LoFP / Administrators or developers may execute kubeletctl during legitimate troubleshooting or incident response to validate Kubelet API connectivity or enumerate pods. Confirm the user, session and change window before escalating.

Techniques

Sample rules

Potential Kubeletctl Execution

Description

Detects the execution of kubeletctl on Linux hosts. kubeletctl is a command-line tool for interacting directly with the Kubelet API; it simplifies access to Kubelet endpoints (pod listing, command execution in running containers, and similar) that can be used for discovery and, in some cases, lateral movement within Kubernetes environments.

Detection logic

process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "executed") and 
(
  process.name == "kubeletctl" or
  (process.args in ("run", "exec", "scan", "pods", "runningpods", "attach", "portForward", "cri", "pid2pod") and process.args:("*:10250*", "*:10255*"))
)
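The detection logic above, re-implemented as a Python predicate and run over a few constructed ECS-style process events, so the reader can see which command lines the rule matches and which it does not. This is an added example, not code from the LoFP page or from Elastic; the event values (hosts, user names, timestamps, command lines) are made up, and the `make_event`, `run_rule` and `triage_fields` helpers are illustrative names, not rule-engine APIs.

```python
"""Added example: a pure-Python mirror of the EQL rule 'Potential Kubeletctl
Execution', evaluated over constructed ECS-style process start events."""
import fnmatch

# Subcommands and port patterns copied from the rule's second branch.
KUBELETCTL_SUBCOMMANDS = {"run", "exec", "scan", "pods", "runningpods",
                          "attach", "portForward", "cri", "pid2pod"}
# 10250 is the kubelet API port, 10255 the (deprecated) read-only port.
KUBELET_PORT_PATTERNS = ("*:10250*", "*:10255*")


def matches_rule(event):
    """Return True when the event satisfies the EQL predicate:
    linux host, process start via exec/executed, and either the process is
    literally named kubeletctl or its args carry a kubeletctl subcommand AND
    an argument that names a kubelet port."""
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.type") != "start":
        return False
    if event.get("event.action") not in ("exec", "executed"):
        return False
    if event.get("process.name") == "kubeletctl":  # EQL == is case-sensitive
        return True
    args = event.get("process.args", [])
    # EQL `field in (...)` on an array field is true when any element equals a value.
    has_subcommand = any(a in KUBELETCTL_SUBCOMMANDS for a in args)
    # EQL `field : ("*a*", "*b*")` is a case-insensitive wildcard match on any element.
    has_kubelet_port = any(fnmatch.fnmatchcase(a.lower(), pat.lower())
                           for a in args for pat in KUBELET_PORT_PATTERNS)
    return has_subcommand and has_kubelet_port


def make_event(args, os_type="linux", event_type="start", action="exec",
               user="root", host="worker-03", ts="2024-05-01T10:15:00Z"):
    """Build a constructed ECS-style event (hypothetical values for the demo)."""
    return {
        "@timestamp": ts,
        "host.name": host,
        "host.os.type": os_type,
        "event.type": event_type,
        "event.action": action,
        "process.name": args[0],
        "process.args": list(args),
        "process.command_line": " ".join(args),
        "user.name": user,
    }


# Constructed sample telemetry; comments state the expected outcome.
SAMPLE_EVENTS = [
    # 1. Straight invocation by name: matches on process.name alone.
    make_event(["kubeletctl", "pods", "--server", "10.0.1.20"], user="alice"),
    # 2. Renamed binary: caught by subcommand plus kubelet port in the args.
    make_event(["kctl", "pods", "--server", "https://10.0.1.20:10250"], user="svc-ci"),
    # 3. Renamed binary using portForward against the read-only port.
    make_event(["kctl", "portForward", "-s", "node1.internal:10255"]),
    # 4. curl to the same endpoint: has the port but no listed subcommand -> no match.
    make_event(["curl", "-k", "https://10.0.1.20:10250/pods"]),
    # 5. Ordinary kubectl exec: "exec" is listed, but no kubelet port -> no match.
    make_event(["kubectl", "exec", "-it", "web-0", "--", "sh"]),
    # 6. Same tool on a non-Linux host: excluded by host.os.type.
    make_event(["kubeletctl", "scan", "rce"], os_type="windows"),
    # 7. Process end event rather than a start: excluded by event.type.
    make_event(["kubeletctl", "runningpods"], event_type="end", action="end"),
]


def run_rule(events):
    """Return the command lines of the events the rule fires on."""
    return [e["process.command_line"] for e in events if matches_rule(e)]


def triage_fields(event):
    """The fields the LoFP note says to confirm before escalating:
    who ran it, where, when (against the change window), and what exactly."""
    return {k: event[k] for k in
            ("@timestamp", "host.name", "user.name", "process.command_line")}


if __name__ == "__main__":
    for cmd in run_rule(SAMPLE_EVENTS):
        print("ALERT:", cmd)
    print("triage:", triage_fields(SAMPLE_EVENTS[0]))
```

Events 4 and 5 show the rule's scope: a raw curl to the kubelet port and an ordinary kubectl exec do not fire, which keeps false positives down but also means a renamed kubeletctl binary is only caught when it is run with one of the listed subcommands and a kubelet port appears in its arguments. The triage fields are exactly what the false-positive note above asks an analyst to confirm.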