
Kubernetes Potential Enumeration Activity

Status: experimental
Severity: medium
Log source: product kubernetes, service audit
Author: uniqu3-us3r
Source: github.com/SigmaHQ/sigma

Detects potential Kubernetes enumeration or attack activity via the audit log. This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests. Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.

MITRE ATT&CK coverage

Per the rule's tags: Execution, T1609 (Container Administration Command) and Discovery, T1613 (Container and Resource Discovery).

Rule body (yaml)

title: Kubernetes Potential Enumeration Activity
id: 597a7e84-187d-458b-9e4f-2f5a0e676711
status: experimental
description: |
    Detects potential Kubernetes enumeration or attack activity via the audit log.
    This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests.
    Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
references:
    - https://www.nccgroup.com/research/detection-engineering-for-kubernetes-clusters/
    - https://github.com/trufflesecurity/trufflehog
    - https://github.com/corneliusweig/rakkess
author: uniqu3-us3r
date: 2026-04-28
tags:
    - attack.execution
    - attack.discovery
    - attack.t1609
    - attack.t1613
logsource:
    product: kubernetes
    service: audit
detection:
    selection_status:
        responseStatus.code: 'ALLOW'
    selection_request_uri:
        requestURI|contains:
            # Shells Encoded
            - '%2fbin%2fash'
            - '%2fbin%2fbash'
            - '%2fbin%2fbusybox'
            - '%2fbin%2fdash'
            - '%2fbin%2fsh'
            - '%2fbin%2fzsh'
            # Shells Plain
            - '/bin/ash'
            - '/bin/bash'
            - '/bin/busybox'
            - '/bin/dash'
            - '/bin/sh'
            - '/bin/zsh'
            # Tools Encoded
            - '%2fusr%2fbin%2fcurl'
            - '%2fusr%2fbin%2fkubectl'
            - '%2fusr%2fbin%2fperl'
            - '%2fusr%2fbin%2fpython'
            - '%2fusr%2fbin%2fwget'
            # Tools Plain
            - '/usr/bin/curl'
            - '/usr/bin/kubectl'
            - '/usr/bin/perl'
            - '/usr/bin/python'
            - '/usr/bin/wget'
    selection_request_user_agent:
        userAgent|contains:
            - 'access_matrix'  # Rakkess
            - 'trufflehog'     # Secret scanning tool
            - 'azurehound'     # Azure/Cloud discovery
            - 'micro-scanner'  # Vulnerability scanning
    condition: selection_status and 1 of selection_request_*
falsepositives:
    - Authorized administrative maintenance via kubectl
    - Automated internal infrastructure monitoring and certificate rotation
    - Security-approved vulnerability or secret scanning in DevSecOps pipelines
level: medium
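As an added example (not part of the rule or of the SigmaHQ project), the following Python evaluator applies the rule's three selections and its condition to JSON-lines Kubernetes audit records. The records are constructed for illustration, and the `field`, `contains_any`, `rule_matches` and `matching_audit_ids` names are this example's own.

```python
import json

# Substrings taken from the rule's selection_request_uri (URL-encoded and plain forms).
URI_INDICATORS = (
    "%2fbin%2fash", "%2fbin%2fbash", "%2fbin%2fbusybox", "%2fbin%2fdash",
    "%2fbin%2fsh", "%2fbin%2fzsh", "/bin/ash", "/bin/bash", "/bin/busybox",
    "/bin/dash", "/bin/sh", "/bin/zsh", "%2fusr%2fbin%2fcurl",
    "%2fusr%2fbin%2fkubectl", "%2fusr%2fbin%2fperl", "%2fusr%2fbin%2fpython",
    "%2fusr%2fbin%2fwget", "/usr/bin/curl", "/usr/bin/kubectl",
    "/usr/bin/perl", "/usr/bin/python", "/usr/bin/wget",
)
# Substrings taken from selection_request_user_agent.
UA_INDICATORS = ("access_matrix", "trufflehog", "azurehound", "micro-scanner")

def field(event, dotted_path):
    """Resolve a Sigma dotted field name (e.g. responseStatus.code) in a JSON audit event."""
    node = event
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def contains_any(value, needles):
    """Sigma 'contains' modifier: case-insensitive substring test against a value list."""
    if value is None:
        return False
    haystack = str(value).lower()
    return any(needle.lower() in haystack for needle in needles)

def rule_matches(event):
    """condition: selection_status and 1 of selection_request_*"""
    selection_status = str(field(event, "responseStatus.code")) == "ALLOW"
    selection_request_uri = contains_any(field(event, "requestURI"), URI_INDICATORS)
    selection_request_user_agent = contains_any(field(event, "userAgent"), UA_INDICATORS)
    return selection_status and (selection_request_uri or selection_request_user_agent)

def matching_audit_ids(jsonl_lines):
    """Run the rule over JSON-lines audit records; return the auditIDs that fire, in order."""
    return [e["auditID"] for e in map(json.loads, jsonl_lines) if rule_matches(e)]

# Constructed sample audit records (not real cluster data): a pod exec whose command is
# URL-encoded with uppercase %2F, a Rakkess access check, and a routine pod list.
SAMPLE_AUDIT_LOG = [
    '{"auditID": "evt-1", "requestURI": "/api/v1/namespaces/dev/pods/web-0/exec?command=%2Fbin%2Fsh&tty=true", "userAgent": "kubectl/v1.29.0", "responseStatus": {"code": "ALLOW"}}',
    '{"auditID": "evt-2", "requestURI": "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews", "userAgent": "access_matrix/0.5 (linux/amd64)", "responseStatus": {"code": "ALLOW"}}',
    '{"auditID": "evt-3", "requestURI": "/api/v1/namespaces/dev/pods?limit=500", "userAgent": "kubectl/v1.29.0", "responseStatus": {"code": "ALLOW"}}',
]
```

`matching_audit_ids(SAMPLE_AUDIT_LOG)` returns `['evt-1', 'evt-2']`; evt-1 fires only because Sigma's `contains` is case-insensitive by default (the request carries `%2F`, the rule lists `%2f`), so a backend that compiles the rule case-sensitively would miss kubectl's encoding.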

Stages and Predicates

Stage 0: condition

selection_status and 1 of selection_request_*

Stage 1: selection_status

selection_status:
    responseStatus.code: 'ALLOW'

Stage 2: selection_request_uri

selection_request_uri:
    requestURI|contains:
        - '%2fbin%2fash'
        - '%2fbin%2fbash'
        - '%2fbin%2fbusybox'
        - '%2fbin%2fdash'
        - '%2fbin%2fsh'
        - '%2fbin%2fzsh'
        - '/bin/ash'
        - '/bin/bash'
        - '/bin/busybox'
        - '/bin/dash'
        - '/bin/sh'
        - '/bin/zsh'
        - '%2fusr%2fbin%2fcurl'
        - '%2fusr%2fbin%2fkubectl'
        - '%2fusr%2fbin%2fperl'
        - '%2fusr%2fbin%2fpython'
        - '%2fusr%2fbin%2fwget'
        - '/usr/bin/curl'
        - '/usr/bin/kubectl'
        - '/usr/bin/perl'
        - '/usr/bin/python'
        - '/usr/bin/wget'

Stage 3: selection_request_user_agent

selection_request_user_agent:
    userAgent|contains:
        - 'access_matrix'
        - 'trufflehog'
        - 'azurehound'
        - 'micro-scanner'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
requestURI | match |
  • %2fbin%2fash
  • %2fbin%2fbash
  • %2fbin%2fbusybox
  • %2fbin%2fdash
  • %2fbin%2fsh
  • %2fbin%2fzsh
  • %2fusr%2fbin%2fcurl
  • %2fusr%2fbin%2fkubectl
  • %2fusr%2fbin%2fperl
  • %2fusr%2fbin%2fpython
  • %2fusr%2fbin%2fwget
  • /bin/ash
  • /bin/bash
  • /bin/busybox
  • /bin/dash
  • /bin/sh
  • /bin/zsh
  • /usr/bin/curl
  • /usr/bin/kubectl
  • /usr/bin/perl
  • /usr/bin/python
  • /usr/bin/wget
responseStatus.code | eq |
  • ALLOW
userAgent | match |
  • access_matrix
  • azurehound
  • micro-scanner
  • trufflehog