Kubelet Certificate File Access Detected via Defend for Containers
This rule detects access to the Kubelet certificate file from inside a container. The Kubelet certificate file is used to authenticate the container to the Kubernetes API server, and may be used by an adversary to gain access to the Kubernetes API server or other resources within the cluster. These files are a common target for adversaries seeking access to the cluster. Note a current limitation of the Defend for Containers file sensor: file open events are logged only when the file is opened with write intent, so read-only opens of these files are not recorded.
Rule type: eql
Rule indices:
- logs-cloud_defend.file*
Rule Severity: low
Risk Score: 21
Runs every: 5m
Searches indices from: now-6m
Maximum alerts per execution: 100
References:
- https://heilancoos.github.io/research/2025/12/16/kubernetes.html#kubelet-api
- https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster
- https://www.aquasec.com/blog/kubernetes-exposed-exploiting-the-kubelet-api/
Tags:
- Data Source: Elastic Defend for Containers
- Domain: Container
- OS: Linux
- Use Case: Threat Detection
- Tactic: Discovery
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
file where host.os.type == "linux" and event.type == "change" and event.action == "open" and
file.path like "/var/lib/kubelet/pki/*" and process.interactive == true and container.id like "?*"
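As an added example (not part of the rule or of Elastic's code), the following Python re-implements the where clause above and runs it over constructed events, including EQL's array-aware `==` and glob-style `like` semantics; the field values and container id are made up.

```python
import fnmatch
from typing import Any, Dict, List

def _event(path: str, interactive: bool, container_id: str) -> Dict[str, Any]:
    """Build a constructed, flattened logs-cloud_defend.file* style document for the sample set."""
    return {"host.os.type": "linux", "event.type": ["change"], "event.action": "open",
            "file.path": path, "process.interactive": interactive, "container.id": container_id}

# Constructed sample events (not real telemetry). Only the first should alert. A read-only open of
# the same file would not appear in the index at all (sensor limitation above), so none is included.
SAMPLE_EVENTS = [
    _event("/var/lib/kubelet/pki/kubelet-client-current.pem", True, "3f9c0a1b2c3d"),  # interactive, in container
    _event("/var/lib/kubelet/pki/kubelet.crt", False, "3f9c0a1b2c3d"),  # non-interactive (e.g. the kubelet itself)
    _event("/var/lib/kubelet/pki/kubelet.key", True, ""),  # interactive, but on the host: empty container.id
    _event("/var/lib/kubelet/config.yaml", True, "3f9c0a1b2c3d"),  # in container, but outside the pki directory
]

def _eq(value: Any, expected: Any) -> bool:
    """EQL '==' against a field that may be a scalar or an array (event.type usually is an array):
    an array matches when any element equals the expected value."""
    if isinstance(value, list):
        return expected in value
    return value == expected

def _like(value: Any, pattern: str) -> bool:
    """EQL 'like': case-sensitive glob where '*' matches any run and '?' exactly one character.
    The rule's pattern "?*" therefore means "at least one character", i.e. a non-empty container.id."""
    return isinstance(value, str) and fnmatch.fnmatchcase(value, pattern)

def matches_rule(ev: Dict[str, Any]) -> bool:
    """Re-implementation of the rule's EQL 'where' clause over one flattened event."""
    return (
        _eq(ev.get("host.os.type"), "linux")
        and _eq(ev.get("event.type"), "change")
        and _eq(ev.get("event.action"), "open")
        and _like(ev.get("file.path"), "/var/lib/kubelet/pki/*")
        and ev.get("process.interactive") is True
        and _like(ev.get("container.id"), "?*")
    )

def run_rule(events: List[Dict[str, Any]]) -> List[str]:
    """Return the file paths of the events that would raise an alert."""
    return [ev["file.path"] for ev in events if matches_rule(ev)]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # -> ['/var/lib/kubelet/pki/kubelet-client-current.pem']
```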
Framework: MITRE ATT&CK
Tactic:
- Name: Discovery
- Id: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: Container and Resource Discovery
- Id: T1613
- Reference URL: https://attack.mitre.org/techniques/T1613/