title: Container API (T1552.007)
id: df00tech-t1552-007
status: experimental
description: "Adversaries may gather credentials via APIs within a container environment. Docker API and Kubernetes API allow remote management of containers and cluster components. An adversary with code execution on a container or with access to an exposed Docker daemon socket (/var/run/docker.sock) can collect container logs containing credentials, environment variables with secrets, and mounted secret volumes. Via Kubernetes API with a pod's service account token, adversaries can retrieve Kubernetes Secrets containing database passwords, API keys, and credentials for cloud services. Peirates is an offensive Kubernetes tool specifically designed to exploit these APIs. Unit 42 documented unsecured Docker daemons exposing credentials."
references:
  - https://attack.mitre.org/techniques/T1552/007/
  - https://df00tech.com/detections/T1552.007
author: df00tech
date: 2026/04/13
tags:
  - attack.t1552.007
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - DevOps engineers and platform teams legitimately accessing Kubernetes secrets for debugging and application management
  - "CI/CD pipeline service accounts that need to read deployment secrets (Helm, ArgoCD, Flux) during application deployment"
  - "Monitoring tools (Prometheus, Grafana agents) that need access to service account tokens for cluster monitoring"
  - "Container security scanning tools (Trivy, Falco, Snyk) that inspect containers for vulnerabilities"
  - Kubernetes operators and controllers that legitimately manage secrets as part of their controller pattern
level: high