T1552.007 Splunk · SPL

Detect Container API in Splunk

Adversaries may gather credentials via APIs within a container environment. Docker API and Kubernetes API allow remote management of containers and cluster components. An adversary with code execution on a container or with access to an exposed Docker daemon socket (/var/run/docker.sock) can collect container logs containing credentials, environment variables with secrets, and mounted secret volumes. Via Kubernetes API with a pod's service account token, adversaries can retrieve Kubernetes Secrets containing database passwords, API keys, and credentials for cloud services. Peirates is an offensive Kubernetes tool specifically designed to exploit these APIs. Unit 42 documented unsecured Docker daemons exposing credentials.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1552 Unsecured Credentials
Sub-technique
T1552.007 Container API
Canonical reference
https://attack.mitre.org/techniques/T1552/007/

SPL Detection Query

Splunk (SPL)
spl 
index=linux_audit OR index=kubernetes (sourcetype="linux_audit" OR sourcetype="kube:audit")
(
  sourcetype="linux_audit" type=EXECVE
  (a0="kubectl" OR a0="docker")
| eval CommandLine=mvjoin(mvappend(a0,a1,a2,a3,a4,a5,a6), " ")
| eval IsKubectlSecret=if(match(CommandLine, "kubectl.*(get|describe|edit).*(secret|serviceaccount|sa|configmap)"), 1, 0)
| eval IsDockerCred=if(match(CommandLine, "docker.*(inspect|logs|exec|env)") AND match(CommandLine, "(pass|secret|token|credential|key)"), 1, 0)
| eval IsDockerSock=if(match(CommandLine, "/var/run/docker\.sock"), 1, 0)
| eval RiskScore=IsKubectlSecret + IsDockerCred + IsDockerSock
| where RiskScore > 0
| table _time, host, auid, CommandLine, IsKubectlSecret, IsDockerCred, IsDockerSock, RiskScore
)
OR
(
  sourcetype="kube:audit"
  (verb IN ("get", "list", "watch") AND resource IN ("secrets", "serviceaccounts", "configmaps"))
  NOT 'user.username' IN ("system:serviceaccount:kube-system:*", "system:node:*")
| eval Accessor='user.username'
| eval Resource=resource
| eval Namespace='objectRef.namespace'
| eval SecretName='objectRef.name'
| eval AlertType="K8s_SecretAccess"
| table _time, Accessor, Resource, Namespace, SecretName, 'sourceIPs{}'  , AlertType
)
| sort - _time
high severity medium confidence

Detects container credential access using Linux auditd (kubectl/docker EXECVE events with credential-related subcommands and risk scoring) and Kubernetes API audit logs (verb=get/list/watch on secrets/serviceaccounts/configmaps from non-system accounts). The K8s audit log source provides the richest container credential access telemetry.

Data Sources

Process: Process CreationKubernetes API Audit Logslinux_audit EXECVE events

Required Sourcetypes

linux_auditkube:audit

False Positives & Tuning

  • DevOps engineers accessing Kubernetes secrets for debugging
  • CI/CD pipeline service accounts reading deployment secrets
  • Monitoring tools accessing service account tokens
  • Container security scanning tools inspecting containers
  • Kubernetes operators managing secrets via controller pattern
Download portable Sigma rule (.yml)

Other platforms for T1552.007

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1List All Kubernetes Secrets with kubectl

    Expected signal: Linux auditd EXECVE for kubectl with 'get secrets' args. Kubernetes API audit log: GET/LIST verb on 'secrets' resource by the calling user. Network connection to Kubernetes API server (typically port 6443).

  2. Test 2Access Docker Container Environment Variables

    Expected signal: Linux auditd EXECVE for docker with 'ps' and 'inspect' commands. Docker daemon interaction via /var/run/docker.sock. Process chain: bash -> docker ps -> xargs -> docker inspect.

  3. Test 3Read Kubernetes Service Account Token

    Expected signal: Linux auditd OPEN syscall for /var/run/secrets/kubernetes.io/serviceaccount/token. EXECVE for cat command. Token content is a JWT that can be decoded to reveal the service account identity.

  4. Test 4Access Exposed Docker API

    Expected signal: Linux auditd EXECVE for curl with localhost:2375 (Docker TCP port). Network connection to 127.0.0.1:2375. If Docker TCP API is exposed on 0.0.0.0:2375, this represents a critical misconfiguration.

Last updated: 2026-04-13 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1552.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1552Unsecured Credentials

Related Sub-techniques

T1552.001Credentials In FilesT1552.002Credentials in RegistryT1552.003Bash HistoryT1552.004Private KeysT1552.005Cloud Instance Metadata APIT1552.006Group Policy PreferencesT1552.008Chat Messages

Related Techniques

T1552Unsecured CredentialsT1552.005Cloud Instance Metadata APIT1610Deploy ContainerT1611Escape to HostT1078Valid AccountsT1133External Remote ServicesT1530Data from Cloud Storage

Same Tactic: Credential Access

Popular Detections