Which SIEM platforms have a T1552.007 detection rule?

df00tech provides T1552.007 (Container API) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Container API (T1552.007)?

Detecting Container API requires the following data sources: Process: Process Creation, Command: Command Execution, File: File Access.

What severity and confidence is the T1552.007 detection?

The T1552.007 detection is rated high severity with medium confidence.

What are common false positives for T1552.007?

Common false positives for T1552.007 include: DevOps engineers and platform teams legitimately accessing Kubernetes secrets for debugging and application management; CI/CD pipeline service accounts that need to read deployment secrets (Helm, ArgoCD, Flux) during application deployment; Monitoring tools (Prometheus, Grafana agents) that need access to service account tokens for cluster monitoring.

T1552.007 IBM QRadar · QRadar

Detect Container API in IBM QRadar

Adversaries may gather credentials via APIs within a container environment. Docker API and Kubernetes API allow remote management of containers and cluster components. An adversary with code execution on a container or with access to an exposed Docker daemon socket (/var/run/docker.sock) can collect container logs containing credentials, environment variables with secrets, and mounted secret volumes. Via Kubernetes API with a pod's service account token, adversaries can retrieve Kubernetes Secrets containing database passwords, API keys, and credentials for cloud services. Peirates is an offensive Kubernetes tool specifically designed to exploit these APIs. Unit 42 documented unsecured Docker daemons exposing credentials.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1552 Unsecured Credentials
Sub-technique: T1552.007 Container API
Canonical reference: https://attack.mitre.org/techniques/T1552/007/

QRadar Detection Query

IBM QRadar (QRadar)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  LOGSOURCETYPENAME(logsourceid) AS LogSourceType,
  hostname AS Hostname,
  CASE
    WHEN "Command" ILIKE '%kubectl%' AND ("Command" ILIKE '%secret%' OR "Command" ILIKE '%serviceaccount%' OR "Command" ILIKE '%configmap%') THEN 1
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%docker%' AND ("Command" ILIKE '%inspect%' OR "Command" ILIKE '%logs%' OR "Command" ILIKE '%exec%' OR "Command" ILIKE '%env%') THEN 1
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%docker.sock%' THEN 1
    ELSE 0
  END AS RiskScore
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) IN ('Linux OS', 'Universal DSM', 'Kubernetes Audit Log')
  AND (
    (
      "Command" ILIKE '%kubectl%' AND
      (
        "Command" ILIKE '%get secret%' OR
        "Command" ILIKE '%describe secret%' OR
        "Command" ILIKE '%get sa %' OR
        "Command" ILIKE '%get serviceaccount%' OR
        "Command" ILIKE '%get configmap%' OR
        "Command" ILIKE '% logs %' OR
        "Command" ILIKE '% exec %'
      )
    )
    OR (
      "Command" ILIKE '%docker%' AND
      (
        "Command" ILIKE '%inspect%' OR
        "Command" ILIKE '%logs%' OR
        "Command" ILIKE '%exec%' OR
        "Command" ILIKE '% env%'
      ) AND
      (
        "Command" ILIKE '%pass%' OR
        "Command" ILIKE '%secret%' OR
        "Command" ILIKE '%token%' OR
        "Command" ILIKE '%key%' OR
        "Command" ILIKE '%credential%'
      )
    )
    OR "Command" ILIKE '%/var/run/docker.sock%'
  )
  AND starttime > NOW() - 86400000
ORDER BY RiskScore DESC, starttime DESC
LIMIT 1000

high severity medium confidence

AQL query detecting container API credential access via three patterns: kubectl commands retrieving secrets/service accounts/configmaps, Docker CLI commands extracting environment variables or inspecting containers for credentials, and unexpected processes accessing the Docker Unix socket. Risk scoring combines all three indicators.

Data Sources

IBM QRadar SIEM with Linux OS log sourceKubernetes Audit Log DSMUniversal DSM for auditd EXECVE events

Required Tables

events

False Positives & Tuning

DevSecOps pipelines with automated credential rotation jobs that legitimately read Kubernetes secrets for injection into deployment manifests
Monitoring agents such as Datadog, New Relic, or Prometheus node-exporters that access Docker socket for container metrics collection
Platform engineering teams running kubectl commands to audit RBAC policies or troubleshoot pod-level service account permissions

Download portable Sigma rule (.yml)

Other platforms for T1552.007

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1List All Kubernetes Secrets with kubectl
Expected signal: Linux auditd EXECVE for kubectl with 'get secrets' args. Kubernetes API audit log: GET/LIST verb on 'secrets' resource by the calling user. Network connection to Kubernetes API server (typically port 6443).
Test 2Access Docker Container Environment Variables
Expected signal: Linux auditd EXECVE for docker with 'ps' and 'inspect' commands. Docker daemon interaction via /var/run/docker.sock. Process chain: bash -> docker ps -> xargs -> docker inspect.
Test 3Read Kubernetes Service Account Token
Expected signal: Linux auditd OPEN syscall for /var/run/secrets/kubernetes.io/serviceaccount/token. EXECVE for cat command. Token content is a JWT that can be decoded to reveal the service account identity.
Test 4Access Exposed Docker API
Expected signal: Linux auditd EXECVE for curl with localhost:2375 (Docker TCP port). Network connection to 127.0.0.1:2375. If Docker TCP API is exposed on 0.0.0.0:2375, this represents a critical misconfiguration.

Last updated: 2026-04-13 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1552.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Container API in IBM QRadar

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1552.007

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Credential Access

Popular Detections

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1552.007

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Credential Access

Popular Detections

Get new detections in your inbox