Loading

Potential Kubeletctl Execution

Detects the execution of kubeletctl on Linux hosts. Kubeletctl is a command-line tool that can be used to interact with the Kubelet API directly, simplifying access to Kubelet endpoints that can be used for discovery and, in some cases, lateral movement within Kubernetes environments.

Rule type: eql
Rule indices:

  • auditbeat-*
  • logs-auditd_manager.auditd-*
  • logs-endpoint.events.process*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Endpoint
  • Domain: Container
  • Domain: Kubernetes
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Execution
  • Tactic: Discovery
  • Data Source: Elastic Defend
  • Data Source: Auditd Manager
  • Resources: Investigation Guide

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

This alert flags kubeletctl execution on a Linux host. Kubeletctl provides direct access to the node’s Kubelet API and can be used to enumerate pods and nodes and attempt actions such as exec/attach/portForward. A common attacker pattern is running kubeletctl scan to find reachable Kubelet endpoints, then using pods or exec/attach for follow-on access.

  • Review the full command line to identify the intended operation (scan/pods/exec/attach/portForward) and the target Kubelet endpoint (node IP/hostname and port via -s/--server).
  • Correlate with host and container telemetry for connections to Kubelet ports (commonly 10250/10255) and look for scanning patterns across multiple nodes.
  • Check whether Kubernetes credentials were accessed or used (service account tokens, kubeconfigs, client certs) and correlate with Kubernetes audit logs for follow-on actions.
  • Approved operational debugging or incident response activity that uses kubeletctl for diagnostics.
  • Restrict access to Kubelet ports at the network layer and harden Kubelet authentication/authorization.
  • Rotate/revoke any exposed Kubernetes credentials and investigate for follow-on discovery or execution attempts.
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "executed") and
(
  process.name == "kubeletctl" or
  (process.args in ("run", "exec", "scan", "pods", "runningpods", "attach", "portForward", "cri", "pid2pod") and process.args:("*:10250*", "*:10255*"))
)

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK