Kubeconfig File Discovery

The kubeconfig file is a critical component in Kubernetes environments, containing configuration details for accessing and managing Kubernetes clusters. Attackers may attempt to get access to, create, or modify kubeconfig files to gain unauthorized initial access to Kubernetes clusters or move laterally within the cluster. This rule detects process discovery executions that involve kubeconfig files, particularly those executed from common shell environments or world-writeable directories.

Elastic rule

[metadata]
creation_date = "2025/06/17"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/07/07"

[rule]
author = ["Elastic"]
description = """
The kubeconfig file is a critical component in Kubernetes environments, containing configuration
details for accessing and managing Kubernetes clusters. Attackers may attempt to get access to,
create, or modify kubeconfig files to gain unauthorized initial access to Kubernetes clusters or
move laterally within the cluster. This rule detects process discovery executions that involve
kubeconfig files, particularly those executed from common shell environments or world-writeable
directories.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.process*",
]
language = "eql"
license = "Elastic License v2"
name = "Kubeconfig File Discovery"
note = """ ## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Kubeconfig File Discovery

Kubeconfig files are essential in Kubernetes, storing credentials and configurations for cluster access. Adversaries may target these files to gain unauthorized access or move laterally within clusters. The detection rule identifies suspicious processes interacting with kubeconfig files, especially from common shell environments or risky directories, flagging potential misuse by excluding benign commands like 'stat' or 'md5sum'.

### Possible investigation steps

- Review the process details to identify the parent process name and executable path, focusing on those originating from common shell environments or risky directories like /tmp, /var/tmp, or /dev/shm.
- Examine the process arguments to determine if they include references to sensitive kubeconfig files such as admin.conf, kubelet.conf, or any files within /etc/kubernetes or ~/.kube directories.
- Check the working directory of the process to see if it aligns with known Kubernetes configuration paths like /etc/kubernetes or ~/.kube, which may indicate an attempt to access or modify kubeconfig files.
- Investigate the user account associated with the process to assess whether it has legitimate access to Kubernetes configurations or if it might be compromised.
- Correlate the event with other recent activities from the same user or IP address to identify any patterns of suspicious behavior or potential lateral movement within the cluster.
- Review any related alerts or logs for the same host or container to gather additional context on the system's state and any other potential indicators of compromise.

### False positive analysis

- Processes like 'stat' and 'md5sum' are excluded from detection as they are commonly used for legitimate file checks. Ensure these exclusions are correctly configured to prevent unnecessary alerts.
- Scripts located in user directories such as '/home/*/.kube' may trigger alerts if they interact with kubeconfig files. Consider adding exceptions for known scripts or users that regularly access these files for legitimate purposes.
- Processes originating from world-writeable directories like '/tmp' or '/var/tmp' can be flagged. Review these alerts to identify routine operations and whitelist specific processes or directories that are part of regular maintenance tasks.
- Alerts triggered by processes with names matching patterns like '*.sh' may include legitimate scripts. Evaluate these scripts and exclude them if they are part of standard operations or administrative tasks.
- Regular administrative tasks involving kubeconfig files in directories like '/etc/kubernetes' may be flagged. Implement exceptions for known administrative processes to reduce false positives while maintaining security oversight.

### Response and remediation

- Immediately isolate the affected system to prevent further unauthorized access to the Kubernetes cluster.
- Revoke any compromised credentials associated with the kubeconfig files and issue new credentials to authorized users.
- Conduct a thorough review of recent access logs and audit trails for the Kubernetes cluster to identify any unauthorized access or lateral movement attempts.
- Restore any modified or deleted kubeconfig files from a secure backup to ensure the integrity of the cluster configuration.
- Implement stricter access controls and permissions for directories containing kubeconfig files, ensuring only authorized personnel have access.
- Escalate the incident to the security operations team for further investigation and to determine if additional clusters or systems are affected.
- Enhance monitoring and alerting for suspicious activities related to kubeconfig files, leveraging the MITRE ATT&CK framework to identify potential discovery tactics.
"""
references = [
    "https://kubernetes-threat-matrix.redguard.ch/initial-access/kubeconfig-file/",
    "https://kubenomicon.com/Initial_access/Kubeconfig_file.html",
    ]
risk_score = 21
rule_id = "9a6f5d74-c7e7-4a8b-945e-462c102daee4"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "Domain: Container",
    "Domain: Kubernetes",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
  process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") or
  (
    process.parent.executable like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", "/home/*") or
    process.parent.name like (".*", "*.sh")
  )
) and
(
  (
    process.working_directory like ("/etc/kubernetes", "/root/.kube", "/home/*/.kube") and
    process.args in ("kubeconfig", "admin.conf", "super-admin.conf", "kubelet.conf", "controller-manager.conf", "scheduler.conf")
  ) or
  process.args like (
    "/etc/kubernetes/admin.conf",
    "/etc/kubernetes/super-admin.conf",
    "/etc/kubernetes/kubelet.conf",
    "/etc/kubernetes/controller-manager.conf",
    "/etc/kubernetes/scheduler.conf",
    "/home/*/.kube/config",
    "/root/.kube/config",
    "/var/lib/*/kubeconfig"
  )
) and not process.name in ("stat", "md5sum", "dirname")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
reference = "https://attack.mitre.org/techniques/T1613/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
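To see which endpoint process events the EQL query above actually selects, and why the 'stat'/'md5sum' exclusions from the false positive analysis matter, here is an added Python re-implementation of the query's three conditions (suspicious parent, kubeconfig reference, excluded process name) run over a handful of constructed, ECS-shaped process events. It is an illustration written for this page, not code from the Elastic rule or its tooling. The pattern lists are copied from the query; the sample events, the helper names (`matches`, `alerting_events`) and the hypothetical paths such as `/tmp/run.sh` and `/home/alice/.kube/config` are assumptions. EQL `like` is approximated with a case-sensitive glob, `in` with exact membership, and both are applied per element on the array field `process.args`.

```python
import fnmatch

# Literal lists copied from the rule's EQL query.
SHELL_PARENTS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"}
WRITABLE_PARENT_EXE = ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", "/home/*")
SCRIPT_PARENT_NAME = (".*", "*.sh")  # globs (hidden names, *.sh scripts), not regexes
KUBE_WORKDIRS = ("/etc/kubernetes", "/root/.kube", "/home/*/.kube")
KUBECONFIG_BASENAMES = {"kubeconfig", "admin.conf", "super-admin.conf", "kubelet.conf",
                        "controller-manager.conf", "scheduler.conf"}
KUBECONFIG_PATHS = (
    "/etc/kubernetes/admin.conf", "/etc/kubernetes/super-admin.conf",
    "/etc/kubernetes/kubelet.conf", "/etc/kubernetes/controller-manager.conf",
    "/etc/kubernetes/scheduler.conf", "/home/*/.kube/config", "/root/.kube/config",
    "/var/lib/*/kubeconfig",
)
EXCLUDED_NAMES = {"stat", "md5sum", "dirname"}


def like(value, patterns):
    """EQL `field like (a, b, ...)`: case-sensitive glob match against any pattern."""
    return value is not None and any(fnmatch.fnmatchcase(value, p) for p in patterns)


def any_like(values, patterns):
    """On an array field, `like` is satisfied when any element matches."""
    return any(like(v, patterns) for v in values)


def matches(event):
    """Return True when a flat ECS process event satisfies the rule's query."""
    if not (event.get("host.os.type") == "linux"
            and event.get("event.type") == "start"
            and event.get("event.action") == "exec"):
        return False
    parent_name = event.get("process.parent.name")
    # Condition 1: parent is an interactive shell, lives in a writable/home
    # directory, or is a hidden file or *.sh script.
    suspicious_parent = (
        parent_name in SHELL_PARENTS
        or like(event.get("process.parent.executable"), WRITABLE_PARENT_EXE)
        or like(parent_name, SCRIPT_PARENT_NAME)
    )
    args = event.get("process.args", [])
    # Condition 2: a kubeconfig basename from inside a kube directory, or a
    # known absolute kubeconfig path anywhere in the arguments.
    kubeconfig_ref = (
        (like(event.get("process.working_directory"), KUBE_WORKDIRS)
         and any(a in KUBECONFIG_BASENAMES for a in args))
        or any_like(args, KUBECONFIG_PATHS)
    )
    # Condition 3: benign file-check utilities are excluded by name.
    return (suspicious_parent and kubeconfig_ref
            and event.get("process.name") not in EXCLUDED_NAMES)


def make_event(name, args, parent_name, parent_exe, cwd="/root"):
    """Build a minimal ECS-shaped exec event (constructed sample, not real telemetry)."""
    return {
        "host.os.type": "linux", "event.type": "start", "event.action": "exec",
        "process.name": name, "process.args": args,
        "process.parent.name": parent_name, "process.parent.executable": parent_exe,
        "process.working_directory": cwd,
    }


# Constructed sample events covering each branch of the query.
SAMPLE_EVENTS = {
    "cat_admin_conf": make_event("cat", ["cat", "/etc/kubernetes/admin.conf"],
                                 "bash", "/usr/bin/bash"),
    "stat_admin_conf": make_event("stat", ["stat", "/etc/kubernetes/admin.conf"],
                                  "bash", "/usr/bin/bash"),
    "cp_from_workdir": make_event("cp", ["cp", "admin.conf", "/tmp/a.conf"],
                                  "run.sh", "/tmp/run.sh", cwd="/etc/kubernetes"),
    "user_kubeconfig": make_event("cat", ["cat", "/home/alice/.kube/config"],
                                  "zsh", "/usr/bin/zsh"),
    "kubelet_from_systemd": make_event("kubelet", ["kubelet", "--kubeconfig=/var/lib/kubelet/kubeconfig"],
                                       "systemd", "/usr/lib/systemd/systemd"),
}


def alerting_events(events=SAMPLE_EVENTS):
    """Names of the sample events the rule would alert on, sorted."""
    return sorted(key for key, ev in events.items() if matches(ev))


if __name__ == "__main__":
    for key, ev in SAMPLE_EVENTS.items():
        print(f"{key:22s} -> {'ALERT' if matches(ev) else 'no match'}")
```

Of the five samples, `cat_admin_conf`, `cp_from_workdir` and `user_kubeconfig` alert: the first and third through the absolute-path branch, the second through the working-directory branch (parent `run.sh` satisfies both the `*.sh` name glob and the `/tmp/*` executable glob). `stat_admin_conf` is dropped only by the final `not process.name in (...)` clause, which is exactly the exclusion the false positive analysis asks you to keep configured. `kubelet_from_systemd` never alerts because its parent is neither a shell nor a script from a writable directory, which is how the rule keeps the kubelet's own routine reads of its kubeconfig out of the alert stream; any tuning exceptions you add for known administrative scripts should be modelled on that parent-process condition rather than on widening the excluded-name list.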
