From 83406d8ce10ce477de61e381a9bbe727efe76fd7 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 4 May 2026 22:18:23 +0100
Subject: [PATCH] [New/Tuning] Direct Kubelet API Access rules (#5996)

* [New/Tuning] Direct Kubelet API Access rules

- tuned existing rule for D4C to bump-up severity to high (low FP and very susp behavior) + added 10255 port and wss url.
- duplicated same rule logic for auditd/endpoint compatibility for both 10250 port in args and kubeletctl exec.
- added a new one using network event vs process argument for more resilience.

* ++

* Update discovery_potential_direct_kubelet_access_via_process_args.toml

* Update and rename discovery_potential_direct_kubelet_access_via_process_args.toml to lateral_movement_direct_kubelet_access_via_process_args.toml

* Update rules/linux/lateral_movement_direct_kubelet_access_via_process_args.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/discovery_potential_kubeletctl_execution.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update discovery_potential_kubeletctl_execution.toml

* Update lateral_movement_kubelet_api_connection_attempt_internal_ip.toml

* Apply suggestion from @Aegrah

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Apply suggestion from @Aegrah

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---
 .../execution_kubeletctl_execution.toml       |   6 +-
 ...irect_kubelet_access_via_process_args.toml |   8 +-
 ...covery_potential_kubeletctl_execution.toml | 120 +++++++++++++++
 ...irect_kubelet_access_via_process_args.toml | 136 ++++++++++++++++
 ...et_api_connection_attempt_internal_ip.toml | 145 ++++++++++++++++++
 5 files changed, 408 insertions(+), 7 deletions(-)
 create mode 100644 rules/linux/discovery_potential_kubeletctl_execution.toml
 create mode 100644 rules/linux/lateral_movement_direct_kubelet_access_via_process_args.toml
 create mode 100644 rules/linux/lateral_movement_kubelet_api_connection_attempt_internal_ip.toml

diff --git a/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml b/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml
index 1b2800b05..3acc6d95e 100644
--- a/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml
+++ b/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/24"
+updated_date = "2026/04/28"
 
 [rule]
 author = ["Elastic"]
@@ -62,9 +62,9 @@ references = [
     "https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster",
     "https://github.com/cyberark/kubeletctl",
 ]
-risk_score = 21
+risk_score = 73
 rule_id = "2572f7e0-7647-4c68-a42b-d3b1973deaae"
-severity = "low"
+severity = "high"
 tags = [
     "Data Source: Elastic Defend for Containers",
     "Domain: Container",
diff --git a/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml b/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml
index 579b60c02..188bd0805 100644
--- a/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml
+++ b/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/24"
+updated_date = "2026/04/28"
 
 [rule]
 author = ["Elastic"]
@@ -56,9 +56,9 @@ references = [
     "https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster",
     "https://www.aquasec.com/blog/kubernetes-exposed-exploiting-the-kubelet-api/"
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "b4bd186b-69c6-45ad-8bef-5c35bbadeaef"
-severity = "medium"
+severity = "high"
 tags = [
     "Data Source: Elastic Defend for Containers",
     "Domain: Container",
@@ -72,7 +72,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
-process.args like "http*:10250*" and process.interactive == true and container.id like "?*"
+process.args like ("http*:10250*", "http*:10255*", "wss:*:10250*", "wss:*:10255*") and container.id like "?*"
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/discovery_potential_kubeletctl_execution.toml b/rules/linux/discovery_potential_kubeletctl_execution.toml
new file mode 100644
index 000000000..de8966f36
--- /dev/null
+++ b/rules/linux/discovery_potential_kubeletctl_execution.toml
@@ -0,0 +1,120 @@
+[metadata]
+creation_date = "2026/04/28"
+integration = ["endpoint", "auditd_manager"]
+maturity = "production"
+updated_date = "2026/04/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the execution of kubeletctl on Linux hosts. Kubeletctl is a command-line tool that can be used to interact with
+the Kubelet API directly, simplifying access to Kubelet endpoints that can be used for discovery and, in some cases,
+lateral movement within Kubernetes environments.
+"""
+false_positives = [
+    """
+    Administrators or developers may execute kubeletctl during legitimate troubleshooting or incident response to validate
+    Kubelet API connectivity or enumerate pods. Confirm the user/session and change window before escalating.
+    """,
+]
+from = "now-9m"
+index = ["auditbeat-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Kubeletctl Execution"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Kubeletctl Execution
+
+This alert flags kubeletctl execution on a Linux host. Kubeletctl provides direct access to the node’s Kubelet API and can
+be used to enumerate pods and nodes and attempt actions such as exec/attach/portForward. A common attacker pattern is
+running `kubeletctl scan` to find reachable Kubelet endpoints, then using `pods` or `exec/attach` for follow-on access.
+
+### Possible investigation steps
+
+- Review the full command line to identify the intended operation (scan/pods/exec/attach/portForward) and the target
+  Kubelet endpoint (node IP/hostname and port via `-s`/`--server`).
+- Correlate with host and container telemetry for connections to Kubelet ports (commonly 10250/10255) and look for
+  scanning patterns across multiple nodes.
+- Check whether Kubernetes credentials were accessed or used (service account tokens, kubeconfigs, client certs) and
+  correlate with Kubernetes audit logs for follow-on actions.
+
+### False positive analysis
+
+- Approved operational debugging or incident response activity that uses kubeletctl for diagnostics.
+
+### Response and remediation
+
+- Restrict access to Kubelet ports at the network layer and harden Kubelet authentication/authorization.
+- Rotate/revoke any exposed Kubernetes credentials and investigate for follow-on discovery or execution attempts.
+"""
+references = [
+    "https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster",
+    "https://github.com/cyberark/kubeletctl",
+]
+risk_score = 47
+rule_id = "f7a131f8-44b7-4957-99a4-e6c54d93d816"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "Domain: Container",
+    "Domain: Kubernetes",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Tactic: Discovery",
+    "Data Source: Elastic Defend",
+    "Data Source: Auditd Manager",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "executed") and 
+(
+  process.name == "kubeletctl" or
+  (process.args in ("run", "exec", "scan", "pods", "runningpods", "attach", "portForward", "cri", "pid2pod") and process.args:("*:10250*", "*:10255*"))
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
+
diff --git a/rules/linux/lateral_movement_direct_kubelet_access_via_process_args.toml b/rules/linux/lateral_movement_direct_kubelet_access_via_process_args.toml
new file mode 100644
index 000000000..44767e447
--- /dev/null
+++ b/rules/linux/lateral_movement_direct_kubelet_access_via_process_args.toml
@@ -0,0 +1,136 @@
+[metadata]
+creation_date = "2026/04/28"
+integration = ["endpoint", "auditd_manager"]
+maturity = "production"
+updated_date = "2026/04/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects potential direct Kubelet API access attempts on Linux by identifying process executions whose arguments contain
+URLs targeting Kubelet ports (10250/10255). Adversaries may probe or access Kubelet endpoints to enumerate pods, fetch
+logs, or attempt remote execution, which can enable discovery and lateral movement in Kubernetes environments.
+"""
+false_positives = [
+    """
+    Cluster operators and node diagnostics may legitimately probe Kubelet endpoints (for example /pods or /metrics) during
+    troubleshooting. Validate the initiating user, session, and whether the target node/IP is expected for the host.
+    """,
+]
+from = "now-9m"
+index = ["auditbeat-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Direct Kubelet Access via Process Arguments"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Direct Kubelet Access via Process Arguments
+
+This detection flags a process on a Linux host whose arguments include a URL targeting the Kubelet API ports 10250/10255.
+Attackers often use `curl`, `wget`, or scripting runtimes to access endpoints such as `/pods`, `/runningpods`,
+`/metrics`, `/exec`, or `/containerLogs`. Successful access can provide node and workload visibility, and in some cases
+enable actions that facilitate lateral movement within the cluster.
+
+### Possible investigation steps
+
+- Extract and reconstruct the full URL from `process.args` / `process.command_line`, including the hostname/IP, port, and
+  path, and determine whether the request intent was discovery or execution.
+- Identify the user and session that launched the process and whether it originated from an interactive shell, scheduled
+  task, or automation.
+- Correlate the timestamp with Kubernetes audit logs and node/Kubelet logs to confirm whether the request was
+  authenticated and whether it returned success.
+- If the destination is a node IP, check whether this host should be allowed to reach node Kubelet ports and whether
+  other nodes were contacted in a scanning pattern.
+
+### False positive analysis
+
+- SRE/operator troubleshooting sessions validating Kubelet reachability or TLS/auth behavior.
+- Approved health checks, debugging scripts, or node agents that query Kubelet endpoints.
+
+### Response and remediation
+
+- Restrict access to Kubelet ports 10250/10255 at the network layer; block pod-to-node or host-to-node traffic except for
+  approved agents.
+- Rotate any potentially exposed credentials (service account tokens, client certs, kubeconfigs) and assess for follow-on
+  activity such as `exec/attach` and secret reads.
+- Harden Kubelet configuration (disable anonymous auth, enforce webhook authn/authz) and review RBAC/admission controls.
+"""
+references = [
+    "https://heilancoos.github.io/research/2025/12/16/kubernetes.html#kubelet-api",
+    "https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster",
+    "https://www.aquasec.com/blog/kubernetes-exposed-exploiting-the-kubelet-api/",
+]
+risk_score = 73
+rule_id = "6aa52f86-18f1-4a5a-a0ac-e2b5db8af589"
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "Domain: Container",
+    "Domain: Kubernetes",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Discovery",
+    "Tactic: Lateral Movement",
+    "Data Source: Elastic Defend",
+    "Data Source: Auditd Manager",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "executed") and
+(
+  /* direct utility execution */
+  process.name like ("curl", "wget", "python*", "perl*", "php*", "node*", "java", "ruby*", "lua*", ".*") or
+  
+  process.executable like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/home/*", "/run/user/*", "/busybox/*")
+) and
+process.args like ("http*:10250/*", "http*:10255/*", "wss:*:10250/*", "wss:*:10255/*")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/lateral_movement_kubelet_api_connection_attempt_internal_ip.toml b/rules/linux/lateral_movement_kubelet_api_connection_attempt_internal_ip.toml
new file mode 100644
index 000000000..f0589ab32
--- /dev/null
+++ b/rules/linux/lateral_movement_kubelet_api_connection_attempt_internal_ip.toml
@@ -0,0 +1,145 @@
+[metadata]
+creation_date = "2026/04/28"
+integration = ["endpoint", "auditd_manager"]
+maturity = "production"
+updated_date = "2026/04/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects network connection attempts to the Kubernetes Kubelet API port (10250/10255) on internal IP ranges from Linux hosts.
+This rule focuses on common request and scripting utilities (curl, wget, python, node, etc.) and executions from
+world-writable or ephemeral paths (/tmp, /var/tmp, /dev/shm, /var/run), which are frequently abused during container and
+cluster lateral movement.
+"""
+false_positives = [
+    """
+    Legitimate node health checks, diagnostics, or in-cluster agents may access the Kubelet API on port 10250. Validate
+    the calling process, command line, and whether the destination is the local node or another node.
+    """,
+]
+from = "now-9m"
+index = ["auditbeat-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.network*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Kubelet API Connection Attempt to Internal IP"
+note = """## Triage and analysis
+
+### Investigating Kubelet API Connection Attempt to Internal IP
+
+This alert indicates a process on a Linux host attempted to connect to port 10250 (Kubelet API) on an internal or
+loopback IP address, including IPv4 private ranges and IPv6 localhost. Kubelet access is commonly abused to enumerate
+pods, retrieve logs, or execute commands on nodes when authentication or network controls are weak.
+
+### Possible investigation steps
+
+- Review the initiating process (`process.*`) and its executable path; prioritize processes running from `/tmp`,
+  `/var/tmp`, `/dev/shm`, or `/var/run`, and suspicious interpreters or downloaders.
+- Determine whether the destination IP is the local node, another node, or a management host, and whether connectivity to
+  10250 is expected for this workload/user.
+- Correlate with process argument telemetry for HTTP URLs, kubelet endpoints (e.g., `/pods`, `/runningpods`, `/exec`), and
+  subsequent Kubernetes API audit activity or credential access.
+
+### False positive analysis
+
+- Approved troubleshooting (SRE/cluster operator) sessions that validate Kubelet reachability on the node.
+- In-cluster agents that legitimately scrape or query the Kubelet (confirm vendor, image, and deployment).
+
+### Response and remediation
+
+- Restrict pod-to-node access to 10250 using network policies/security groups where possible.
+- Rotate and revoke any exposed Kubernetes credentials and investigate for follow-on cluster discovery or execution.
+"""
+references = [
+    "https://attack.mitre.org/techniques/T1021/",
+    "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
+]
+risk_score = 47
+rule_id = "9f420cca-cb27-44db-a13d-c43c7b48e04a"
+setup = """## Setup
+
+### Auditd Manager: emitting network connection telemetry
+
+This rule is written against `event.category:network` events. Elastic Defend provides this natively. For Auditd Manager,
+you typically need to audit network-related syscalls (for example `connect`) and rely on the integration/pipeline to map
+those syscall events into ECS-like network events.
+
+If you are not seeing `event.category:network` for Auditd Manager data, add syscall audit rules for network connections.
+The example below is a starting point and may need to be adjusted for your environment and noise tolerance:
+
+```
+# 64-bit
+-a always,exit -F arch=b64 -S connect -S accept -S accept4 -S sendto -S recvfrom -k netconn
+
+# 32-bit (if applicable)
+-a always,exit -F arch=b32 -S connect -S accept -S accept4 -S sendto -S recvfrom -k netconn
+```
+
+After enabling, validate that events include `destination.ip`, `destination.port`, and a populated `process.*` context.
+"""
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "Domain: Container",
+    "Domain: Kubernetes",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Lateral Movement",
+    "Tactic: Discovery",
+    "Data Source: Elastic Defend",
+    "Data Source: Auditd Manager",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+network where host.os.type == "linux" and event.type == "start" and event.category == "network" and network.direction == "egress" and 
+  event.action in ("connected-to", "connection_attempted") and (destination.port == 10250 or destination.port == 10255) and
+  cidrmatch(
+    destination.ip,
+    "127.0.0.0/8",
+    "10.0.0.0/8",
+    "172.16.0.0/12",
+    "192.168.0.0/16",
+    "169.254.0.0/16",
+    "100.64.0.0/10",
+    "::1/128",
+    "fc00::/7",
+    "fe80::/10"
+  ) and
+  (
+    process.name in ("curl", "wget", "nc", "ncat", "netcat", "socat", "openssl", "perl", "busybox") or 
+    process.name like ".*" or process.executable like "/*/.*" or 
+    process.name like ("python*", "ruby*", "node*", "java*", "lua*", "apache*", "php*", "nginx", "httpd*", "lighttpd", "caddy", "mongrel_rails", "gunicorn", 
+                       "uwsgi", "openresty", "cherokee", "h2o", "resin", "puma", "unicorn", "traefik", "tornado", "hypercorn", 
+                       "daphne", "twistd", "yaws", "webfsd", "flask", "rails", "mongrel", "catalina.sh", "hiawatha", "lswsctrl") or
+    process.executable like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/home/*", "/run/user/*", "/busybox/*")
+  )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"