sigma-rules/rules/linux/discovery_potential_kubeletctl_execution.toml
Samirbous 83406d8ce1 [New/Tuning] Direct Kubelet API Access rules (#5996)
* [New/Tuning] Direct Kubelet API Access rules

- tuned existing rule for D4C to bump up severity to high (low FP and very susp behavior) + added 10255 port and wss url.
- duplicated same rule logic for auditd/endpoint compatibility for both 10250 port in args and kubeletctl exec.
- added a new one using network event vs process argument for more resilience.

* ++

* Update discovery_potential_direct_kubelet_access_via_process_args.toml

* Update and rename discovery_potential_direct_kubelet_access_via_process_args.toml to lateral_movement_direct_kubelet_access_via_process_args.toml

* Update rules/linux/lateral_movement_direct_kubelet_access_via_process_args.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/discovery_potential_kubeletctl_execution.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update discovery_potential_kubeletctl_execution.toml

* Update lateral_movement_kubelet_api_connection_attempt_internal_ip.toml

* Apply suggestion from @Aegrah

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Apply suggestion from @Aegrah

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2026-05-04 22:18:23 +01:00

121 lines
4.3 KiB
TOML

[metadata]
creation_date = "2026/04/28"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2026/04/28"
[rule]
author = ["Elastic"]
description = """
Detects the execution of kubeletctl on Linux hosts. Kubeletctl is a command-line tool that can be used to interact with
the Kubelet API directly, simplifying access to Kubelet endpoints that can be used for discovery and, in some cases,
lateral movement within Kubernetes environments.
"""
false_positives = [
"""
Administrators or developers may execute kubeletctl during legitimate troubleshooting or incident response to validate
Kubelet API connectivity or enumerate pods. Confirm the user/session and change window before escalating.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Kubeletctl Execution"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Potential Kubeletctl Execution
This alert flags kubeletctl execution on a Linux host. Kubeletctl provides direct access to the node's Kubelet API and can
be used to enumerate pods and nodes and attempt actions such as exec/attach/portForward. A common attacker pattern is
running `kubeletctl scan` to find reachable Kubelet endpoints, then using `pods` or `exec/attach` for follow-on access.
### Possible investigation steps
- Review the full command line to identify the intended operation (scan/pods/exec/attach/portForward) and the target
Kubelet endpoint (node IP/hostname and port via `-s`/`--server`).
- Correlate with host and container telemetry for connections to Kubelet ports (commonly 10250/10255) and look for
scanning patterns across multiple nodes.
- Check whether Kubernetes credentials were accessed or used (service account tokens, kubeconfigs, client certs) and
correlate with Kubernetes audit logs for follow-on actions.
### False positive analysis
- Approved operational debugging or incident response activity that uses kubeletctl for diagnostics.
### Response and remediation
- Restrict access to Kubelet ports at the network layer and harden Kubelet authentication/authorization.
- Rotate/revoke any exposed Kubernetes credentials and investigate for follow-on discovery or execution attempts.
"""
references = [
"https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster",
"https://github.com/cyberark/kubeletctl",
]
risk_score = 47
rule_id = "f7a131f8-44b7-4957-99a4-e6c54d93d816"
severity = "medium"
tags = [
"Domain: Endpoint",
"Domain: Container",
"Domain: Kubernetes",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "executed") and
(
process.name == "kubeletctl" or
(process.args in ("run", "exec", "scan", "pods", "runningpods", "attach", "portForward", "cri", "pid2pod") and process.args:("*:10250*", "*:10255*"))
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
reference = "https://attack.mitre.org/techniques/T1613/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
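Added example, not part of the rule repository: a Python re-implementation of the query's predicate (both the `process.name` branch and the verb-plus-port branch) run over constructed process events, plus a helper that pulls the verb and `-s`/`--server` target the investigation guide asks to review first. Field names follow the ECS names used in the query; the sample events are constructed, not real telemetry.

```python
import fnmatch

# Verb list and port globs copied from the rule's EQL query.
KUBELETCTL_VERBS = {"run", "exec", "scan", "pods", "runningpods",
                    "attach", "portForward", "cri", "pid2pod"}
KUBELET_PORT_GLOBS = ("*:10250*", "*:10255*")


def matches_rule(event):
    """Re-implementation of the rule's predicate over a flat ECS-style dict.

    EQL `in` on an array field is true if any element equals a listed value
    (case-sensitive); `field:("*glob*")` is a case-insensitive wildcard match
    against any element. Both are emulated here with plain Python.
    """
    if event.get("host.os.type") != "linux" or event.get("event.type") != "start":
        return False
    if event.get("event.action") not in ("exec", "executed"):
        return False
    if event.get("process.name") == "kubeletctl":
        return True
    args = event.get("process.args", [])
    has_verb = any(a in KUBELETCTL_VERBS for a in args)
    has_kubelet_port = any(fnmatch.fnmatchcase(a.lower(), g)
                           for a in args for g in KUBELET_PORT_GLOBS)
    return has_verb and has_kubelet_port


def triage_fields(event):
    """Extract the kubeletctl verb and the -s/--server target for triage."""
    args = event.get("process.args", [])
    verb = next((a for a in args if a in KUBELETCTL_VERBS), None)
    server = None
    for i, a in enumerate(args):
        if a in ("-s", "--server") and i + 1 < len(args):
            server = args[i + 1]
        elif a.startswith("--server="):
            server = a.split("=", 1)[1]
    return {"verb": verb, "server": server}


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = {
    "scan": {"host.os.type": "linux", "event.type": "start", "event.action": "exec",
             "process.name": "kubeletctl", "process.args": ["kubeletctl", "scan", "--cidr", "10.0.0.0/24"]},
    "renamed": {"host.os.type": "linux", "event.type": "start", "event.action": "executed",
                "process.name": "kctl", "process.args": ["kctl", "pods", "-s", "node-1:10250"]},
    "kubectl": {"host.os.type": "linux", "event.type": "start", "event.action": "exec",
                "process.name": "kubectl", "process.args": ["kubectl", "exec", "-it", "web-0", "--", "sh"]},
}
```

The "renamed" event shows why the second branch exists: the binary name alone is not relied on, a known verb plus a Kubelet port in the arguments still fires, while a plain `kubectl exec` without a port does not.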