Potential Kubeletctl Execution

About

Tags

Domain: EndpointDomain: ContainerDomain: KubernetesOS: LinuxUse Case: Threat DetectionTactic: ExecutionTactic: DiscoveryData Source: Elastic DefendData Source: Auditd ManagerLanguage: eql

Severity

medium

Risk Score

47

MITRE ATT&CK™

Discovery (TA0007)(external, opens in a new tab or window)

↳ Container and Resource Discovery (T1613)(external, opens in a new tab or window)

Execution (TA0002)(external, opens in a new tab or window)

↳ Command and Scripting Interpreter (T1059)(external, opens in a new tab or window)

↳ Container Administration Command (T1609)(external, opens in a new tab or window)

False Positive Examples

Administrators or developers may execute kubeletctl during legitimate troubleshooting or incident response to validate Kubelet API connectivity or enumerate pods. Confirm the user/session and change window before escalating.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

auditbeat-*logs-auditd_manager.auditd-*logs-endpoint.events.process*

Related Integrations

endpoint(external, opens in a new tab or window)

auditd_manager(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "executed") and 
(
  process.name == "kubeletctl" or
  (process.args in ("run", "exec", "scan", "pods", "runningpods", "attach", "portForward", "cri", "pid2pod") and process.args:("*:10250*", "*:10255*"))
)