Triggers
- A credential was observed performing a set of API requests that retrieve a broad range of container configuration details. That information can further an attack by leaking credentials or other data about the environment.
Possible Root Causes
- An attacker may be actively looking for privilege escalation opportunities.
- A security or IT service may intentionally be enumerating these APIs for monitoring or configuration management reasons.
Business Impact
- Stolen credentials allow an adversary to leverage authorized services and APIs to extend their attack, which is difficult for traditional security solutions to detect because the activity looks like legitimate use.
- Abused credentials are typically associated with impactful attacks; left unmitigated, they increase the likelihood that an adversary inflicts a loss of data or service availability.
Steps to Verify
- Investigate the account context that performed the action (source address, session, and the other API calls made around the same time) for other signs of malicious activity.
- Validate that the enumeration, and any modifications that followed it, are authorized given the purpose of and policies governing this resource.
- If review indicates possible malicious actions or a high-risk configuration, revert the configuration and disable the credentials associated with this alert, then perform a comprehensive investigation.
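The trigger above (one credential calling many container-configuration read APIs in a short span) and the first verification step (look at what else that principal did) can both be worked through on raw audit events. The script below is an added example, not part of this alert page or of any vendor's detection logic. It assumes CloudTrail-style JSON events with AWS ECS/EKS API names, a constructed sample of events, a hypothetical allow-listed scanner role (`ConfigScanner`), and a chosen window and threshold; all of these are assumptions to adapt to your environment.

```python
"""Triage helper for a container-configuration enumeration alert.

Added example, not part of the original alert page. Assumes CloudTrail-style
events and AWS ECS/EKS API names; the sample events, the scanner allow-list,
the window and the threshold are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: read-only APIs that disclose container configuration (ECS/EKS names).
CONTAINER_CONFIG_APIS = {
    "DescribeClusters", "DescribeServices", "DescribeTaskDefinition",
    "ListTaskDefinitions", "DescribeTasks", "ListTasks",
    "DescribeContainerInstances", "DescribeNodegroup", "ListNodegroups",
}
# Assumption: the benign root cause, a config-management scanner expected to enumerate.
KNOWN_SCANNERS = {"arn:aws:iam::123456789012:role/ConfigScanner"}
WINDOW = timedelta(minutes=10)        # assumed sliding window
DISTINCT_API_THRESHOLD = 5            # assumed "broad range" of config APIs

ATTACKER = "arn:aws:iam::123456789012:user/ci-deploy"   # hypothetical principal
SCANNER = "arn:aws:iam::123456789012:role/ConfigScanner"
DEV = "arn:aws:iam::123456789012:user/alice"


def _ev(ts, arn, name, ip):
    """Build a minimal CloudTrail-shaped event (constructed sample data)."""
    return {"eventTime": ts, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"arn": arn}}


# Constructed sample: a burst from an unexpected address, a scheduled scanner,
# and a developer making a couple of routine calls.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", SCANNER, "DescribeClusters", "10.0.0.5"),
    _ev("2024-05-01T10:00:01Z", SCANNER, "DescribeServices", "10.0.0.5"),
    _ev("2024-05-01T10:00:02Z", SCANNER, "ListTaskDefinitions", "10.0.0.5"),
    _ev("2024-05-01T10:00:03Z", SCANNER, "DescribeTaskDefinition", "10.0.0.5"),
    _ev("2024-05-01T10:00:04Z", SCANNER, "ListNodegroups", "10.0.0.5"),
    _ev("2024-05-01T10:00:05Z", ATTACKER, "DescribeClusters", "203.0.113.7"),
    _ev("2024-05-01T10:00:09Z", ATTACKER, "ListTaskDefinitions", "203.0.113.7"),
    _ev("2024-05-01T10:00:14Z", ATTACKER, "DescribeTaskDefinition", "203.0.113.7"),
    _ev("2024-05-01T10:00:20Z", ATTACKER, "DescribeServices", "203.0.113.7"),
    _ev("2024-05-01T10:00:31Z", ATTACKER, "ListTasks", "203.0.113.7"),
    _ev("2024-05-01T10:00:40Z", ATTACKER, "DescribeTasks", "203.0.113.7"),
    _ev("2024-05-01T10:01:02Z", ATTACKER, "GetSecretValue", "203.0.113.7"),
    _ev("2024-05-01T10:03:15Z", ATTACKER, "UpdateService", "203.0.113.7"),
    _ev("2024-05-01T10:05:00Z", DEV, "DescribeServices", "10.0.1.9"),
    _ev("2024-05-01T10:05:30Z", DEV, "DescribeTaskDefinition", "10.0.1.9"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def enumeration_bursts(events, window=WINDOW, threshold=DISTINCT_API_THRESHOLD,
                       known_scanners=KNOWN_SCANNERS):
    """Map principal ARN -> sorted list of distinct container-config APIs for
    every principal that called at least `threshold` distinct such APIs inside
    one `window`, skipping allow-listed scanners."""
    by_principal = defaultdict(list)
    for e in events:
        if e["eventName"] in CONTAINER_CONFIG_APIS:
            by_principal[e["userIdentity"]["arn"]].append(
                (_parse(e["eventTime"]), e["eventName"]))
    hits = {}
    for arn, calls in by_principal.items():
        if arn in known_scanners:
            continue
        calls.sort()
        for i, (t0, _) in enumerate(calls):          # slide the window start
            apis = {name for t, name in calls[i:] if t - t0 <= window}
            if len(apis) >= threshold:
                hits[arn] = sorted(apis)
                break
    return hits


def account_context(events, arn):
    """Everything the principal did that is NOT config enumeration, in order:
    (time, api, source ip). Secret reads or writes here raise the severity."""
    return [(e["eventTime"], e["eventName"], e["sourceIPAddress"])
            for e in events
            if e["userIdentity"]["arn"] == arn
            and e["eventName"] not in CONTAINER_CONFIG_APIS]


if __name__ == "__main__":
    for arn, apis in enumeration_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {arn}: {len(apis)} distinct config APIs: {apis}")
        for row in account_context(SAMPLE_EVENTS, arn):
            print("  context:", *row)
```

Running it flags only the `ci-deploy` principal; the scanner role is suppressed by the allow-list, and the developer's two calls stay under the threshold. The context list for the flagged principal shows a secret read followed by a service update from the same external address, which is exactly the "other signs of malicious activity" the verification step asks for and the kind of modification that should be reverted if it turns out to be unauthorized.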