7c03840737
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword * [New Rules] Misc. D4C Rules related to (un)authenticated API Access * Apply suggestion from @Aegrah * [New Rule] Kubelet Certificate File Access Detected via Defend for Containers * [New Rule] Kubeletctl Execution Detected via Defend for Containers * [New Rule] Potential Kubeletctl Execution Detected via Defend for Containers * [New Rule] Kubernetes Potential Endpoint Permission Enumeration Attempt Detected * [New Rule] Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected * [New Rule] Kubernetes Anonymous User Create/Update/Patch Pods Request * [New Rule] Potential Cluster Enumeration via jq Detected via Defend for Containers * Apply suggestion from @Aegrah * Update execution_kubeletctl_execution.toml
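[metadata]
creation_date = "2026/02/02"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/02/02"

[rule]
author = ["Elastic"]
description = """
This rule detects the execution of kubeletctl inside a container. Kubeletctl is a command-line tool that can be used to
interact with the Kubelet API directly. It allows easy access to this API, making the often undocumented Kubelet API
more accessible. It is often used to enumerate the Kubelet API and the workloads reachable through it, and may indicate
an attempt to move laterally beyond the compromised container.
"""
false_positives = [
"""
There is a potential for false positives when the command line arguments looked for in this rule are used for legitimate purposes,
such as debugging or troubleshooting. In particular, the argument-based heuristic overlaps with kubectl, which accepts -s/--server as
a global flag and shares the run, exec, attach and pods subcommand names; kubectl is therefore excluded by process name, which also
means a kubeletctl binary renamed to kubectl is only caught by the name/argument match. It is important to investigate any alerts
generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.
""",
]
# Look back one minute further than the interval so events that arrive late
# (timestamp_override is event.ingested) are not missed between runs.
from = "now-6m"
index = ["logs-cloud_defend.process*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Potential Kubeletctl Execution Detected via Defend for Containers"
references = [
"https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster",
"https://github.com/cyberark/kubeletctl",
]
risk_score = 21
rule_id = "2572f7e0-7647-4c68-a42b-d3b1973deaae"
severity = "low"
tags = [
"Data Source: Elastic Defend for Containers",
"Domain: Container",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Tactic: Discovery",
]
timestamp_override = "event.ingested"
type = "eql"
# Two detection paths:
#  1. the binary is still called kubeletctl, or that string appears anywhere in the
#     argument list (e.g. an interpreter or wrapper invoking it);
#  2. a rename-resistant heuristic: kubeletctl's server flag (-s/--server) combined
#     with one of its subcommands. kubectl also takes -s/--server and shares several
#     of these subcommand names, so it is excluded by name to cut false positives.
# Both paths require an interactive session and a non-empty container.id, so
# non-interactive (scripted) invocations and host-level executions are not covered.
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
  (process.name == "kubeletctl" or process.args like "*kubeletctl*") or
  (
    process.args in ("-s", "--server") and
    process.args in ("run", "portForward", "scan", "attach", "exec", "pods", "runningpods", "cri", "pid2pod") and
    not process.name == "kubectl"
  )
) and
process.interactive == true and container.id like "?*"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
reference = "https://attack.mitre.org/techniques/T1613/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"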