Retrieval of kubelet credentials

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2026-02-02
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent
Detection Modules
Detector Tags	Kubernetes - AGENT
ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Unsecured Credentials: Credentials In Files (T1552.001)
Severity	Informational

Description

A process retrieved kubelet credentials.

Attacker's Goals

Impersonate the node agent to gain control over the cluster.

Investigative actions

Look for additional suspicious activities.
Verify if the exposed credentials were used to access the API server.
Investigate which operations were used against the Kubernetes cluster with the exposed credentials.

Variations

Retrieval of kubelet credentials by an unusual process

Synopsis

ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Unsecured Credentials: Credentials In Files (T1552.001)
Severity	Low

Description

A process retrieved kubelet credentials.

Attacker's Goals

Impersonate the node agent to gain control over the cluster.

Investigative actions

Look for additional suspicious activities.
Verify if the exposed credentials were used to access the API server.
Investigate which operations were used against the Kubernetes cluster with the exposed credentials.