Kubernetes Pod Exec with Curl or Wget to HTTPS

  1[metadata]
  2creation_date = "2026/04/23"
  3integration = ["kubernetes"]
  4maturity = "production"
  5updated_date = "2026/04/23"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects pod or attach exec API calls where the decoded request query implies **curl** or wget fetching an
 11**https** URL. Attackers with permission to exec into workloads often run one-liners to stage tooling, pull
 12scripts or binaries, or exfiltrate data over HTTPS—activity that should be rare compared to shells, debuggers, or
 13expected health checks. The rule decodes the audit requestURI, reconstructs a readable command string from
 14repeated command parameters, and applies **noise filters** for common cluster health and OIDC/JWKS endpoints so
 15benign automation is less likely to alert.
 16"""
 17from = "now-6m"
 18interval = "5m"
 19language = "esql"
 20license = "Elastic License v2"
 21name = "Kubernetes Pod Exec with Curl or Wget to HTTPS"
 22note = """## Triage and analysis
 23
 24### Investigating Kubernetes Pod Exec with Curl or Wget to HTTPS
 25
 26Kubernetes audit logs record exec (and similar attach) calls on requestURI, including URL-encoded
 27command segments. This rule URL-decodes the URI, extracts the query portion into a single string, and 
 28flags curl or wget combined with https, excluding several ommon health, localhost, and OIDC/JWKS patterns.
 29
 30### Possible investigation steps
 31
 32- Confirm who may exec into the target namespace: review kubernetes.audit.user.username, groups, impersonation, and
 33  source.ip / user_agent.original (kubectl, CI, webhooks).
 34- Map the pod (kubernetes.audit.objectRef.name) and workload owner; retrieve the exact decoded URI from
 35  Esql.decoded_uri and the reconstructed Esql.command in the alert.
 36- Search for adjacent audit events from the same identity: secret reads, additional execs, RBAC changes, or anonymous
 37  access.
 38- If malicious, revoke credentials used for exec, review RoleBindings for **`pods/exec`**, and inspect the pod
 39  filesystem or snapshot for dropped artifacts.
 40
 41### False positive analysis
 42
 43- Approved runbooks or support sessions may use kubectl exec with curl/wget to test egress or download vendor tools;
 44  document break-glass identities and tune exclusions.
 45- Some cluster components use HTTPS to **kubernetes.default.svc** or **.well-known** endpoints; the rule attempts to
 46  filter those—expand the exclusion list if your platform uses additional first-party URLs.
 47
 48### Response and remediation
 49
 50- Rotate any secrets accessible from the pod, cordon or delete the workload if compromised, and tighten RBAC so only
 51  required principals retain **`pods/exec`** on sensitive namespaces.
 52"""
 53references = [
 54    "https://attack.mitre.org/techniques/T1609/",
 55    "https://attack.mitre.org/techniques/T1105/",
 56]
 57risk_score = 73
 58rule_id = "c9d4e8f1-2a3b-4c5d-8e9f-0a1b2c3d4e5f"
 59severity = "high"
 60tags = [
 61    "Data Source: Kubernetes",
 62    "Domain: Kubernetes",
 63    "Use Case: Threat Detection",
 64    "Tactic: Execution",
 65    "Tactic: Command and Control",
 66    "Resources: Investigation Guide",
 67]
 68timestamp_override = "event.ingested"
 69type = "esql"
 70query = '''
 71FROM logs-kubernetes.audit_logs-* metadata _id, _index, _version
 72| WHERE kubernetes.audit.objectRef.subresource == "exec"
 73  AND kubernetes.audit.requestURI LIKE "*command=*"
 74| EVAL decoded_uri = URL_DECODE(kubernetes.audit.requestURI)
 75| GROK decoded_uri "%{DATA}/exec\\?%{DATA:raw_commands}&(?:container|stdin|stdout|stderr)=%{GREEDYDATA}"
 76| EVAL command = REPLACE(raw_commands, "command=", "")
 77| EVAL command = REPLACE(command, "&", " ")
 78| EVAL Esql.executed_command = REPLACE(command, "\\+", " ")
 79| WHERE Esql.executed_command IS NOT NULL 
 80  AND Esql.executed_command RLIKE """.*(curl.*https|wget.*https).*"""
 81  AND NOT Esql.executed_command RLIKE """.*(/api/v1/health|/healthz|/readyz|/livez|127\.0\.0\.1|localhost|/openid/v1/jwks|/openid-connect/certs|/.well-known/openid-configuration|/.well-known/jwks\.json|kubernetes\.default\.svc).*"""
 82| KEEP *
 83'''
 84
 85[[rule.threat]]
 86framework = "MITRE ATT&CK"
 87
 88[[rule.threat.technique]]
 89id = "T1609"
 90name = "Container Administration Command"
 91reference = "https://attack.mitre.org/techniques/T1609/"
 92
 93[rule.threat.tactic]
 94id = "TA0002"
 95name = "Execution"
 96reference = "https://attack.mitre.org/tactics/TA0002/"
 97
 98[[rule.threat]]
 99framework = "MITRE ATT&CK"
100
101[[rule.threat.technique]]
102id = "T1105"
103name = "Ingress Tool Transfer"
104reference = "https://attack.mitre.org/techniques/T1105/"
105
106[rule.threat.tactic]
107id = "TA0011"
108name = "Command and Control"
109reference = "https://attack.mitre.org/tactics/TA0011/"