Kubectl Configuration Discovery

This rule detects the execution of kubectl commands that are commonly used for configuration discovery in Kubernetes environments. It looks for process events where kubectl is executed with arguments that query configuration information, such as configmaps. In environments where kubectl is not expected to be used, this could indicate potential reconnaissance activity by an adversary.

Rule type: eql
Rule indices:

• logs-endpoint.events.*
• endgame-*
• auditbeat-*
• logs-auditd_manager.auditd-*

Rule Severity: low
Risk Score: 21
Runs every: 60m
Searches indices from: now-119m
Maximum alerts per execution: ?
References:

Tags:

• Domain: Container
• Domain: Endpoint
• Domain: Kubernetes
• OS: Linux
• Use Case: Threat Detection
• Tactic: Discovery
• Rule Type: BBR
• Data Source: Elastic Defend
• Data Source: Elastic Endgame
• Data Source: Auditd Manager

Version: ?
Rule authors:

• Elastic

Rule license: Elastic License v2

process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "executed", "process_started") and
process.name == "kubectl" and process.args in ("get", "describe") and process.args in ("configmap", "configmaps")
		

Framework: MITRE ATT&CK

• Tactic:

  • Name: Discovery
  • Id: TA0007
  • Reference URL: https://attack.mitre.org/tactics/TA0007/

• Technique:

  • Name: Container and Resource Discovery
  • Id: T1613
  • Reference URL: https://attack.mitre.org/techniques/T1613/