Kubelet Pod Discovery Detected via Defend for Containers

 1[metadata]
 2creation_date = "2026/02/06"
 3integration = ["cloud_defend"]
 4maturity = "production"
 5min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 6min_stack_version = "9.3.0"
 7updated_date = "2026/02/06"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12This rule detects the use of built-in utilities to discover running pods on a Kubernetes cluster. The utilities used
13are du, nice, find, locate, and ls. These utilities are commonly used to discover running pods on a Kubernetes cluster.
14The "/var/lib/kubelet/pods" directory is the default location for Kubelet pod information.
15"""
16from = "now-6m"
17index = ["logs-cloud_defend.file*", "logs-cloud_defend.process*"]
18interval = "5m"
19language = "eql"
20license = "Elastic License v2"
21name = "Kubelet Pod Discovery Detected via Defend for Containers"
22note = """## Triage and analysis
23
24> **Disclaimer**:
25> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
26
27### Investigating Kubelet Pod Discovery Detected via Defend for Containers
28
29This rule detects interactive use of common Linux utilities (ls, find, du, locate, nice) repeatedly targeting the Kubelet pods directory, including direct access to `/var/lib/kubelet/pods/*`. This matters because enumerating that path reveals pod IDs, volumes, and runtime artifacts that can accelerate container and cluster discovery. A typical pattern is an attacker in a compromised container running `ls /var/lib/kubelet/pods/` followed by `find /var/lib/kubelet/pods -maxdepth 2` to map workloads and hunt for mounted secrets.
30
31### Possible investigation steps
32
33- Identify the originating workload (pod/namespace/node) and how the interactive session was obtained (e.g., kubectl exec, SSH to node, or container runtime attach) to determine whether access was expected.  
34- Review the container’s security context and mounts to confirm whether `/var/lib/kubelet` was exposed via hostPath/privileged settings and assess whether this indicates a node breakout risk.  
35- Correlate the discovery activity with nearby events for follow-on actions such as reading service account tokens, kubeconfig files, or secrets/volumes under pod directories that would indicate credential harvesting.  
36- Validate the actor by mapping the involved user/service account to recent Kubernetes API audit activity and RBAC permissions to determine whether the behavior aligns with normal administration.  
37- Check for persistence or lateral movement attempts from the same container or node (new processes, outbound connections, package/tool downloads, or cron/systemd changes) to scope impact beyond discovery.
38
39### False positive analysis
40
41- An interactive troubleshooting session by a cluster administrator inside a privileged/host-mounted container uses `ls`, `find`, or `du` against `/var/lib/kubelet/pods/*` multiple times to confirm pod volume mounts, disk usage, or pod UID-to-workload mapping during an incident or maintenance window.  
42- An engineer running an interactive shell on the node or in a hostPID/hostPath-enabled container repeatedly inspects `/var/lib/kubelet/pods/*` with built-in utilities to validate kubelet behavior (e.g., orphaned pod directories, cleanup after pod churn, or verifying that expected pods are present) as part of routine operational checks.
43
44### Response and remediation
45
46- Contain by terminating the interactive session and isolating the originating pod (scale to zero or delete) and, if the container had hostPath access to `/var/lib/kubelet` or was privileged/hostPID, cordon and drain the node to stop further inspection of `/var/lib/kubelet/pods/*`.  
47- Scope and eradicate by reviewing recent commands and file reads under `/var/lib/kubelet/pods/` for access to mounted secrets, service account tokens, kubeconfig files, or pod volume contents, and remove any dropped tools/scripts or unauthorized cron/systemd changes on the affected node.  
48- Recover by rotating potentially exposed Kubernetes credentials (service account tokens, kubeconfigs, cloud/IAM keys) used by the affected workload and redeploying the application from a known-good image after validating no unexpected containers, DaemonSets, or mounts remain.  
49- Escalate to incident response immediately if you confirm reads of token/secret material within pod directories, discovery occurs from a privileged or host-mounted container, or you observe follow-on actions such as outbound connections, new binaries, or attempts to exec into additional pods/namespaces.  
50- Harden by eliminating unnecessary hostPath mounts to `/var/lib/kubelet` (and other node paths), enforcing non-root and read-only root filesystems, disabling interactive shells in production where feasible, and applying admission controls to block privileged/hostPID containers and restrict debug tooling to approved break-glass workflows."""
51references = [
52    "https://heilancoos.github.io/research/2025/12/16/kubernetes.html#kubelet-api",
53    "https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster",
54    "https://www.aquasec.com/blog/kubernetes-exposed-exploiting-the-kubelet-api/"
55]
56risk_score = 21
57rule_id = "f596175f-b8fd-43ac-b9e9-ea2a96bb55d8"
58severity = "low"
59tags = [
60    "Data Source: Elastic Defend for Containers",
61    "Domain: Container",
62    "OS: Linux",
63    "Use Case: Threat Detection",
64    "Tactic: Discovery",
65    "Resources: Investigation Guide",
66]
67timestamp_override = "event.ingested"
68type = "eql"
69query = '''
70sequence by container.id, user.id with maxspan=5s
71  [any where host.os.type == "linux" and event.category in ("file", "process") and process.interactive == true and container.id like "*" and (
72    (event.category == "file" and event.type == "change" and event.action == "open" and file.path like "/var/lib/kubelet/pods/*") or
73    (event.category == "process" and event.type == "start" and event.action == "exec" and (
74      (process.name in ("du", "nice", "find", "locate", "ls")) or
75      (process.args in (
76        "du", "/bin/du", "/usr/bin/du", "/usr/local/bin/du",
77        "nice", "/bin/nice", "/usr/bin/nice", "/usr/local/bin/nice",
78        "find", "/bin/find", "/usr/bin/find", "/usr/local/bin/find",
79        "locate", "/bin/locate", "/usr/bin/locate", "/usr/local/bin/locate",
80        "ls", "/bin/ls", "/usr/bin/ls", "/usr/local/bin/ls"
81      ))
82    ) and process.args like "*/var/lib/kubelet/pods/*")
83  )] with runs=5
84'''
85
86[[rule.threat]]
87framework = "MITRE ATT&CK"
88
89[[rule.threat.technique]]
90id = "T1613"
91name = "Container and Resource Discovery"
92reference = "https://attack.mitre.org/techniques/T1613/"
93
94[rule.threat.tactic]
95id = "TA0007"
96name = "Discovery"
97reference = "https://attack.mitre.org/tactics/TA0007/"