Detect Container API in Google Chronicle
Adversaries may gather credentials via the APIs that manage a container environment. The Docker Engine API and the Kubernetes API allow remote management of containers and cluster components, and both hand out credentials to whoever can call them. An adversary with code execution inside a container, or with access to an exposed Docker daemon socket (/var/run/docker.sock) or TCP endpoint, can read container logs that contain credentials, inspect environment variables holding secrets, and copy out mounted secret volumes. With a pod's service account token (mounted by default at /var/run/secrets/kubernetes.io/serviceaccount/token), an adversary can query the Kubernetes API for Secrets holding database passwords, API keys and cloud credentials, limited only by what RBAC grants that service account. Peirates is an offensive Kubernetes tool that automates exactly this: harvesting service account tokens and using them to enumerate and read Secrets. Unit 42 has documented in-the-wild abuse of both unsecured Docker daemons and Kubernetes clusters (TeamTNT's Hildegard campaign).
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1552 Unsecured Credentials
- Sub-technique: T1552.007 Container API
- Canonical reference: https://attack.mitre.org/techniques/T1552/007/
YARA-L Detection Query
rule container_api_credential_access {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1552.007 — credential access via Docker and Kubernetes container APIs: kubectl secret enumeration, Docker CLI credential extraction, docker.sock opened by non-Docker processes, Kubernetes API secret reads, and raw curl/wget calls to the Docker API."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1552.007"
    mitre_attack_subtechnique = "Container API"
    reference = "https://attack.mitre.org/techniques/T1552/007/"

  events:
    // All patterns are expressed on one event variable ($e) so they can be
    // joined with `or`: YARA-L 2.0 accepts `or` between filters on the same
    // event variable, and this keeps the rule single-event with no match section.
    (
      // Pattern 1: kubectl targeting secrets, service accounts, configmaps
      // (plus the noisier exec/logs/get pods -o sub-patterns; see Tuning)
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e.target.process.file.full_path, `(^|/)kubectl$`)
      and (
        re.regex($e.target.process.command_line, `kubectl\s+(get|describe|edit|patch)\s+(secrets?|sa|serviceaccounts?|configmaps?)\b`)
        or re.regex($e.target.process.command_line, `kubectl\s+(exec|logs)\s+`)
        or re.regex($e.target.process.command_line, `kubectl\s+get\s+pods\s+-o`)
      )
    )
    or (
      // Pattern 2: Docker CLI subcommands combined with a credential keyword.
      // `nocase` is required: env var names such as AWS_SECRET_ACCESS_KEY
      // and TOKEN are upper-case and a case-sensitive match misses them.
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e.target.process.file.full_path, `(^|/)docker$`)
      and re.regex($e.target.process.command_line, `docker\s+(inspect|logs|exec|env|cp|run)\b`)
      and re.regex($e.target.process.command_line, `(pass|secret|token|credential|key|aws|gcp|azure)`) nocase
    )
    or (
      // Pattern 3: docker.sock opened by a process outside the Docker stack.
      // /var/run is normally a symlink to /run, so both spellings are matched.
      $e.metadata.event_type = "FILE_OPEN"
      and re.regex($e.target.file.full_path, `^/(var/)?run/docker\.sock$`)
      and not re.regex($e.principal.process.file.full_path, `(^|/)(dockerd|containerd|docker-proxy|docker|moby|cri-dockerd)$`)
    )
    or (
      // Pattern 4: Kubernetes API audit — secret read by a non-system principal
      $e.metadata.event_type = "RESOURCE_READ"
      and $e.metadata.product_name = "Kubernetes"
      and $e.target.resource.type = "secrets"
      and $e.network.http.method = "GET"
      and not re.regex($e.principal.user.userid, `^system:(serviceaccount:kube-system:|node:)`)
    )
    or (
      // Pattern 5: raw Docker API calls that bypass the docker CLI, i.e. curl
      // or wget against the Unix socket or the TCP port (2375 plaintext, 2376 TLS)
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e.target.process.command_line, `(^|/|\s)(curl|wget)\s.*(--unix-socket\s+/(var/)?run/docker\.sock|:237[56]\b)`)
    )

  condition:
    $e
}
Chronicle YARA-L 2.0 rule detecting T1552.007 container API credential access across five behavioural patterns on a single UDM event variable: kubectl secret/serviceaccount enumeration from process command lines, Docker CLI subcommands combined with credential keywords, docker.sock opened by a process outside the Docker stack, Kubernetes API server audit events for secret reads by non-system principals, and curl/wget calls to the Docker API over the socket or TCP 2375/2376. Because the rule is single-event, it alerts once per matching event; add a match section keyed on $e.principal.hostname with a time window if you want one alert per host instead.
Data Sources
- Endpoint process launch telemetry (UDM PROCESS_LAUNCH) from an EDR or Linux auditd on container hosts, CI runners and admin workstations where kubectl and docker are run, with the full command line preserved (Patterns 1, 2 and 5)
- Endpoint file open telemetry (UDM FILE_OPEN) on container hosts, with the opening process path populated (Pattern 3)
- Kubernetes API server audit logs ingested into Chronicle as RESOURCE_READ events with resource type, HTTP method and requesting user populated (Pattern 4). Audit logging is off by default on kube-apiserver; it must be enabled with an audit policy that records the secrets resource at Metadata level or above, and managed clusters expose it through their own control-plane logging
False Positives & Tuning
- Secret-management controllers running inside the cluster (External Secrets Operator, Vault integrations, cert-manager) that legitimately GET or LIST secrets from the API server; allowlist their service accounts by namespace and name in Pattern 4 rather than widening the system: prefix exclusion
- CI/CD runners that bind-mount the host's docker.sock into the build container (the "Docker-outside-of-Docker" pattern often labelled DinD) so that the build's docker CLI or a language Docker SDK drives the host daemon; the opening process is the SDK's interpreter, not a binary on the Pattern 3 allowlist
- Container monitoring and management agents that mount docker.sock by design (Portainer, Traefik's Docker provider, cAdvisor); extend the Pattern 3 allowlist with their specific binary paths rather than directory-wide wildcards
- Developers and pipelines running kubectl exec, kubectl logs and kubectl get pods -o ...; these are routine and will dominate the volume on this rule, so scope those sub-patterns of Pattern 1 to production clusters or privileged namespaces, or alert only on the secrets sub-pattern
- Security operations teams running Peirates, kube-hunter, or similar audit tools against their own clusters as part of authorized red team or vulnerability assessment exercises
Testing Methodology
Validate this detection against the four Atomic Red Team tests for T1552.007. Each test below lists the behaviour to exercise, the telemetry you should expect to see, and which part of the rule (if any) it exercises. Executable commands and cleanup steps are available with Pro.
- Test 1: List All Kubernetes Secrets with kubectl
Expected signal: Linux auditd EXECVE for kubectl with 'get secrets' args (Pattern 1). Kubernetes API audit log: a list verb on the 'secrets' resource by the calling user, carried as an HTTP GET, which is what Pattern 4 keys on. Network connection to the Kubernetes API server (typically port 6443).
- Test 2: Access Docker Container Environment Variables
Expected signal: Linux auditd EXECVE for docker with 'ps' and 'inspect' commands. Docker daemon interaction via /var/run/docker.sock. Process chain: bash -> docker ps -> xargs -> docker inspect. Caveat: neither command line carries a credential keyword, and the docker CLI is on the docker.sock allowlist, so the rule as written does not fire on this test; if you want coverage here, match 'docker inspect' without the keyword requirement and accept the added volume.
- Test 3: Read Kubernetes Service Account Token
Expected signal: Linux auditd OPEN syscall for /var/run/secrets/kubernetes.io/serviceaccount/token. EXECVE for cat command. Token content is a JWT whose payload names the namespace and service account. Caveat: every Kubernetes client library reads this file at startup, so the rule has no pattern for the read itself; expect the alert on the follow-on API use (Pattern 4) rather than on this step.
- Test 4: Access Exposed Docker API
Expected signal: Linux auditd EXECVE for curl with localhost:2375 (Docker TCP port). Network connection to 127.0.0.1:2375. Port 2375 is the unauthenticated plaintext Docker API; exposing it on 0.0.0.0 gives anyone who can reach it root-equivalent control of the host and is a critical misconfiguration (2376 is the TLS port and is only safe with client-certificate verification). Check that the rule matches the curl or wget command line against :2375 and not only the docker CLI binary; otherwise this test leaves no endpoint signal the rule keys on.
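To check the rule's regexes and allowlists before deploying it, here is an added example (not code from the original page, from Chronicle or from Argus) that re-implements the rule's patterns in Python and runs them over constructed UDM-shaped events covering the four tests above and the false-positive cases from the tuning list. It also includes a curl/wget check against the Docker socket or TCP 2375, which is the endpoint signal Test 4 expects. The event dicts, the helper functions (field, classify, process_launch, file_open, k8s_audit, run) and the pattern names are this example's own.

```python
"""Offline check of the container_api_credential_access rule logic.

Added example for this page, not code from the original page, from Chronicle
or from Argus. It re-implements the rule's patterns in Python and runs them
over constructed UDM-shaped events. Field paths mirror the UDM paths in the
rule; YARA-L's re.regex is an unanchored search, so re.search is used here.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

Event = Dict[str, Any]

KUBECTL_BIN = re.compile(r"(^|/)kubectl$")
KUBECTL_SECRETS = re.compile(
    r"kubectl\s+(get|describe|edit|patch)\s+(secrets?|sa|serviceaccounts?|configmaps?)\b")
KUBECTL_NOISY = re.compile(r"kubectl\s+(exec|logs)\s+|kubectl\s+get\s+pods\s+-o")
DOCKER_BIN = re.compile(r"(^|/)docker$")
DOCKER_SUBCMD = re.compile(r"docker\s+(inspect|logs|exec|env|cp|run)\b")
# Case-insensitive (YARA-L `nocase`) so AWS_SECRET_ACCESS_KEY is caught.
CRED_KEYWORD = re.compile(r"pass|secret|token|credential|key|aws|gcp|azure", re.I)
# /var/run is normally a symlink to /run, so accept both spellings.
DOCKER_SOCK = re.compile(r"^/(var/)?run/docker\.sock$")
SOCK_ALLOWLIST = re.compile(r"(^|/)(dockerd|containerd|docker-proxy|docker|moby|cri-dockerd)$")
K8S_SYSTEM_PRINCIPAL = re.compile(r"^system:(serviceaccount:kube-system:|node:)")
# Raw Docker API use that bypasses the docker CLI: curl/wget against the Unix
# socket or the TCP port (2375 plaintext, 2376 TLS).
RAW_DOCKER_API = re.compile(
    r"(^|/|\s)(curl|wget)\s.*(--unix-socket\s+/(var/)?run/docker\.sock|:237[56]\b)")


def field(event: Event, path: str) -> str:
    """Walk a dotted UDM path through nested dicts; missing fields read as ''."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return ""
        node = node[part]
    return node if isinstance(node, str) else ""


def classify(event: Event) -> Optional[str]:
    """Return the name of the first rule pattern the event satisfies, or None."""
    etype = field(event, "metadata.event_type")
    if etype == "PROCESS_LAUNCH":
        path = field(event, "target.process.file.full_path")
        cmd = field(event, "target.process.command_line")
        if KUBECTL_BIN.search(path) and (KUBECTL_SECRETS.search(cmd) or KUBECTL_NOISY.search(cmd)):
            return "kubectl_secret_access"
        if DOCKER_BIN.search(path) and DOCKER_SUBCMD.search(cmd) and CRED_KEYWORD.search(cmd):
            return "docker_cli_credential_extraction"
        if RAW_DOCKER_API.search(cmd):
            return "raw_docker_api_call"
    elif etype == "FILE_OPEN":
        opener = field(event, "principal.process.file.full_path")
        if DOCKER_SOCK.search(field(event, "target.file.full_path")) and not SOCK_ALLOWLIST.search(opener):
            return "docker_sock_unexpected_process"
    elif etype == "RESOURCE_READ":
        if (field(event, "metadata.product_name") == "Kubernetes"
                and field(event, "target.resource.type") == "secrets"
                and field(event, "network.http.method") == "GET"
                and not K8S_SYSTEM_PRINCIPAL.search(field(event, "principal.user.userid"))):
            return "k8s_api_secret_read"
    return None


# Constructors for constructed sample events in the shape the rule expects.
def process_launch(path: str, cmd: str) -> Event:
    return {"metadata": {"event_type": "PROCESS_LAUNCH"},
            "target": {"process": {"file": {"full_path": path}, "command_line": cmd}}}


def file_open(path: str, opened_by: str) -> Event:
    return {"metadata": {"event_type": "FILE_OPEN"},
            "target": {"file": {"full_path": path}},
            "principal": {"process": {"file": {"full_path": opened_by}}}}


def k8s_audit(resource: str, method: str, userid: str) -> Event:
    return {"metadata": {"event_type": "RESOURCE_READ", "product_name": "Kubernetes"},
            "target": {"resource": {"type": resource}},
            "network": {"http": {"method": method}},
            "principal": {"user": {"userid": userid}}}


# Constructed sample telemetry: the four tests plus false-positive cases from the
# tuning list. None of it is captured from a real system.
SAMPLE_EVENTS: List[Tuple[str, Event]] = [
    ("test1 kubectl get secrets", process_launch("/usr/local/bin/kubectl", "kubectl get secrets -A -o yaml")),
    ("test2 docker inspect, no keyword", process_launch("/usr/bin/docker", "docker inspect 3f2a1c9b7e0d")),
    ("docker exec printenv AWS key", process_launch("/usr/bin/docker", "docker exec app printenv AWS_SECRET_ACCESS_KEY")),
    ("test3 cat SA token", file_open("/var/run/secrets/kubernetes.io/serviceaccount/token", "/usr/bin/cat")),
    ("test4 curl tcp 2375", process_launch("/usr/bin/curl", "curl -s http://127.0.0.1:2375/containers/json")),
    ("dockerd opens socket", file_open("/var/run/docker.sock", "/usr/bin/dockerd")),
    ("python opens /run/docker.sock", file_open("/run/docker.sock", "/usr/bin/python3")),
    ("kube-system SA reads secrets", k8s_audit("secrets", "GET", "system:serviceaccount:kube-system:replicaset-controller")),
    ("app SA reads secrets", k8s_audit("secrets", "GET", "system:serviceaccount:default:webapp")),
]


def run(events: List[Tuple[str, Event]]) -> Dict[str, Optional[str]]:
    """Classify every labelled event; each label maps to the pattern hit, or None."""
    return {label: classify(ev) for label, ev in events}
```

Calling run(SAMPLE_EVENTS) shows the coverage gaps discussed above directly: the Test 2 "docker inspect" line and the Test 3 token read return None, dockerd and the kube-system service account are excluded by the allowlists, and the python3 process opening /run/docker.sock is caught only because the socket regex accepts the /run spelling.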
References
- https://attack.mitre.org/techniques/T1552/007/
- https://docs.docker.com/engine/api/
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- https://github.com/inguardians/peirates
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md
- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/
- https://falco.org/docs/