Potential Kubectl Masquerading via Unexpected Process

Last updated: 2025-07-07
Created: 2025-06-19

About

This rule detects potential kubectl masquerading activity by monitoring for process events where the process name is not "kubectl" but the command line arguments include kubectl-related commands. This could indicate an adversary attempting to masquerade as legitimate kubectl activity to evade detection. This rule covers evasion gaps introduced by renaming the kubectl binary, or placing it in an unusual directory.
Tags
Domain: Endpoint
Domain: Container
Domain: Kubernetes
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Crowdstrike
Data Source: SentinelOne
Language: eql
Severity
low
Risk Score
21
MITRE ATT&CK™

Defense Evasion (TA0005)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
endgame-*
logs-crowdstrike.fdr*
logs-endpoint.events.process*
logs-sentinel_one_cloud_funnel.*
Related Integrations

endpoint

crowdstrike

sentinel_one_cloud_funnel

Query
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "executed", "process_started") and
(
  process.executable like~ ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", "/var/www/*", "./kubectl", "/home/*/kubectl") or
  process.name like ".*"
) and
process.command_line like~ (

  // get and describe commands
  "*get po*", "*get deploy*", "*get node*", "*get svc*", "*get service*", "*get secret*", "*get clusterrole*", "*get ingress*",
  "*get configmap*", "*describe po*", "*describe deploy*", "*describe node*", "*describe svc*", "*describe service*",
  "*describe secret*", "*describe configmap*", "*describe clusterrole*", "*describe ingress*",
  
  // exec commands
  "*exec -it*", "*exec --stdin*", "*exec --tty*",
  
  // networking commands
  "*port-forward* ", "*proxy --port*", "*run --image=*", "*expose*",

  // authentication/impersonation commands
  "*auth can-i*", "*--kubeconfig*", "*--as *", "*--as=*", "*--as-group*", "*--as-uid*"
) and not (
  process.executable like "/tmp/newroot/*" or
  process.name == ".flatpak-wrapped"
)
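The following Python model of the query above is an added example, not part of the rule or of Elastic's code: it re-implements the EQL conditions (the `like`/`like~` glob lists, the process-start filter and the exclusion clause) over constructed, flattened process events so the rule's logic can be exercised offline. The `event` helper and its sample values are assumptions for illustration.

```python
import fnmatch

# Glob lists copied from the EQL rule above ("*" matches any run of characters).
UNUSUAL_EXE = ["/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", "/var/www/*",
               "./kubectl", "/home/*/kubectl"]
KUBECTL_ARGS = [
    "*get po*", "*get deploy*", "*get node*", "*get svc*", "*get service*",
    "*get secret*", "*get clusterrole*", "*get ingress*", "*get configmap*",
    "*describe po*", "*describe deploy*", "*describe node*", "*describe svc*",
    "*describe service*", "*describe secret*", "*describe configmap*",
    "*describe clusterrole*", "*describe ingress*",
    "*exec -it*", "*exec --stdin*", "*exec --tty*",
    "*port-forward* ", "*proxy --port*", "*run --image=*", "*expose*",
    "*auth can-i*", "*--kubeconfig*", "*--as *", "*--as=*", "*--as-group*", "*--as-uid*",
]
EXEC_ACTIONS = {"exec", "exec_event", "start", "executed", "process_started"}


def like(value, patterns, case_insensitive):
    """EQL 'like' (case-sensitive) / 'like~' (case-insensitive) over glob patterns."""
    if case_insensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def matches_rule(ev):
    """Return True when a flattened process event satisfies every clause of the rule."""
    if ev.get("host.os.type") != "linux" or ev.get("event.type") != "start":
        return False
    if ev.get("event.action") not in EXEC_ACTIONS:
        return False
    exe, name, cmd = (ev.get(k, "") for k in
                      ("process.executable", "process.name", "process.command_line"))
    # Binary in a writable or unusual path, or a hidden (dot-prefixed) process name.
    if not (like(exe, UNUSUAL_EXE, True) or like(name, [".*"], False)):
        return False
    if not like(cmd, KUBECTL_ARGS, True):
        return False
    # Exclusions from the rule's "and not (...)" clause.
    if like(exe, ["/tmp/newroot/*"], False) or name == ".flatpak-wrapped":
        return False
    return True


def event(executable, name, command_line, action="exec"):
    """Build a constructed Linux process-start event with only the fields the rule reads."""
    return {"host.os.type": "linux", "event.type": "start", "event.action": action,
            "process.executable": executable, "process.name": name,
            "process.command_line": command_line}
```

One detail worth checking when tuning: the pattern `"*port-forward* "` is copied verbatim with its trailing space, so under glob semantics it only matches a command line that ends in a space.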

Install detection rules in Elastic Security

Detect Potential Kubectl Masquerading via Unexpected Process in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.