Application credentials in configuration files
Info
ID: MS-TA9027
Tactic: Credential Access, Lateral Movement
MITRE technique: T1552
Developers store secrets in Kubernetes configuration files, for example as environment variables in the pod configuration. Such behavior is commonly seen in clusters that are monitored by Microsoft Defender for Cloud. Attackers who have access to those configurations, by querying the API server or by accessing those files on the developer’s endpoint, can steal the stored secrets and use them.
Using those credentials, attackers may gain access to additional resources inside and outside the cluster.
Mitigations
ID | Mitigation | Description |
---|---|---|
MS-M9026 | Avoid using plain text credentials | Avoid using plain text credentials in Kubernetes configuration |
MS-M9022 | Use Managed Secret Store | Store secrets securely in managed secret stores |
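
The following audit is an added example, not part of the original page or of any Microsoft tooling. It checks for the condition MS-M9026 targets by scanning `kubectl get ... -o json` output for environment variables that carry a literal credential-like value, while leaving `valueFrom` references alone. The name and value patterns, the function names and the sample manifest are assumptions constructed for illustration.

```python
import json
import re

# Heuristic patterns (assumed for this example): credential-like names; URLs with user:password or PEM keys.
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|ACCESS_?KEY|CONN(ECTION)?_?STR", re.I)
SECRET_VALUE = re.compile(r"://[^/\s:@]+:[^/\s@]+@|-----BEGIN [A-Z ]*PRIVATE KEY-----")

def pod_specs(obj):
    """Yield (kind/namespace/name, podSpec) for Pods, workload templates and Lists."""
    if obj.get("kind", "").endswith("List"):
        for item in obj.get("items", []):
            yield from pod_specs(item)
        return
    meta = obj.get("metadata", {})
    ident = f'{obj.get("kind")}/{meta.get("namespace", "default")}/{meta.get("name")}'
    spec = obj.get("spec", {})
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    if "template" in spec:  # Deployment, StatefulSet, DaemonSet, Job
        spec = spec["template"].get("spec", {})
    yield ident, spec

def find_plaintext_credentials(manifest_json):
    """Return (workload, container, env name) for env vars holding a literal credential."""
    findings = []
    for ident, spec in pod_specs(json.loads(manifest_json)):
        for group in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(group) or []:
                for env in c.get("env") or []:
                    value = env.get("value")  # absent when valueFrom (e.g. secretKeyRef) is used
                    if value and (SECRET_NAME.search(env["name"]) or SECRET_VALUE.search(value)):
                        # Report the location only; never echo the secret itself.
                        findings.append((ident, c["name"], env["name"]))
    return findings

# Constructed sample, shaped like `kubectl get deploy,pod -o json` output.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Deployment", "metadata": {"name": "api", "namespace": "shop"},
     "spec": {"template": {"spec": {"containers": [{"name": "web", "env": [
         {"name": "DB_PASSWORD", "value": "example-not-a-real-password"},
         {"name": "CACHE_URL", "value": "redis://app:example@cache:6379"},
         {"name": "LOG_LEVEL", "value": "info"}]}]}}}},
    {"kind": "Pod", "metadata": {"name": "worker", "namespace": "shop"},
     "spec": {"containers": [{"name": "job", "env": [
         {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}]}]}}]})

if __name__ == "__main__":
    for finding in find_plaintext_credentials(SAMPLE):
        print("plaintext credential in env:", *finding)
```

On the sample, the Deployment's `DB_PASSWORD` and `CACHE_URL` are reported, while the Pod that reads `DB_PASSWORD` through `secretKeyRef` is not.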