Kubernetes Potential Enumeration Activity

Rule Info

Name: Kubernetes Potential Enumeration Activity
Author: uniqu3-us3r
Description: Detects potential Kubernetes enumeration or attack activity via the audit log. This includes the execution of common shells, utilities, or specialized tools such as 'Rakkess' (access_matrix) and 'TruffleHog' through Kubernetes API requests. Attackers use these methods to perform reconnaissance (enumeration), harvest secrets, or execute code (exec) within a cluster.
Date: 2026-04-28 00:00:00
Modified: None
Id: 597a7e84-187d-458b-9e4f-2f5a0e676711
Tags: attack.execution attack.discovery attack.t1609 attack.t1613
Type: Community Rule
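As an added illustration of the behaviour the description covers (this is not the rule's own detection logic, which is not reproduced on this page), the Python below scans newline-delimited kube-apiserver audit events for pods/exec requests whose executable is a shell or one of the named tools. The requestURI, objectRef and user fields are standard audit event fields; the watchlist contents and the sample events are constructed for this example.

```python
import json
import posixpath
from urllib.parse import urlsplit, parse_qs

# Executable names drawn from the rule description (shells, Rakkess/access_matrix,
# TruffleHog). The set itself is constructed for this example, not the rule's list.
WATCHED_BINARIES = {
    "sh", "bash", "dash", "ash", "zsh",
    "rakkess", "kubectl-access_matrix", "access_matrix",
    "trufflehog",
}


def exec_command_from_uri(request_uri):
    """Return the argv of a pods/exec request, or [] if the URI carries none.

    kube-apiserver records the exec command as repeated 'command' query
    parameters, e.g. ...?command=sh&command=-c&command=id (URL-encoded).
    """
    return parse_qs(urlsplit(request_uri).query).get("command", [])


def check_event(event):
    """Flag one audit event if it is an exec whose argv[0] is on the watchlist."""
    ref = event.get("objectRef") or {}
    if ref.get("resource") != "pods" or ref.get("subresource") != "exec":
        return None
    argv = exec_command_from_uri(event.get("requestURI", ""))
    if not argv:
        return None
    # Compare on the basename so /bin/bash and bash are treated alike.
    binary = posixpath.basename(argv[0]).lower()
    if binary not in WATCHED_BINARIES:
        return None
    return {
        "user": (event.get("user") or {}).get("username", "<unknown>"),
        "namespace": ref.get("namespace"),
        "pod": ref.get("name"),
        "binary": binary,
        "argv": argv,
    }


def scan_audit_log(text):
    """Run check_event over JSON-lines audit output, skipping malformed lines."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or non-JSON line must not abort the scan
        hit = check_event(event)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample events: two watched exec calls, one benign exec, one list
# request without a subresource, and one garbage line.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create",
     "user": {"username": "system:serviceaccount:default:default"},
     "objectRef": {"resource": "pods", "subresource": "exec",
                   "namespace": "default", "name": "web-0"},
     "requestURI": "/api/v1/namespaces/default/pods/web-0/exec"
                   "?command=%2Fbin%2Fbash&stdin=true&tty=true"},
    {"verb": "create",
     "user": {"username": "alice@example.invalid"},
     "objectRef": {"resource": "pods", "subresource": "exec",
                   "namespace": "default", "name": "web-0"},
     "requestURI": "/api/v1/namespaces/default/pods/web-0/exec"
                   "?command=cat&command=%2Fetc%2Fhostname&stdout=true"},
    {"verb": "create",
     "user": {"username": "system:serviceaccount:payments:deployer"},
     "objectRef": {"resource": "pods", "subresource": "exec",
                   "namespace": "payments", "name": "api-7c9"},
     "requestURI": "/api/v1/namespaces/payments/pods/api-7c9/exec"
                   "?command=trufflehog&command=filesystem"
                   "&command=%2Fvar%2Frun%2Fsecrets&stdout=true"},
    {"verb": "list",
     "user": {"username": "alice@example.invalid"},
     "objectRef": {"resource": "pods", "namespace": "default"},
     "requestURI": "/api/v1/namespaces/default/pods"},
]) + "\nthis line is not json\n"


if __name__ == "__main__":
    for hit in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{hit['user']} ran {hit['binary']} in "
              f"{hit['namespace']}/{hit['pod']}: {hit['argv']}")
```

Matching on the basename of argv[0] catches the shells and tools the description names while leaving ordinary exec usage (the cat call above) alone; in practice this kind of check is tuned by allow-listing the service accounts and namespaces that are expected to exec into pods.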

Rule History

Author: uniqueuser
Title: Merge PR #5916 from @uniqu3-us3r - Add `Kubernetes Potential Enumeration Activity`
Date: 2026-04-27
Commit: