Cluster operators and node diagnostics may legitimately probe kubelet endpoints (for example /pods or /metrics) during troubleshooting. Validate the initiating user, session, and whether the target node/IP is expected for the host.

Techniques

Sample rules

Potential Direct Kubelet Access via Process Arguments

Description

Detects potential direct Kubelet API access attempts on Linux by identifying process executions whose arguments contain URLs targeting Kubelet ports (10250/10255). Adversaries may probe or access Kubelet endpoints to enumerate pods, fetch logs, or attempt remote execution, which can enable discovery and lateral movement in Kubernetes environments.

Detection logic

process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "executed") and
(
  /* direct utility execution */
  process.name like ("curl", "wget", "python*", "perl*", "php*", "node*", "java", "ruby*", "lua*", ".*") or

  process.executable like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/home/*", "/run/user/*", "/busybox/*")
) and
process.args like ("http*:10250/*", "http*:10255/*", "wss:*:10250/*", "wss:*:10255/*")
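To make the rule's two-part logic concrete, here is an added Python re-implementation (not Elastic's or LoFP's code) that evaluates the same conditions over constructed process-start events and then applies the triage the false-positive note above asks for: is the initiating user a known operator, and is the kubelet host in the URL an expected node for this host? Assumptions: EQL `like` is approximated with `fnmatchcase` (case-sensitive glob, matching EQL's `like`; `like~` would be the case-insensitive form), `like` against the `process.args` array matches if any element matches, the `user.name` field carries the initiating user, and the `expected_nodes` / `allowed_users` inputs stand in for whatever inventory a team actually keeps.

```python
"""Re-implementation of the kubelet-access EQL rule plus LoFP-style triage.
Added example; not the detection engine's or Elastic's code."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Pattern lists copied from the rule's three `like` clauses.
UTILITY_NAMES = ("curl", "wget", "python*", "perl*", "php*", "node*",
                 "java", "ruby*", "lua*", ".*")
SUSPICIOUS_PATHS = ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*",
                    "/home/*", "/run/user/*", "/busybox/*")
KUBELET_URL_PATTERNS = ("http*:10250/*", "http*:10255/*",
                        "wss:*:10250/*", "wss:*:10255/*")


def _like_any(value, patterns):
    """Approximates EQL `like (...)`: case-sensitive glob, any pattern may hit."""
    return any(fnmatchcase(value, p) for p in patterns)


def matches_rule(event):
    """True when the event satisfies every clause of the EQL rule."""
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.type") != "start":
        return False
    if event.get("event.action") not in ("exec", "executed"):
        return False
    # Either a known fetch/scripting utility OR a binary from a writable path.
    name_hit = _like_any(event.get("process.name", ""), UTILITY_NAMES)
    path_hit = _like_any(event.get("process.executable", ""), SUSPICIOUS_PATHS)
    if not (name_hit or path_hit):
        return False
    # `like` on an array field matches if any element matches (assumption).
    return any(_like_any(arg, KUBELET_URL_PATTERNS)
               for arg in event.get("process.args", []))


def kubelet_targets(event):
    """Hosts (IP or name) extracted from the kubelet URLs in process.args."""
    return [urlsplit(arg).hostname
            for arg in event.get("process.args", [])
            if _like_any(arg, KUBELET_URL_PATTERNS)]


def triage(event, expected_nodes, allowed_users):
    """Apply the false-positive guidance: known operator AND expected node
    -> 'suppress'; anything else -> 'escalate'."""
    targets = kubelet_targets(event)
    user_ok = event.get("user.name") in allowed_users
    nodes_ok = bool(targets) and all(t in expected_nodes for t in targets)
    return "suppress" if user_ok and nodes_ok else "escalate"


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = {
    "operator_curl": {
        "host.os.type": "linux", "event.type": "start", "event.action": "exec",
        "process.name": "curl", "process.executable": "/usr/bin/curl",
        "process.args": ["curl", "-k", "https://10.0.0.5:10250/pods"],
        "user.name": "kube-operator",
    },
    "hidden_tmp_binary": {
        "host.os.type": "linux", "event.type": "start", "event.action": "executed",
        "process.name": ".x", "process.executable": "/tmp/.x",
        "process.args": ["/tmp/.x", "http://10.0.0.7:10255/pods"],
        "user.name": "www-data",
    },
    "curl_not_kubelet": {
        "host.os.type": "linux", "event.type": "start", "event.action": "exec",
        "process.name": "curl", "process.executable": "/usr/bin/curl",
        "process.args": ["curl", "https://example.com/"],
        "user.name": "kube-operator",
    },
    "bash_from_usr_bin": {  # kubelet URL present, but neither utility nor path clause hits
        "host.os.type": "linux", "event.type": "start", "event.action": "exec",
        "process.name": "bash", "process.executable": "/usr/bin/bash",
        "process.args": ["bash", "-c", "http://10.0.0.5:10250/pods"],
        "user.name": "root",
    },
}

EXPECTED_NODES = {"10.0.0.5"}          # constructed inventory for this host
ALLOWED_USERS = {"kube-operator"}      # constructed operator allowlist


def run_demo():
    """Returns {label: (matched, triage_verdict_or_None)} for the samples."""
    out = {}
    for label, ev in SAMPLE_EVENTS.items():
        hit = matches_rule(ev)
        out[label] = (hit, triage(ev, EXPECTED_NODES, ALLOWED_USERS) if hit else None)
    return out


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label:20s} matched={result[0]} triage={result[1]}")
```

The `bash_from_usr_bin` sample is the instructive one: the rule deliberately requires a fetch utility or a writable-path executable in addition to the kubelet URL, so a shell invoked from `/usr/bin` with the URL in its arguments does not fire, which keeps alert volume down but also means the triage step should look at what the shell subsequently spawns.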