
Kubernetes Potential Enumeration Activity (597a7e84-187d-458b-9e4f-2f5a0e676711)

Detects potential Kubernetes enumeration or attack activity via the audit log. This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests. Attackers use these methods to perform reconnaissance (enumeration), harvest secrets, or execute code (exec) within a cluster.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Kubernetes Potential Enumeration Activity (597a7e84-187d-458b-9e4f-2f5a0e676711) | Sigma-Rules | Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1) | Attack Pattern | 1 |
| Kubernetes Potential Enumeration Activity (597a7e84-187d-458b-9e4f-2f5a0e676711) | Sigma-Rules | Container and Resource Discovery - T1613 (0470e792-32f8-46b0-a351-652bc35e9336) | Attack Pattern | 1 |