T1552.007 Elastic Security · Elastic

Detect Container API in Elastic Security

Adversaries may gather credentials via APIs within a container environment. Docker API and Kubernetes API allow remote management of containers and cluster components. An adversary with code execution on a container or with access to an exposed Docker daemon socket (/var/run/docker.sock) can collect container logs containing credentials, environment variables with secrets, and mounted secret volumes. Via Kubernetes API with a pod's service account token, adversaries can retrieve Kubernetes Secrets containing database passwords, API keys, and credentials for cloud services. Peirates is an offensive Kubernetes tool specifically designed to exploit these APIs. Unit 42 documented unsecured Docker daemons exposing credentials.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1552 Unsecured Credentials
Sub-technique
T1552.007 Container API
Canonical reference
https://attack.mitre.org/techniques/T1552/007/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where
(
  (
    event.category == "process" and
    process.name in~ ("kubectl", "kubectl.exe") and
    process.args : ("get secrets", "get secret", "describe secret", "describe secrets", "get sa", "get serviceaccount", "get serviceaccounts", "get configmap", "get configmaps", "logs", "exec")
  )
  or
  (
    event.category == "process" and
    process.name in~ ("docker", "docker.exe") and
    process.args : ("inspect", "logs", "env", "exec", "cp", "volume") and
    process.command_line : ("*secret*", "*token*", "*pass*", "*credential*", "*key*", "*inspect*", "*env*", "*docker.sock*")
  )
  or
  (
    event.category == "file" and
    file.path : "*/var/run/docker.sock" and
    not process.name in~ ("dockerd", "containerd", "docker-proxy", "docker", "moby")
  )
)
high severity high confidence

Detects credential access via container APIs by monitoring kubectl commands that retrieve secrets, service accounts, or configmaps; Docker CLI commands targeting sensitive container data (inspect, logs, env, exec); and unexpected process access to the Docker Unix socket (/var/run/docker.sock). Covers both interactive attacker activity and automated tooling like Peirates.

Data Sources

Elastic Endpoint SecurityAuditbeat (Linux process and file events)Kubernetes audit logs via Filebeat

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.file-*auditbeat-*

False Positives & Tuning

  • Legitimate DevOps engineers or CI/CD pipelines (e.g., Jenkins, GitLab Runner, ArgoCD) using kubectl to inspect secrets as part of normal deployment workflows
  • Container security scanning tools (e.g., Trivy, Falco, Anchore) that directly read /var/run/docker.sock for image and container inspection
  • Kubernetes operators and controllers (e.g., Sealed Secrets controller, external-secrets-operator) that routinely access secrets and service accounts via the Kubernetes API
Download portable Sigma rule (.yml)

Other platforms for T1552.007

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1List All Kubernetes Secrets with kubectl

    Expected signal: Linux auditd EXECVE for kubectl with 'get secrets' args. Kubernetes API audit log: GET/LIST verb on 'secrets' resource by the calling user. Network connection to Kubernetes API server (typically port 6443).

  2. Test 2Access Docker Container Environment Variables

    Expected signal: Linux auditd EXECVE for docker with 'ps' and 'inspect' commands. Docker daemon interaction via /var/run/docker.sock. Process chain: bash -> docker ps -> xargs -> docker inspect.

  3. Test 3Read Kubernetes Service Account Token

    Expected signal: Linux auditd OPEN syscall for /var/run/secrets/kubernetes.io/serviceaccount/token. EXECVE for cat command. Token content is a JWT that can be decoded to reveal the service account identity.

  4. Test 4Access Exposed Docker API

    Expected signal: Linux auditd EXECVE for curl with localhost:2375 (Docker TCP port). Network connection to 127.0.0.1:2375. If Docker TCP API is exposed on 0.0.0.0:2375, this represents a critical misconfiguration.

Last updated: 2026-04-13 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1552.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1552Unsecured Credentials

Related Sub-techniques

T1552.001Credentials In FilesT1552.002Credentials in RegistryT1552.003Bash HistoryT1552.004Private KeysT1552.005Cloud Instance Metadata APIT1552.006Group Policy PreferencesT1552.008Chat Messages

Related Techniques

T1552Unsecured CredentialsT1552.005Cloud Instance Metadata APIT1610Deploy ContainerT1611Escape to HostT1078Valid AccountsT1133External Remote ServicesT1530Data from Cloud Storage

Same Tactic: Credential Access

Popular Detections