Elastic Security Detection Rules

Potential Direct Kubelet Access via Process Arguments

Last updated 14 days ago on 2026-04-28
Created 14 days ago on 2026-04-28

About

Detects potential direct Kubelet API access attempts on Linux by identifying process executions whose arguments contain URLs targeting Kubelet ports (10250/10255). Adversaries may probe or access Kubelet endpoints to enumerate pods, fetch logs, or attempt remote execution, which can enable discovery and lateral movement in Kubernetes environments.
Tags
Domain: EndpointDomain: ContainerDomain: KubernetesOS: LinuxUse Case: Threat DetectionTactic: DiscoveryTactic: Lateral MovementData Source: Elastic DefendData Source: Auditd ManagerLanguage: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Lateral Movement (TA0008)(external, opens in a new tab or window)

Remote Services (T1021)(external, opens in a new tab or window)

Discovery (TA0007)(external, opens in a new tab or window)

Container and Resource Discovery (T1613)(external, opens in a new tab or window)

Execution (TA0002)(external, opens in a new tab or window)

Command and Scripting Interpreter (T1059)(external, opens in a new tab or window)

False Positive Examples
Cluster operators and node diagnostics may legitimately probe Kubelet endpoints (for example /pods or /metrics) during troubleshooting. Validate the initiating user, session, and whether the target node/IP is expected for the host.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
auditbeat-*logs-auditd_manager.auditd-*logs-endpoint.events.process*
Related Integrations

endpoint(external, opens in a new tab or window)

auditd_manager(external, opens in a new tab or window)

Query
text code block:
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "executed") and
(
  /* direct utility execution */
  process.name like ("curl", "wget", "python*", "perl*", "php*", "node*", "java", "ruby*", "lua*", ".*") or
  
  process.executable like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/home/*", "/run/user/*", "/busybox/*")
) and
process.args like ("http*:10250/*", "http*:10255/*", "wss:*:10250/*", "wss:*:10255/*")

Install detection rules in Elastic Security

Detect Potential Direct Kubelet Access via Process Arguments in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).