Potential Kubeletctl Execution
Detects the execution of kubeletctl on Linux hosts. Kubeletctl is a command-line tool that can be used to interact with the Kubelet API directly, simplifying access to Kubelet endpoints that can be used for discovery and, in some cases, lateral movement within Kubernetes environments.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2026/04/28"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2026/04/28"

[rule]
author = ["Elastic"]
description = """
Detects the execution of kubeletctl on Linux hosts. Kubeletctl is a command-line tool that can be used to interact with
the Kubelet API directly, simplifying access to Kubelet endpoints that can be used for discovery and, in some cases,
lateral movement within Kubernetes environments.
"""
false_positives = [
    """
    Administrators or developers may execute kubeletctl during legitimate troubleshooting or incident response to validate
    Kubelet API connectivity or enumerate pods. Confirm the user/session and change window before escalating.
    """,
]
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Kubeletctl Execution"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Kubeletctl Execution

This alert flags kubeletctl execution on a Linux host. Kubeletctl provides direct access to the node's Kubelet API and can
be used to enumerate pods and nodes and attempt actions such as exec/attach/portForward. A common attacker pattern is
running `kubeletctl scan` to find reachable Kubelet endpoints, then using `pods` or `exec/attach` for follow-on access.

### Possible investigation steps

- Review the full command line to identify the intended operation (scan/pods/exec/attach/portForward) and the target
  Kubelet endpoint (node IP/hostname and port via `-s`/`--server`).
- Correlate with host and container telemetry for connections to Kubelet ports (commonly 10250/10255) and look for
  scanning patterns across multiple nodes.
- Check whether Kubernetes credentials were accessed or used (service account tokens, kubeconfigs, client certs) and
  correlate with Kubernetes audit logs for follow-on actions.

### False positive analysis

- Approved operational debugging or incident response activity that uses kubeletctl for diagnostics.

### Response and remediation

- Restrict access to Kubelet ports at the network layer and harden Kubelet authentication/authorization.
- Rotate/revoke any exposed Kubernetes credentials and investigate for follow-on discovery or execution attempts.
"""
references = [
    "https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster",
    "https://github.com/cyberark/kubeletctl",
]
risk_score = 47
rule_id = "f7a131f8-44b7-4957-99a4-e6c54d93d816"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "Domain: Container",
    "Domain: Kubernetes",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Discovery",
    "Data Source: Elastic Defend",
    "Data Source: Auditd Manager",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "executed") and
(
  process.name == "kubeletctl" or
  (process.args in ("run", "exec", "scan", "pods", "runningpods", "attach", "portForward", "cri", "pid2pod") and process.args:("*:10250*", "*:10255*"))
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
reference = "https://attack.mitre.org/techniques/T1613/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"

[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
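The EQL predicate above has two branches: a literal `process.name == "kubeletctl"` match, and a fallback that pairs one of kubeletctl's subcommand words with an argument carrying a Kubelet port, which is what catches a copied or renamed binary. The following Python re-implements that predicate over a handful of flattened ECS-style process events so both branches, and the common non-matching neighbours (kubectl exec, curl to the API server port, a non-Linux host, a process exit event), can be exercised offline. It also pulls out the operation and `-s`/`--server` target that the investigation guide asks a responder to look at first. This is an added example, not code from the Elastic rule or from kubeletctl; the sample events, the `kc` binary name and the argument forms in them are constructed to exercise the query and are not a statement about kubeletctl's own flag syntax beyond the `-s`/`--server` flag the guide names.

```python
from fnmatch import fnmatchcase

# Subcommand words and port wildcards copied from the rule's EQL query.
KUBELETCTL_SUBCOMMANDS = {"run", "exec", "scan", "pods", "runningpods",
                          "attach", "portForward", "cri", "pid2pod"}
KUBELET_PORT_PATTERNS = ("*:10250*", "*:10255*")


def eql_wildcard_any(values, patterns):
    """EQL ':' on a keyword array: case-insensitive wildcard match of any element."""
    return any(fnmatchcase(v.lower(), p.lower()) for v in values for p in patterns)


def matches_rule(event):
    """Evaluate the rule's EQL predicate against one flattened ECS-style event (dict)."""
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.type") != "start":
        return False
    if event.get("event.action") not in ("exec", "executed"):
        return False
    # First branch: the tool run under its own name.
    if event.get("process.name") == "kubeletctl":
        return True
    # Second branch: a kubeletctl-style subcommand plus a Kubelet port somewhere
    # in the arguments. EQL 'in' on an array field is true when any element
    # equals one of the listed values (case-sensitive); ':' is the wildcard form.
    args = event.get("process.args", [])
    has_subcommand = any(a in KUBELETCTL_SUBCOMMANDS for a in args)
    return has_subcommand and eql_wildcard_any(args, KUBELET_PORT_PATTERNS)


def triage_summary(event):
    """Extract what the investigation guide asks for first: the operation and the target.

    Assumes the target is passed as '-s <addr>', '--server <addr>' or '--server=<addr>'
    (the '-s'/'--server' flag is the one the guide names; the '=' form is an assumption).
    """
    args = event.get("process.args", [])
    operation = next((a for a in args if a in KUBELETCTL_SUBCOMMANDS), None)
    server = None
    for i, a in enumerate(args):
        if a in ("-s", "--server") and i + 1 < len(args):
            server = args[i + 1]
        elif a.startswith("--server="):
            server = a.split("=", 1)[1]
    return {"operation": operation, "server": server}


def evaluate(events):
    """Return the ids of the events that would raise this alert, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry), flattened to dotted ECS keys.
SAMPLE_EVENTS = [
    # Tool run under its own name: caught by the first branch.
    {"id": "e1", "host.os.type": "linux", "event.type": "start", "event.action": "exec",
     "process.name": "kubeletctl",
     "process.args": ["kubeletctl", "scan"]},
    # Same tool copied to a different name: only the second branch can catch it.
    {"id": "e2", "host.os.type": "linux", "event.type": "start", "event.action": "executed",
     "process.name": "kc",
     "process.args": ["./kc", "pods", "--server", "https://10.0.0.5:10250"]},
    # kubectl exec: contains a listed word but no Kubelet port in the arguments.
    {"id": "e3", "host.os.type": "linux", "event.type": "start", "event.action": "exec",
     "process.name": "kubectl",
     "process.args": ["kubectl", "exec", "-it", "web-0", "--", "sh"]},
    # curl to the API server port (6443), not the Kubelet, and no subcommand word.
    {"id": "e4", "host.os.type": "linux", "event.type": "start", "event.action": "exec",
     "process.name": "curl",
     "process.args": ["curl", "-k", "https://10.0.0.1:6443/api"]},
    # Subcommand plus port, but the rule is scoped to Linux hosts.
    {"id": "e5", "host.os.type": "windows", "event.type": "start", "event.action": "exec",
     "process.name": "kc.exe",
     "process.args": ["kc.exe", "pods", "-s", "10.0.0.5:10250"]},
    # Process exit rather than start: outside the rule's event.type filter.
    {"id": "e6", "host.os.type": "linux", "event.type": "end", "event.action": "end",
     "process.name": "kubeletctl",
     "process.args": ["kubeletctl", "runningpods", "-s", "10.0.0.5"]},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        if matches_rule(e):
            print(e["id"], triage_summary(e))
```

Only e1 and e2 fire. e3 shows why the second branch insists on a port argument: `kubectl exec` would otherwise match on the word `exec` alone. e6 shows that the rule keys on process start, so a copy of kubeletctl that was already running before telemetry began will not produce an alert from this rule and has to be found through the network-side correlation the guide describes.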
Related rules
- Kubernetes Direct API Request via Curl or Wget
- Kubelet API Connection Attempt to Internal IP
- Potential Direct Kubelet Access via Process Arguments
- Kubectl Permission Discovery
- Potential Impersonation Attempt via Kubectl