Elastic Security Detection Rules

Kubectl Network Configuration Modification

Last updated 6 months ago on 2025-07-07
Created 6 months ago on 2025-06-19

About

This rule detects potential kubectl network configuration modification activity by monitoring for process events where the kubectl command is executed with arguments that suggest an attempt to modify network configurations in Kubernetes. This could indicate an adversary trying to manipulate network settings for malicious purposes, such as establishing unauthorized access or exfiltrating data.
Tags
Domain: EndpointDomain: ContainerDomain: KubernetesOS: LinuxUse Case: Threat DetectionTactic: Command and ControlData Source: Elastic DefendData Source: Elastic EndgameData Source: CrowdstrikeData Source: SentinelOneLanguage: eql
Severity
low
Risk Score
21
MITRE ATT&CK™

Command and Control (TA0011)(external, opens in a new tab or window)

Protocol Tunneling (T1572)(external, opens in a new tab or window)

Proxy (T1090)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
endgame-*logs-crowdstrike.fdr*logs-endpoint.events.process*logs-sentinel_one_cloud_funnel.*
Related Integrations

endpoint(external, opens in a new tab or window)

crowdstrike(external, opens in a new tab or window)

sentinel_one_cloud_funnel(external, opens in a new tab or window)

Query
text code block:
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
process.name == "kubectl" and (
  process.args == "port-forward" and process.command_line like "*:*" or
  process.args in ("proxy", "expose")
) and (
  process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") or
  (
    process.parent.executable like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", "/home/*") or
    process.parent.name like (".*", "*.sh")
  )
)

Install detection rules in Elastic Security

Detect Kubectl Network Configuration Modification in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).