Kubernetes Static Pod Manifest File Access

Detects Linux process executions where shells, editors, interpreters, or file/stream utilities reference /etc/kubernetes/manifests in process arguments. That directory holds static pod manifests read by the kubelet; interaction via editors, downloaders, kubectl, redirection helpers (tee, dd), or scripting runtimes may indicate staging or tampering with manifests for persistence or privileged workload placement. Pairs with file-telemetry rules that flag direct manifest creation on container workloads.

Elastic rule

[metadata]
creation_date = "2026/05/06"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2026/05/06"

[rule]
author = ["Elastic"]
description = """
Detects Linux process executions where shells, editors, interpreters, or file/stream utilities reference
/etc/kubernetes/manifests in process arguments. That directory holds static pod manifests read by the kubelet;
interaction via editors, downloaders, kubectl, redirection helpers (tee, dd), or scripting runtimes may indicate
staging or tampering with manifests for persistence or privileged workload placement. Pairs with file-telemetry rules
that flag direct manifest creation on container workloads.
"""
false_positives = [
    """
    Cluster provisioning (kubeadm), configuration management, or administrators editing manifests during maintenance may
    match. Baseline approved automation and interactive admin sessions on control plane nodes.
    """,
]
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes Static Pod Manifest File Access"
note = """## Triage and analysis

### Investigating Kubernetes Static Pod Manifest File Access

Review the full command line (process.args, process.command_line), user.id, user.name, process.parent, and whether the
session was interactive. Confirm if the host is a Kubernetes node or admin jump host where manifest edits are expected.

### Possible investigation steps

- Compare activity to change windows and identity baselines; prioritize events without matching change tickets.
- Inspect subsequent process and file events on the same host for writes under /etc/kubernetes/manifests or kubelet
  restarts.
- Correlate with Kubernetes audit logs and node/agent telemetry for related compromise indicators.

### Response and remediation

- If unauthorized, restore manifests from known-good sources, isolate the host, and review cluster integrity per incident
  policy.
"""
references = [
    "https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/",
    "https://attack.mitre.org/techniques/T1053/007/",
]
risk_score = 47
rule_id = "a698a653-e144-4e40-bade-35135935be45"
setup = """## Setup

Requires **Elastic Defend** and/or **Auditd Manager** process telemetry (`logs-endpoint.events.process*`,
`logs-auditd_manager.auditd-*`, `auditbeat-*`) with command-line argument capture for exec events.

### Elastic Defend
Install the Elastic Defend integration via Fleet on Linux hosts and use a policy that collects process events with
arguments.

### Auditd Manager
Deploy Auditd Manager and ensure execve (or equivalent process) auditing is enabled so `process.args` and
`process.executable` populate for monitored binaries.

See https://docs.elastic.co/integrations/auditd_manager
"""
severity = "medium"
tags = [
    "Data Source: Auditd Manager",
    "Data Source: Elastic Defend",
    "Domain: Endpoint",
    "Domain: Kubernetes",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
host.os.type:linux and event.category:process and event.action:(exec or executed) and
process.name:(
  bash or sh or dash or zsh or
  cat or cp or mv or touch or tee or dd or
  sed or awk or
  curl or wget or scp or
  vi or vim or nano or echo or
  busybox or
  python* or perl* or ruby* or node or lua* or
  openssl or base64 or xxd or
  .*) and
  process.args:(*/etc/kubernetes/manifests/* and not (/etc/kubernetes/manifests/etcd* or /etc/kubernetes/manifests/kube-apiserver* or /etc/kubernetes/manifests/kube-scheduler* or /etc/kubernetes/manifests/kube-controller-manager*))
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"

[[rule.threat.technique.subtechnique]]
id = "T1053.007"
name = "Container Orchestration Job"
reference = "https://attack.mitre.org/techniques/T1053/007/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[[rule.threat.technique.subtechnique]]
id = "T1543.005"
name = "Container Service"
reference = "https://attack.mitre.org/techniques/T1543/005/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
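To see exactly which process events the query above alerts on and which it suppresses, here is an added example (not Elastic's code and not how the detection engine evaluates KQL) that re-implements the rule's clauses in Python and runs them over constructed ECS-style events. It assumes events are flat dicts with ECS dotted keys, and it approximates the KQL `*` wildcard with fnmatch globbing, so `*` spans `/` in the same way the query's leading `*/etc/...` pattern does.

```python
"""Added example (not Elastic's code): a stand-alone re-implementation of the
rule query's clauses, run over constructed ECS-style process events.

Assumptions: events are flat dicts with ECS dotted keys, and KQL's `*`
wildcard is approximated with fnmatch globbing (which lets `*` span `/`).
"""
from fnmatch import fnmatchcase

# process.name terms copied from the rule query (`*` is a KQL wildcard)
PROCESS_NAMES = [
    "bash", "sh", "dash", "zsh",
    "cat", "cp", "mv", "touch", "tee", "dd",
    "sed", "awk",
    "curl", "wget", "scp",
    "vi", "vim", "nano", "echo",
    "busybox",
    "python*", "perl*", "ruby*", "node", "lua*",
    "openssl", "base64", "xxd",
    ".*",
]

ARGS_INCLUDE = "*/etc/kubernetes/manifests/*"

# The kubeadm-managed control-plane manifests are excluded by the rule.
ARGS_EXCLUDE = [
    "/etc/kubernetes/manifests/etcd*",
    "/etc/kubernetes/manifests/kube-apiserver*",
    "/etc/kubernetes/manifests/kube-scheduler*",
    "/etc/kubernetes/manifests/kube-controller-manager*",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def rule_matches(event: dict) -> bool:
    """Return True when every clause of the rule query holds for the event."""
    if event.get("host.os.type") != "linux":
        return False
    if "process" not in _as_list(event.get("event.category", [])):
        return False
    if event.get("event.action") not in ("exec", "executed"):
        return False
    if not any(fnmatchcase(event.get("process.name", ""), p) for p in PROCESS_NAMES):
        return False
    args = _as_list(event.get("process.args", []))
    # KQL `field:(A and not B)` on a multi-valued field: some value matches A
    # and no value matches B, so one excluded path suppresses the whole event.
    included = any(fnmatchcase(a, ARGS_INCLUDE) for a in args)
    excluded = any(fnmatchcase(a, p) for a in args for p in ARGS_EXCLUDE)
    return included and not excluded


def _proc(name, args, action="exec", os_type="linux"):
    """Build a constructed process event in the shape the rule expects."""
    return {
        "host.os.type": os_type,
        "event.category": ["process"],
        "event.action": action,
        "process.name": name,
        "process.args": args,
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # editor opening a non-standard manifest: alerts
    _proc("vim", ["vim", "/etc/kubernetes/manifests/web-pod.yaml"]),
    # reading a kubeadm-managed manifest: suppressed by the exclusion list
    _proc("cat", ["cat", "/etc/kubernetes/manifests/kube-apiserver.yaml"]),
    # interpreter matched through the python* wildcard: alerts
    _proc("python3", ["python3", "render.py", "/etc/kubernetes/manifests/web-pod.yaml"]),
    # kubectl is named in the description but absent from the process.name list
    _proc("kubectl", ["kubectl", "apply", "-f", "/etc/kubernetes/manifests/web-pod.yaml"]),
    # one excluded path in the command suppresses the non-excluded one too
    _proc("cp", ["cp", "/etc/kubernetes/manifests/kube-apiserver.yaml",
                 "/etc/kubernetes/manifests/api-backup.yaml"]),
    # same kind of command, but event.action is not exec/executed: out of scope
    _proc("tee", ["tee", "/etc/kubernetes/manifests/web-pod.yaml"], action="start"),
]


def matching_commands(events) -> list:
    """Command lines of the events the rule would alert on."""
    return [" ".join(e["process.args"]) for e in events if rule_matches(e)]


if __name__ == "__main__":
    for cmd in matching_commands(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Two of the sample events are worth noting when tuning: the `kubectl` command does not fire because `kubectl` is not in the query's `process.name` list even though the description mentions it, and the `cp` command does not fire because the exclusion is evaluated per event, so any argument matching an excluded control-plane manifest suppresses the alert even when another argument points at a non-excluded file.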

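The investigation steps in the rule's note (compare the alert to change windows, then look for follow-on manifest writes and kubelet restarts on the same host) can be scripted once the alert and the surrounding telemetry are in hand. The following is an added example, not Elastic's code: it assumes events as flat dicts with ECS dotted keys and ISO-8601 `@timestamp` values, assumes file events carry `event.action` values such as `creation` and `modification`, and uses a constructed list of approved change windows; hostnames and timestamps are made up.

```python
"""Added example (not Elastic's code): triage helper for the rule's
investigation steps. Given an alert event it checks whether the alert fell
inside an approved change window and collects follow-on manifest writes and
kubelet service changes on the same host.

Assumptions: flat ECS-style dicts with ISO-8601 `@timestamp` values, and file
events whose event.action is "creation", "modification" or "rename".
"""
from datetime import datetime, timedelta, timezone

MANIFEST_DIR = "/etc/kubernetes/manifests/"
KUBELET_ACTIONS = {"restart", "stop", "start", "reload"}


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def in_change_window(alert: dict, windows) -> bool:
    """True if an approved (host, start, end) window covers the alert time."""
    t = _ts(alert)
    return any(host == alert["host.name"] and start <= t <= end
               for host, start, end in windows)


def follow_on_activity(alert: dict, events, window_minutes: int = 30) -> dict:
    """Manifest writes and kubelet service changes on the alert's host within
    window_minutes after the alert."""
    start = _ts(alert)
    end = start + timedelta(minutes=window_minutes)
    writes, restarts = [], []
    for ev in events:
        if ev.get("host.name") != alert["host.name"] or not start <= _ts(ev) <= end:
            continue
        category = _as_list(ev.get("event.category", []))
        if "file" in category:
            path = ev.get("file.path", "")
            if (ev.get("event.action") in ("creation", "modification", "rename")
                    and path.startswith(MANIFEST_DIR)):
                writes.append(path)
        elif "process" in category and ev.get("process.name") == "systemctl":
            args = ev.get("process.args", [])
            if "kubelet" in args and KUBELET_ACTIONS.intersection(args):
                restarts.append(" ".join(args))
    return {"manifest_writes": writes, "kubelet_restarts": restarts}


def triage(alert: dict, events, windows, window_minutes: int = 30) -> dict:
    """Combine both checks into a prioritised summary for the analyst."""
    result = follow_on_activity(alert, events, window_minutes)
    result["in_change_window"] = in_change_window(alert, windows)
    if not result["in_change_window"] and (result["manifest_writes"] or result["kubelet_restarts"]):
        result["priority"] = "high"      # unexplained edit followed by real changes
    elif not result["in_change_window"]:
        result["priority"] = "medium"    # unexplained, but nothing else seen yet
    else:
        result["priority"] = "low"       # covered by an approved change window
    return result


def _ev(ts, host, category, action, extra=None):
    """Build a constructed event (not real telemetry)."""
    ev = {"@timestamp": ts, "host.name": host, "event.category": category, "event.action": action}
    ev.update(extra or {})
    return ev


ALERT = _ev("2026-05-06T10:00:00Z", "cp-node-1", "process", "exec",
            {"process.name": "nano", "process.args": ["nano", "/etc/kubernetes/manifests/web-pod.yaml"]})

SAMPLE_EVENTS = [
    # manifest written shortly after the alert on the same host: counted
    _ev("2026-05-06T10:00:30Z", "cp-node-1", "file", "creation", {"file.path": "/etc/kubernetes/manifests/web-pod.yaml"}),
    # write outside the manifest directory: ignored
    _ev("2026-05-06T10:01:00Z", "cp-node-1", "file", "modification", {"file.path": "/etc/kubernetes/kubelet.conf"}),
    # kubelet restarted two minutes later: counted
    _ev("2026-05-06T10:02:00Z", "cp-node-1", "process", "exec", {"process.name": "systemctl", "process.args": ["systemctl", "restart", "kubelet"]}),
    # same path on a different host: ignored
    _ev("2026-05-06T10:03:00Z", "cp-node-2", "file", "creation", {"file.path": "/etc/kubernetes/manifests/web-pod.yaml"}),
    # same host and path, but two hours later, outside the window: ignored
    _ev("2026-05-06T12:00:00Z", "cp-node-1", "file", "modification", {"file.path": "/etc/kubernetes/manifests/web-pod.yaml"}),
]

# Constructed approved maintenance window for cp-node-1 (14:00 to 16:00 UTC).
CHANGE_WINDOWS = [
    ("cp-node-1", datetime(2026, 5, 6, 14, 0, tzinfo=timezone.utc), datetime(2026, 5, 6, 16, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    print(triage(ALERT, SAMPLE_EVENTS, CHANGE_WINDOWS))
```

The same alert re-stamped inside the 14:00 to 16:00 window drops to `low` with no follow-on activity, which is the intended ordering from the note: events without a matching change record go first, and those that also produced manifest writes or a kubelet restart go to the top of the queue.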