Potential Direct Kubelet Access via Process Arguments

Detects potential direct Kubelet API access attempts on Linux by identifying process executions whose arguments contain URLs targeting Kubelet ports (10250/10255). Adversaries may probe or access Kubelet endpoints to enumerate pods, fetch logs, or attempt remote execution, which can enable discovery and lateral movement in Kubernetes environments.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/04/28"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2026/04/28"

[rule]
author = ["Elastic"]
description = """
Detects potential direct Kubelet API access attempts on Linux by identifying process executions whose arguments contain
URLs targeting Kubelet ports (10250/10255). Adversaries may probe or access Kubelet endpoints to enumerate pods, fetch
logs, or attempt remote execution, which can enable discovery and lateral movement in Kubernetes environments.
"""
false_positives = [
    """
    Cluster operators and node diagnostics may legitimately probe Kubelet endpoints (for example /pods or /metrics) during
    troubleshooting. Validate the initiating user, session, and whether the target node/IP is expected for the host.
    """,
]
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Direct Kubelet Access via Process Arguments"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Direct Kubelet Access via Process Arguments

This detection flags a process on a Linux host whose arguments include a URL targeting the Kubelet API ports 10250/10255.
Attackers often use `curl`, `wget`, or scripting runtimes to access endpoints such as `/pods`, `/runningpods`,
`/metrics`, `/exec`, or `/containerLogs`. Successful access can provide node and workload visibility, and in some cases
enable actions that facilitate lateral movement within the cluster.

### Possible investigation steps

- Extract and reconstruct the full URL from `process.args` / `process.command_line`, including the hostname/IP, port, and
  path, and determine whether the request intent was discovery or execution.
- Identify the user and session that launched the process and whether it originated from an interactive shell, scheduled
  task, or automation.
- Correlate the timestamp with Kubernetes audit logs and node/Kubelet logs to confirm whether the request was
  authenticated and whether it returned success.
- If the destination is a node IP, check whether this host should be allowed to reach node Kubelet ports and whether
  other nodes were contacted in a scanning pattern.

### False positive analysis

- SRE/operator troubleshooting sessions validating Kubelet reachability or TLS/auth behavior.
- Approved health checks, debugging scripts, or node agents that query Kubelet endpoints.

### Response and remediation

- Restrict access to Kubelet ports 10250/10255 at the network layer; block pod-to-node or host-to-node traffic except for
  approved agents.
- Rotate any potentially exposed credentials (service account tokens, client certs, kubeconfigs) and assess for follow-on
  activity such as `exec/attach` and secret reads.
- Harden Kubelet configuration (disable anonymous auth, enforce webhook authn/authz) and review RBAC/admission controls.
"""
references = [
    "https://heilancoos.github.io/research/2025/12/16/kubernetes.html#kubelet-api",
    "https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster",
    "https://www.aquasec.com/blog/kubernetes-exposed-exploiting-the-kubelet-api/",
]
risk_score = 73
rule_id = "6aa52f86-18f1-4a5a-a0ac-e2b5db8af589"
severity = "high"
tags = [
    "Domain: Endpoint",
    "Domain: Container",
    "Domain: Kubernetes",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Defend",
    "Data Source: Auditd Manager",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "executed") and
(
  /* direct utility execution */
  process.name like ("curl", "wget", "python*", "perl*", "php*", "node*", "java", "ruby*", "lua*", ".*") or

  process.executable like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/home/*", "/run/user/*", "/busybox/*")
) and
process.args like ("http*:10250/*", "http*:10255/*", "wss:*:10250/*", "wss:*:10255/*")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
reference = "https://attack.mitre.org/techniques/T1613/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
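The rule's `where` clause and the first investigation step (reconstruct the Kubelet URL from `process.args` and decide whether the request was discovery or execution), worked through as an added Python example over constructed sample process events. This is not Elastic's code and not part of the rule: the EQL `like` approximation, the sample events, and the table mapping Kubelet paths to an intent (`/exec`, `/run`, `/attach`, `/portForward` as execution; `/pods`, `/runningpods`, `/metrics`, `/containerLogs` as discovery) are assumptions made here for illustration. It goes slightly beyond the page's `curl https://node:10250/pods` case by also handling bracketed IPv6 hosts and WebSocket URLs.

```python
"""Added example: the rule's EQL predicate and its URL triage step in Python.

Not Elastic's code. The sample events below are constructed, and the
path-to-intent classification is an assumption made for this example.
"""
import re

# Pattern lists copied from the rule's query. EQL `like` is case-sensitive;
# `*` matches any run of characters and `?` a single character.
NAME_PATTERNS = ("curl", "wget", "python*", "perl*", "php*", "node*", "java", "ruby*", "lua*", ".*")
EXECUTABLE_PATTERNS = ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/home/*", "/run/user/*", "/busybox/*")
ARG_PATTERNS = ("http*:10250/*", "http*:10255/*", "wss:*:10250/*", "wss:*:10255/*")


def eql_like(value: str, pattern: str) -> bool:
    """Approximate EQL `like`: translate the wildcard pattern to an anchored regex."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def any_like(values, patterns) -> bool:
    """An array field such as process.args matches if any element matches any pattern."""
    return any(eql_like(v, p) for v in values for p in patterns)


def matches_rule(event: dict) -> bool:
    """The rule's `where` clause evaluated against one ECS-style process event."""
    if event.get("host.os.type") != "linux" or event.get("event.type") != "start":
        return False
    if event.get("event.action") not in ("exec", "executed"):
        return False
    tool_hit = any_like([event.get("process.name", "")], NAME_PATTERNS)
    path_hit = any_like([event.get("process.executable", "")], EXECUTABLE_PATTERNS)
    return (tool_hit or path_hit) and any_like(event.get("process.args", []), ARG_PATTERNS)


# Assumed classification for the "discovery or execution" triage step. The page
# names /pods, /runningpods, /metrics, /containerLogs, /exec and exec/attach;
# /run and /portForward are added here as endpoints that act on a container.
EXECUTION_PREFIXES = ("/exec/", "/run/", "/attach/", "/portForward/")
DISCOVERY_PREFIXES = ("/pods", "/runningpods", "/metrics", "/containerLogs/")

KUBELET_URL = re.compile(
    r"(?P<scheme>https?|wss?)://(?P<host>\[[^\]]+\]|[^/\s:]+):(?P<port>10250|10255)"
    r"(?P<path>/[^\s?#]*)?"
)


def extract_kubelet_url(event: dict):
    """Reconstruct the Kubelet URL from process.args and label its intent."""
    for arg in event.get("process.args", []):
        m = KUBELET_URL.search(arg)
        if not m:
            continue
        path = m.group("path") or "/"
        if path.startswith(EXECUTION_PREFIXES):
            intent = "execution"
        elif path.startswith(DISCOVERY_PREFIXES):
            intent = "discovery"
        else:
            intent = "unknown"
        return {"scheme": m.group("scheme"), "host": m.group("host"),
                "port": m.group("port"), "path": path, "intent": intent}
    return None


def detect(events):
    """Return (event, triage) pairs for every event the rule would alert on."""
    return [(e, extract_kubelet_url(e)) for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). Expected: events 1-3 alert.
SAMPLE_EVENTS = [
    {"host.os.type": "linux", "event.type": "start", "event.action": "exec",
     "process.name": "curl", "process.executable": "/usr/bin/curl",
     "process.args": ["curl", "-sk", "https://10.0.0.5:10250/pods"]},
    {"host.os.type": "linux", "event.type": "start", "event.action": "executed",
     "process.name": "python3", "process.executable": "/usr/bin/python3",
     "process.args": ["python3", "/tmp/k.py",
                      "https://node-1:10250/exec/kube-system/kube-proxy-abc/kube-proxy?command=id&output=1"]},
    {"host.os.type": "linux", "event.type": "start", "event.action": "exec",
     "process.name": ".sh", "process.executable": "/dev/shm/.sh",
     "process.args": ["/dev/shm/.sh", "wss://[fd00::7]:10255/runningpods/"]},
    # Benign: kubectl talks to the API server port, not the Kubelet.
    {"host.os.type": "linux", "event.type": "start", "event.action": "exec",
     "process.name": "kubectl", "process.executable": "/usr/local/bin/kubectl",
     "process.args": ["kubectl", "get", "pods", "--server=https://10.0.0.1:6443/"]},
    # Gap: no "/" after the port, so none of the arg patterns match.
    {"host.os.type": "linux", "event.type": "start", "event.action": "exec",
     "process.name": "curl", "process.executable": "/usr/bin/curl",
     "process.args": ["curl", "-sk", "https://10.0.0.5:10250"]},
    # Wrong OS for this rule.
    {"host.os.type": "windows", "event.type": "start", "event.action": "start",
     "process.name": "curl.exe", "process.executable": "C:\\Windows\\System32\\curl.exe",
     "process.args": ["curl.exe", "https://10.0.0.5:10250/pods"]},
]

if __name__ == "__main__":
    for event, triage in detect(SAMPLE_EVENTS):
        print(event["process.name"], "->", triage)
```

Run stand-alone, it alerts on the first three events and ignores the rest. The fifth event shows a gap worth knowing about when tuning: every `process.args` pattern in the query ends in `:10250/*` or `:10255/*`, so a bare `curl https://node:10250` with no trailing slash does not fire, although the extraction helper still recovers the host and port from it.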

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Potential Direct Kubelet Access via Process Arguments

This detection flags a process on a Linux host whose arguments include a URL targeting the Kubelet API ports 10250/10255. Attackers often use curl, wget, or scripting runtimes to access endpoints such as /pods, /runningpods, /metrics, /exec, or /containerLogs. Successful access can provide node and workload visibility, and in some cases enable actions that facilitate lateral movement within the cluster.

Possible investigation steps

  • Extract and reconstruct the full URL from process.args / process.command_line, including the hostname/IP, port, and path, and determine whether the request intent was discovery or execution.
  • Identify the user and session that launched the process and whether it originated from an interactive shell, scheduled task, or automation.
  • Correlate the timestamp with Kubernetes audit logs and node/Kubelet logs to confirm whether the request was authenticated and whether it returned success.
  • If the destination is a node IP, check whether this host should be allowed to reach node Kubelet ports and whether other nodes were contacted in a scanning pattern.

False positive analysis

  • SRE/operator troubleshooting sessions validating Kubelet reachability or TLS/auth behavior.
  • Approved health checks, debugging scripts, or node agents that query Kubelet endpoints.

Response and remediation

  • Restrict access to Kubelet ports 10250/10255 at the network layer; block pod-to-node or host-to-node traffic except for approved agents.
  • Rotate any potentially exposed credentials (service account tokens, client certs, kubeconfigs) and assess for follow-on activity such as exec/attach and secret reads.
  • Harden Kubelet configuration (disable anonymous auth, enforce webhook authn/authz) and review RBAC/admission controls.
