Detect Container API in Microsoft Sentinel
Adversaries may gather credentials via APIs within a container environment. Docker API and Kubernetes API allow remote management of containers and cluster components. An adversary with code execution on a container or with access to an exposed Docker daemon socket (/var/run/docker.sock) can collect container logs containing credentials, environment variables with secrets, and mounted secret volumes. Via Kubernetes API with a pod's service account token, adversaries can retrieve Kubernetes Secrets containing database passwords, API keys, and credentials for cloud services. Peirates is an offensive Kubernetes tool specifically designed to exploit these APIs. Unit 42 documented unsecured Docker daemons exposing credentials.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1552 Unsecured Credentials
- Sub-technique
- T1552.007 Container API
- Canonical reference
- https://attack.mitre.org/techniques/T1552/007/
KQL Detection Query
// Detect container API credential access
DeviceProcessEvents
| where Timestamp > ago(24h)
// Pattern 1: kubectl commands accessing secrets
| where FileName in~ ("kubectl", "kubectl.exe")
| where ProcessCommandLine has_any (
"get secrets", "get secret", "describe secret", "describe secrets",
"get sa ", "get serviceaccount", "get configmap",
"get pods -o", "logs", "exec"
)
| extend IsSecretAccess = ProcessCommandLine has_any ("secret", "serviceaccount", "sa")
| extend Pattern = "Kubectl_CredAccess"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, IsSecretAccess, Pattern
| union (
// Pattern 2: Docker API access for credentials
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("docker", "docker.exe")
| where ProcessCommandLine has_any (
"inspect", "logs", "env", "exec",
"cp ", "volume", "/var/run/docker.sock"
)
| extend Pattern = "Docker_CredAccess"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, Pattern
)
| union (
// Pattern 3: Direct docker.sock access from processes
DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has "docker.sock" or FileName =~ "docker.sock"
| where InitiatingProcessFileName !in~ ("dockerd", "containerd", "docker-proxy", "docker")
| extend Pattern = "DockerSock_UnexpectedAccess"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FolderPath, FileName,
InitiatingProcessFileName, Pattern
)
| sort by Timestamp descDetects container API credential access via three patterns: kubectl commands retrieving Kubernetes secrets, service accounts, or pod logs; Docker commands accessing container environment variables, inspection data, or logs; and unexpected process access to the Docker daemon socket (/var/run/docker.sock). Covers both legitimate tool abuse and container escape scenarios.
Data Sources
Required Tables
False Positives & Tuning
- DevOps engineers and platform teams legitimately accessing Kubernetes secrets for debugging and application management
- CI/CD pipeline service accounts that need to read deployment secrets (Helm, ArgoCD, Flux) during application deployment
- Monitoring tools (Prometheus, Grafana agents) that need access to service account tokens for cluster monitoring
- Container security scanning tools (Trivy, Falco, Snyk) that inspect containers for vulnerabilities
- Kubernetes operators and controllers that legitimately manage secrets as part of their controller pattern
Other platforms for T1552.007
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1List All Kubernetes Secrets with kubectl
Expected signal: Linux auditd EXECVE for kubectl with 'get secrets' args. Kubernetes API audit log: GET/LIST verb on 'secrets' resource by the calling user. Network connection to Kubernetes API server (typically port 6443).
- Test 2Access Docker Container Environment Variables
Expected signal: Linux auditd EXECVE for docker with 'ps' and 'inspect' commands. Docker daemon interaction via /var/run/docker.sock. Process chain: bash -> docker ps -> xargs -> docker inspect.
- Test 3Read Kubernetes Service Account Token
Expected signal: Linux auditd OPEN syscall for /var/run/secrets/kubernetes.io/serviceaccount/token. EXECVE for cat command. Token content is a JWT that can be decoded to reveal the service account identity.
- Test 4Access Exposed Docker API
Expected signal: Linux auditd EXECVE for curl with localhost:2375 (Docker TCP port). Network connection to 127.0.0.1:2375. If Docker TCP API is exposed on 0.0.0.0:2375, this represents a critical misconfiguration.
References (8)
- https://attack.mitre.org/techniques/T1552/007/
- https://docs.docker.com/engine/api/
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- https://github.com/inguardians/peirates
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md
- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/
- https://falco.org/docs/
Unlock Pro Content
Get the full detection package for T1552.007 including response playbook, investigation guide, and atomic red team tests.