u003c/code\u003e, \u003ccode\u003e/var/tmp\u003c/code\u003e, or \u003ccode\u003e/dev/shm\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen credentials using tools like \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003escp\u003c/code\u003e, or \u003ccode\u003ersync\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to access sensitive Kubernetes resources, cloud services, or other internal systems.\u003c/li\u003e\n\u003cli\u003eThe attacker expands their access and control within the environment, potentially leading to data exfiltration or other malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful credential theft gives the attacker unauthorized access to sensitive Kubernetes resources, cloud services, and internal systems. This can result in data breaches, service disruption, and further lateral movement within the compromised environment. The stolen credentials can be used to create new resources, modify existing configurations, or access sensitive data stored in the cloud, causing significant financial and reputational damage to the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u003cstrong\u003eElastic Defend\u003c/strong\u003e and/or \u003cstrong\u003eAuditd Manager\u003c/strong\u003e process telemetry (\u003ccode\u003elogs-endpoint.events.process*\u003c/code\u003e, \u003ccode\u003elogs-auditd_manager.auditd-*\u003c/code\u003e, \u003ccode\u003eauditbeat-*\u003c/code\u003e) with command-line argument capture for exec events, as described in the rule setup; without the arguments the rule has nothing to match.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eKubernetes and Cloud Credential Path Access via Process Arguments\u003c/code\u003e to your SIEM and tune it for your environment: filter the specific parent processes, images, or automation identities that legitimately access these paths, as suggested in the rule \u003ccode\u003efalse_positives\u003c/code\u003e section, to avoid alert fatigue.\u003c/li\u003e\n\u003cli\u003eBecause the rule keys on command-line arguments, it cannot see reads performed through a language runtime (for example a Python or Go program opening the token file) or by a copied utility running under another name outside the watched temporary directories; treat it as one signal and pair it with file-access auditing of the same paths where your telemetry supports it.\u003c/li\u003e\n\u003cli\u003eReview RBAC and secret mount policies for Kubernetes workloads to minimize the potential impact of credential theft, referencing the recommendations in the rule \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-01T10:10:27Z","date_published":"2026-06-01T10:10:27Z","id":"https://feed.craftedsignal.io/briefs/2026-06-kubernetes-cloud-credential-access/","summary":"This rule detects Linux process executions that access high-value Kubernetes service-account material, kubeconfig or node PKI paths, or common cloud-provider credential files, potentially indicating credential theft within in-cluster and hybrid environments.","title":"Kubernetes and Cloud Credential Path Access via Process Arguments","url":"https://feed.craftedsignal.io/briefs/2026-06-kubernetes-cloud-credential-access/"}],"language":"en","title":"CraftedSignal Threat Feed — K3s","version":"https://jsonfeed.org/version/1.1"}
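The detection logic the brief describes (a credential path in the command line, combined with either a file-reading utility or an executable under an ephemeral directory, minus the parent/identity allowlist the false_positives tuning calls for), run over constructed sample exec events. This is an added example, not the CraftedSignal brief's or the Sigma rule's own content: the path list, the reader-utility set, the event layout and the sample events are assumptions chosen to illustrate the logic, not taken from the rule.

```python
"""Reference detection for the brief above: flag exec events whose command
line references a Kubernetes or cloud credential path when the process is a
file-reading utility or runs from an ephemeral directory, with the
parent/identity allowlist the false_positives tuning calls for.

Added example, not the CraftedSignal brief's or the Sigma rule's own content.
The path list, reader-utility set, event layout and sample events are
assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Assumed credential locations (well-known defaults; the rule's real list is not on the page).
# The token pattern is unanchored, so it matches both /run/... and /var/run/....
CREDENTIAL_PATHS = (
    ("k8s_serviceaccount", re.compile(r"/run/secrets/kubernetes\.io/serviceaccount/")),
    ("kubeconfig", re.compile(r"/\.kube/config|/etc/kubernetes/admin\.conf|/etc/rancher/k3s/k3s\.yaml")),
    ("node_pki", re.compile(r"/var/lib/kubelet/pki/")),
    ("aws", re.compile(r"/\.aws/(?:credentials|config)\b")),
    ("azure", re.compile(r"/\.azure/")),
    ("gcloud", re.compile(r"/\.config/gcloud/")),
)
# Assumed reader-utility set; the brief itself names cat, head, grep and find.
READER_UTILITIES = frozenset({"cat", "head", "tail", "grep", "find", "cp", "base64"})
# Ephemeral directories named in the brief.
EPHEMERAL_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal exec event (assumed layout, loosely ECS-shaped)."""
    name: str               # process.name
    executable: str         # process.executable
    args: Tuple[str, ...]   # process.args
    parent_name: str        # process.parent.name
    user_name: str          # user.name


@dataclass(frozen=True)
class Alert:
    event: ProcessEvent
    trigger: str                       # "reader-utility" or "ephemeral-executable"
    credential_types: Tuple[str, ...]  # labels from CREDENTIAL_PATHS that matched


def evaluate(event: ProcessEvent,
             allow_parents: FrozenSet[str] = frozenset(),
             allow_users: FrozenSet[str] = frozenset()) -> Optional[Alert]:
    """Return an Alert when the event matches the rule and is not tuned out."""
    # Join args so "--kubeconfig=/path" and "--kubeconfig /path" are treated alike.
    cmdline = " ".join(event.args)
    hits = tuple(label for label, rx in CREDENTIAL_PATHS if rx.search(cmdline))
    if not hits:
        return None
    if event.name in READER_UTILITIES:
        trigger = "reader-utility"
    elif event.executable.startswith(EPHEMERAL_DIRS):
        trigger = "ephemeral-executable"
    else:
        return None  # e.g. "kubectl --kubeconfig ..." is expected use and out of scope
    # false_positives tuning: known parents or automation identities are allowed.
    if event.parent_name in allow_parents or event.user_name in allow_users:
        return None
    return Alert(event, trigger, hits)


def run_detection(events, allow_parents=frozenset(), allow_users=frozenset()) -> List[Alert]:
    alerts = []
    for event in events:
        alert = evaluate(event, allow_parents, allow_users)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = (
    ProcessEvent("cat", "/usr/bin/cat",
                 ("cat", "/var/run/secrets/kubernetes.io/serviceaccount/token"), "sh", "www-data"),
    ProcessEvent("grep", "/usr/bin/grep",
                 ("grep", "-r", "aws_secret_access_key", "/home/dev/.aws/credentials"), "bash", "dev"),
    ProcessEvent("exfil", "/tmp/.dl/exfil",
                 ("exfil", "--kubeconfig=/etc/rancher/k3s/k3s.yaml", "--out", "/dev/shm/k"), "bash", "root"),
    ProcessEvent("kubectl", "/usr/local/bin/kubectl",
                 ("kubectl", "--kubeconfig", "/root/.kube/config", "get", "pods"), "bash", "ops"),
    ProcessEvent("cat", "/usr/bin/cat",
                 ("cat", "/var/lib/kubelet/pki/kubelet.key"), "node-backup", "root"),
    ProcessEvent("ls", "/usr/bin/ls", ("ls", "-la", "/etc"), "bash", "dev"),
    # Blind spot: the runtime reads the token, not a listed utility, and not from /tmp.
    ProcessEvent("python3", "/usr/bin/python3",
                 ("python3", "-c", "print(open('/run/secrets/kubernetes.io/serviceaccount/token').read())"),
                 "bash", "www-data"),
)


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS, allow_parents=frozenset({"node-backup"})):
        print(f"{alert.trigger:20} {alert.credential_types} :: {' '.join(alert.event.args)}")
```

With the hypothetical `node-backup` parent allowlisted, the run flags the token read, the grep over the AWS credentials file and the /tmp binary passing a K3s kubeconfig, and stays quiet on the kubectl invocation (a credential path in the arguments alone is not enough under this rule's focus), on the allowlisted kubelet key read, and on the python3 one-liner, which is exactly the runtime-read gap the recommendation above tells you to cover with file-access auditing.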