T1552.007 CrowdStrike LogScale · LogScale

Detect Container API in CrowdStrike LogScale

Adversaries may gather credentials via APIs within a container environment. The Docker API and the Kubernetes API allow remote management of containers and cluster components. An adversary with code execution on a container, or with access to an exposed Docker daemon socket (/var/run/docker.sock), can collect container logs containing credentials, environment variables holding secrets, and mounted secret volumes. Through the Kubernetes API, using a pod's service account token, an adversary can retrieve Kubernetes Secrets containing database passwords, API keys, and credentials for cloud services. Peirates is an offensive Kubernetes tool specifically designed to exploit these APIs. Unit 42 documented unsecured Docker daemons exposing credentials.

MITRE ATT&CK

  • Tactic: Credential Access
  • Technique: T1552 Unsecured Credentials
  • Sub-technique: T1552.007 Container API
  • Canonical reference: https://attack.mitre.org/techniques/T1552/007/

LogScale Detection Query

CrowdStrike LogScale query (CQL):
// T1552.007 - Container API Credential Access
// Patterns 1 & 2: kubectl / docker CLI credential access (ProcessRollup2)
// Pattern 3: docker.sock touched by a process other than the container runtime (file write events)
// LogScale has no union pipe, so the two branches are expressed with case{}: each event lands in the
// first branch it matches and events matching neither are dropped. sum() is an aggregate in LogScale and
// cannot score a single event, so RiskScore is built from per-event field arithmetic instead.
(#event_simpleName=ProcessRollup2 OR #event_simpleName=GenericFileWrite OR #event_simpleName=PeFileWrite)
| case {
    #event_simpleName=ProcessRollup2
    | ImageFileName=/(\/|\\)(kubectl|docker)(\.exe)?$/i
    | CommandLine=/(kubectl.*(get|describe)\s+(secret|secrets|sa|serviceaccount|serviceaccounts|configmap)|kubectl\s+exec|kubectl\s+logs|docker.*(inspect|logs|exec|env|cp))/i
    | IsKubectlSecret := if(CommandLine=/(kubectl.*(get|describe).*(secret|serviceaccount|sa|configmap))/i, then="true", else="false")
    | IsDockerCred := if(CommandLine=/(docker.*(inspect|logs|exec|env).*(pass|secret|token|key|credential))/i, then="true", else="false")
    | IsDockerSock := if(CommandLine=/\/var\/run\/docker\.sock/i, then="true", else="false")
    | KubectlScore := if(IsKubectlSecret="true", then=1, else=0)
    | DockerCredScore := if(IsDockerCred="true", then=1, else=0)
    | SockScore := if(IsDockerSock="true", then=1, else=0)
    | RiskScore := KubectlScore + DockerCredScore + SockScore;
    (#event_simpleName=GenericFileWrite OR #event_simpleName=PeFileWrite)
    | TargetFileName=/\/var\/run\/docker\.sock/i
    | not ImageFileName=/(dockerd|containerd|docker-proxy|docker|cri-dockerd)$/i
    | IsKubectlSecret := "false"
    | IsDockerCred := "false"
    | IsDockerSock := "true"
    | RiskScore := 1
    | CommandLine := TargetFileName
}
// Drop CLI events that matched the broad command filter but none of the credential-specific patterns
| RiskScore > 0
// File events carry no CommandLine, so the socket path was copied into it above to keep them in the groupBy() key
| groupBy([ComputerName, UserName, CommandLine], function=[count(as=EventCount), max(RiskScore, as=MaxRisk), min(@timestamp, as=FirstSeen), max(@timestamp, as=LastSeen)])
| sort(field=MaxRisk, order=desc)
Severity: high. Confidence: high.

CrowdStrike LogScale query detecting T1552.007 using Falcon telemetry across three patterns: kubectl and Docker CLI commands that enumerate secrets, service accounts, configmaps, or extract environment variables (ProcessRollup2 events); direct access to the Docker Unix socket by non-daemon processes (file write events); and aggregated groupBy to surface hosts with repeated credential access attempts. Risk scoring and grouping reduce alert fatigue.
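To check the query's regexes and risk scoring outside LogScale before deploying it, the following is an added Python emulation of the three patterns (written for this page; it is not the page's or CrowdStrike's code). It runs the same expressions over a handful of constructed events shaped like Falcon ProcessRollup2 and file-write telemetry; the event samples, the `/tmp/peirates` path and the `score_event`/`run` names are assumptions made here.

```python
import re

# Regexes transcribed from the LogScale query above (Python re syntax, case-insensitive like the /i flag).
CLI_IMAGE = re.compile(r"[\\/](kubectl|docker)(\.exe)?$", re.I)
CLI_CMD = re.compile(
    r"(kubectl.*(get|describe)\s+(secret|secrets|sa|serviceaccount|serviceaccounts|configmap)"
    r"|kubectl\s+exec|kubectl\s+logs|docker.*(inspect|logs|exec|env|cp))", re.I)
KUBECTL_SECRET = re.compile(r"kubectl.*(get|describe).*(secret|serviceaccount|sa|configmap)", re.I)
DOCKER_CRED = re.compile(r"docker.*(inspect|logs|exec|env).*(pass|secret|token|key|credential)", re.I)
DOCKER_SOCK = re.compile(r"/var/run/docker\.sock", re.I)
DAEMON_IMAGE = re.compile(r"(dockerd|containerd|docker-proxy|docker|cri-dockerd)$", re.I)

def score_event(ev):
    """Mirror the query's per-event logic: return (RiskScore, flags), or None if the query drops the event."""
    kind = ev["event_simpleName"]
    if kind == "ProcessRollup2":  # patterns 1 & 2: kubectl / docker CLI usage
        img, cmd = ev.get("ImageFileName", ""), ev.get("CommandLine", "")
        if not (CLI_IMAGE.search(img) and CLI_CMD.search(cmd)):
            return None
        flags = {"IsKubectlSecret": bool(KUBECTL_SECRET.search(cmd)),
                 "IsDockerCred": bool(DOCKER_CRED.search(cmd)),
                 "IsDockerSock": bool(DOCKER_SOCK.search(cmd))}
        score = sum(flags.values())           # each true flag adds 1, as in the query
        return (score, flags) if score > 0 else None
    if kind in ("GenericFileWrite", "PeFileWrite"):  # pattern 3: docker.sock touched by a non-runtime process
        if DOCKER_SOCK.search(ev.get("TargetFileName", "")) and not DAEMON_IMAGE.search(ev.get("ImageFileName", "")):
            return (1, {"IsKubectlSecret": False, "IsDockerCred": False, "IsDockerSock": True})
    return None

# Constructed sample events shaped like Falcon ProcessRollup2 / file-write telemetry (not real data).
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "ImageFileName": "/usr/local/bin/kubectl",
     "CommandLine": "kubectl get secrets -n prod -o yaml"},                      # pattern 1 -> score 1
    {"event_simpleName": "ProcessRollup2", "ImageFileName": "/usr/bin/docker",
     "CommandLine": "docker -H unix:///var/run/docker.sock inspect db-1 | grep -i secret"},  # cred + sock -> 2
    {"event_simpleName": "ProcessRollup2", "ImageFileName": "/usr/local/bin/kubectl",
     "CommandLine": "kubectl get pods -n prod"},                                 # no secret-bearing resource: dropped
    {"event_simpleName": "GenericFileWrite", "ImageFileName": "/usr/bin/dockerd",
     "TargetFileName": "/var/run/docker.sock"},                                   # the daemon itself: excluded
    {"event_simpleName": "GenericFileWrite", "ImageFileName": "/tmp/peirates",
     "TargetFileName": "/var/run/docker.sock"},                                   # pattern 3 -> score 1
]

def run(events):
    """Apply score_event to every event and keep the survivors, like the query before groupBy()."""
    return [(ev.get("CommandLine") or ev.get("TargetFileName"), r[0]) for ev in events if (r := score_event(ev))]
```

Feeding the same command lines you expect from the false-positive sources listed below (SRE secret rotation, `docker inspect` in build pipelines) through `run()` is a quick way to see which tuning exclusions the query will need.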

Data Sources

  • CrowdStrike Falcon EDR endpoint telemetry (ProcessRollup2)
  • CrowdStrike Falcon file event telemetry (GenericFileWrite)
  • Falcon Data Replicator (FDR) or Humio LogScale ingest

Required Tables

  • #event_simpleName=ProcessRollup2
  • #event_simpleName=GenericFileWrite
  • #event_simpleName=PeFileWrite

False Positives & Tuning

  • Platform SREs running kubectl commands to rotate or inspect secrets during incident response or scheduled maintenance windows, especially in multi-tenant clusters
  • Container image build pipelines using docker inspect to extract metadata or layer digests as part of image provenance and SBOM generation workflows
  • Falco or Sysdig agents deployed as DaemonSets that access docker.sock for system call tracing and container inventory, appearing as unexpected socket consumers to the EDR
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: List All Kubernetes Secrets with kubectl

    Expected signal: Linux auditd EXECVE for kubectl with 'get secrets' args. Kubernetes API audit log: GET/LIST verb on 'secrets' resource by the calling user. Network connection to Kubernetes API server (typically port 6443).

  2. Test 2: Access Docker Container Environment Variables

    Expected signal: Linux auditd EXECVE for docker with 'ps' and 'inspect' commands. Docker daemon interaction via /var/run/docker.sock. Process chain: bash -> docker ps -> xargs -> docker inspect.

  3. Test 3: Read Kubernetes Service Account Token

    Expected signal: Linux auditd OPEN syscall for /var/run/secrets/kubernetes.io/serviceaccount/token. EXECVE for cat command. Token content is a JWT that can be decoded to reveal the service account identity.

  4. Test 4: Access Exposed Docker API

    Expected signal: Linux auditd EXECVE for curl with localhost:2375 (Docker TCP port). Network connection to 127.0.0.1:2375. If Docker TCP API is exposed on 0.0.0.0:2375, this represents a critical misconfiguration.
