{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/kubelet/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["kubelet","Elastic Defend","auditd_manager"],"_cs_severities":["medium"],"_cs_tags":["kubernetes","lateral-movement","kubelet","linux","container"],"_cs_type":"advisory","_cs_vendors":["Elastic","Kubernetes"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious network connections to the Kubernetes Kubelet API, specifically targeting ports 10250 and 10255, from Linux hosts within internal network ranges. Attackers frequently exploit weak authentication or network controls to access the Kubelet API, potentially enabling them to enumerate pods, retrieve logs, and execute commands on nodes. This activity often originates from common scripting utilities like \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, or interpreters like \u003ccode\u003epython\u003c/code\u003e and \u003ccode\u003enode\u003c/code\u003e, particularly when executed from world-writable directories such as \u003ccode\u003e/tmp\u003c/code\u003e, \u003ccode\u003e/var/tmp\u003c/code\u003e, or \u003ccode\u003e/dev/shm\u003c/code\u003e. This technique is often a component of container and cluster lateral movement, where the attacker seeks to expand their access within the Kubernetes environment. The rule is designed to detect these unauthorized attempts and alert security teams to investigate potential breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised container or host within the Kubernetes cluster, potentially through exploiting a vulnerability in a running application.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a reconnaissance command, such as \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e, from within the compromised container, targeting the Kubelet API on port 10250 or 10255.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e command is executed from a temporary directory like \u003ccode\u003e/tmp\u003c/code\u003e or \u003ccode\u003e/dev/shm\u003c/code\u003e to avoid detection.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enumerate running pods and services by querying the \u003ccode\u003e/pods\u003c/code\u003e or \u003ccode\u003e/runningpods\u003c/code\u003e endpoints of the Kubelet API.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker identifies a target pod within the cluster based on the enumerated information.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the Kubelet API to execute commands within the target pod, potentially escalating privileges or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other nodes or containers within the Kubernetes cluster, repeating the reconnaissance and exploitation steps.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to gain control over the entire Kubernetes cluster, enabling data exfiltration, resource hijacking, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the Kubelet API can lead to a complete compromise of the Kubernetes cluster. Attackers can gain unauthorized access to sensitive data, escalate privileges, and disrupt critical services. While the number of victims may vary depending on the organization\u0026rsquo;s security posture, a successful attack could impact all applications and data managed by the cluster. Organizations in any sector utilizing Kubernetes are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable syscall auditing and ensure that \u003ccode\u003eevent.category:network\u003c/code\u003e events are generated for network connections, as outlined in the rule\u0026rsquo;s setup guide.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune it based on your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eRestrict pod-to-node access to port 10250 using network policies or security groups to limit the attack surface, as noted in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eImplement Kubernetes API audit logging to detect unauthorized access attempts and credential access, correlating with process argument telemetry as mentioned in the triage steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-kubelet-api-connection/","summary":"The rule detects network connection attempts to the Kubernetes Kubelet API ports 10250 and 10255 on internal IP ranges from Linux hosts, indicating potential lateral movement within container and cluster environments.","title":"Kubelet API Connection Attempt to Internal IP","url":"https://feed.craftedsignal.io/briefs/2024-01-kubelet-api-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Auditbeat","Auditd Manager","Docker","containerd","kubelet"],"_cs_severities":["medium"],"_cs_tags":["container","privilege-escalation","lateral-movement","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic","Docker","Kubernetes"],"content_html":"\u003cp\u003eThis threat involves unauthorized processes connecting directly to container runtime sockets (Docker or Containerd) on Linux systems. This bypasses Kubernetes API server restrictions, potentially allowing attackers to create, execute, or manipulate containers without proper authorization or logging. The risk lies in attackers circumventing RBAC, admission webhooks, and pod security standards. The attack can start when a compromised process attempts to connect to the Docker or Containerd socket, potentially leading to privilege escalation and lateral movement within the containerized environment. This attack is significant because it undermines core security controls within container orchestration platforms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious or compromised process gains initial access to the host system.\u003c/li\u003e\n\u003cli\u003eThe process attempts to connect to the container runtime socket (e.g., \u003ccode\u003e/var/run/docker.sock\u003c/code\u003e or \u003ccode\u003e/run/containerd/containerd.sock\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe process bypasses the Kubernetes API server and associated security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the direct socket connection to create a new container.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive data or resources within the container.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the compromised container.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised container to move laterally to other containers or hosts within the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass Kubernetes security measures, create unauthorized containers, and potentially gain control over the entire cluster. The observed impact includes privilege escalation, lateral movement, and data exfiltration. The severity of this attack depends on the level of access granted to the compromised container and the sensitivity of the data and resources within the cluster.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Auditd Manager to capture network and socket events, specifically monitoring for \u003ccode\u003econnect\u003c/code\u003e calls to Unix sockets as described in the \u003ca href=\"https://docs.elastic.co/integrations/auditd_manager\"\u003eAuditd Manager documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Unusual Process Connecting to Docker or Containerd Socket\u0026rdquo; to detect suspicious processes connecting to container runtime sockets, tuning \u003ccode\u003eprocess.executable\u003c/code\u003e and \u003ccode\u003euser.name\u003c/code\u003e for known legitimate processes.\u003c/li\u003e\n\u003cli\u003eMonitor file permissions on the socket paths (\u003ccode\u003e/var/run/docker.sock\u003c/code\u003e, \u003ccode\u003e/run/docker.sock\u003c/code\u003e, \u003ccode\u003e/var/run/containerd/containerd.sock\u003c/code\u003e, \u003ccode\u003e/run/containerd/containerd.sock\u003c/code\u003e) and restrict access to trusted groups only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-unusual-container-socket-connection/","summary":"An unusual process connecting to a container runtime Unix socket like Docker or Containerd can indicate an attacker attempting to bypass Kubernetes security measures for container manipulation.","title":"Unusual Process Connecting to Docker or Containerd Socket","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-container-socket-connection/"}],"language":"en","title":"CraftedSignal Threat Feed — Kubelet","version":"https://jsonfeed.org/version/1.1"}