LoFP / Cluster provisioning (kubeadm), configuration management, or administrators editing manifests during maintenance may match. Baseline approved automation and interactive admin sessions on control plane nodes.

Techniques

Sample rules

Kubernetes Static Pod Manifest File Access

Description

Detects Linux process executions where shells, editors, interpreters, or file/stream utilities reference /etc/kubernetes/manifests in process arguments. That directory holds static pod manifests read by the kubelet; interaction via editors, downloaders, kubectl, redirection helpers (tee, dd), or scripting runtimes may indicate staging or tampering with manifests for persistence or privileged workload placement. Pairs with file-telemetry rules that flag direct manifest creation on container workloads.

Detection logic

host.os.type:linux and event.category:process and event.action:(exec or executed) and 
process.name:(
  bash or sh or dash or zsh or 
  cat or cp or mv or touch or tee or dd or
  sed or awk or 
  curl or wget or scp or
  vi or vim or nano or echo or
  busybox or
  python* or perl* or ruby* or node or lua* or
  openssl or base64 or xxd or
  .*) and 
  process.args:(*/etc/kubernetes/manifests/* and not (/etc/kubernetes/manifests/etcd* or /etc/kubernetes/manifests/kube-apiserver* or /etc/kubernetes/manifests/kube-scheduler* or /etc/kubernetes/manifests/kube-controller-manager*))
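As an added example (not code from the LoFP page or from the rule's author), the query above is re-implemented in Python and run over constructed process events, so the include/exclude behaviour on `process.args` can be checked offline. The `APPROVED_PARENTS` set is an assumption standing in for the baseline of approved automation the page recommends; `process.parent.name` is the ECS field for the parent process name.

```python
from fnmatch import fnmatchcase

# Patterns from the rule's process.name clause (KQL "*" is a wildcard;
# ".*" therefore matches names beginning with a dot, as written in the rule).
PROCESS_NAMES = [
    "bash", "sh", "dash", "zsh",
    "cat", "cp", "mv", "touch", "tee", "dd",
    "sed", "awk",
    "curl", "wget", "scp",
    "vi", "vim", "nano", "echo",
    "busybox",
    "python*", "perl*", "ruby*", "node", "lua*",
    "openssl", "base64", "xxd",
    ".*",
]

# Argument patterns from the rule: any arg may match the include pattern,
# but no arg may match one of the control-plane manifest exclusions.
ARG_INCLUDE = "*/etc/kubernetes/manifests/*"
ARG_EXCLUDE = [
    "/etc/kubernetes/manifests/etcd*",
    "/etc/kubernetes/manifests/kube-apiserver*",
    "/etc/kubernetes/manifests/kube-scheduler*",
    "/etc/kubernetes/manifests/kube-controller-manager*",
]

# Assumed baseline (not from the page): parents that count as approved automation.
APPROVED_PARENTS = {"ansible-playbook", "puppet", "chef-client", "kubeadm"}


def rule_matches(event: dict) -> bool:
    """Evaluate the detection logic against one flat ECS-style event."""
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.category") != "process":
        return False
    if event.get("event.action") not in ("exec", "executed"):
        return False
    name = event.get("process.name", "")
    if not any(fnmatchcase(name, p) for p in PROCESS_NAMES):
        return False
    args = event.get("process.args", [])
    if not any(fnmatchcase(a, ARG_INCLUDE) for a in args):
        return False
    if any(fnmatchcase(a, p) for a in args for p in ARG_EXCLUDE):
        return False
    return True


def triage(event: dict) -> str:
    """'no-match', 'baseline' (rule hit from approved automation) or 'alert'."""
    if not rule_matches(event):
        return "no-match"
    if event.get("process.parent.name") in APPROVED_PARENTS:
        return "baseline"
    return "alert"


def _ev(name, args, parent, os_type="linux"):
    return {
        "host.os.type": os_type,
        "event.category": "process",
        "event.action": "exec",
        "process.name": name,
        "process.args": args,
        "process.parent.name": parent,
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = {
    # Config management dropping a custom static pod: rule hits, baseline suppresses.
    "config-mgmt-copy": _ev("cp", ["cp", "/tmp/agent.yaml",
                                   "/etc/kubernetes/manifests/agent.yaml"],
                            "ansible-playbook"),
    # Editing a core control-plane manifest is excluded by the rule itself.
    "admin-edit-apiserver": _ev("vim", ["vim",
                                        "/etc/kubernetes/manifests/kube-apiserver.yaml"],
                                "bash"),
    # Interactive shell reading a non-core manifest: rule hits, no baseline.
    "interactive-cat": _ev("cat", ["cat", "/etc/kubernetes/manifests/agent.yaml"], "bash"),
    # Scripting runtime with the path embedded mid-argument: leading "*" still matches.
    "python-write": _ev("python3", ["python3", "-c",
                                    "open('/etc/kubernetes/manifests/x.yaml','w')"],
                        "bash"),
    # Wrong OS type: never evaluated further.
    "non-linux": _ev("cat", ["cat", "/etc/kubernetes/manifests/agent.yaml"],
                     "bash", os_type="darwin"),
}


def run_samples() -> dict:
    """Map each sample label to its triage outcome."""
    return {label: triage(ev) for label, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, outcome in run_samples().items():
        print(f"{label:22s} {outcome}")
```

Note that the exclusions carry no leading wildcard, so they only suppress arguments that begin exactly with the control-plane manifest path; an argument such as `cat /etc/kubernetes/manifests/kube-apiserver.yaml` passed as one string would still match the include pattern, which is worth keeping in mind when tuning.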