{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/kubeletctl/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["kubernetes","kubeletctl","container","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe kubeletctl tool simplifies access to Kubelet endpoints, potentially allowing attackers to perform discovery and lateral movement within Kubernetes environments. The tool can be used to enumerate pods and nodes, and attempt actions such as exec/attach/portForward. Attackers may run \u003ccode\u003ekubeletctl scan\u003c/code\u003e to find reachable Kubelet endpoints, then use \u003ccode\u003epods\u003c/code\u003e or \u003ccode\u003eexec/attach\u003c/code\u003e for follow-on access. This activity is typically observed on Linux hosts within containerized environments. 
Defenders should monitor for the execution of kubeletctl with suspicious arguments or connections to Kubelet ports (commonly 10250/10255).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a compromised host within the Kubernetes environment.\u003c/li\u003e\n\u003cli\u003eAttacker downloads or transfers the \u003ccode\u003ekubeletctl\u003c/code\u003e binary to the compromised host.\u003c/li\u003e\n\u003cli\u003eAttacker executes \u003ccode\u003ekubeletctl scan\u003c/code\u003e to identify accessible Kubelet API endpoints by scanning for open ports 10250 and 10255.\u003c/li\u003e\n\u003cli\u003eAttacker uses \u003ccode\u003ekubeletctl pods\u003c/code\u003e to enumerate running pods on a targeted node based on the scan results.\u003c/li\u003e\n\u003cli\u003eAttacker leverages \u003ccode\u003ekubeletctl exec\u003c/code\u003e or \u003ccode\u003ekubeletctl attach\u003c/code\u003e to gain shell access to a pod.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised pod to move laterally within the Kubernetes cluster, potentially accessing sensitive data or resources.\u003c/li\u003e\n\u003cli\u003eAttacker may attempt to access Kubernetes credentials, such as service account tokens or kubeconfigs, for further privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can allow attackers to enumerate pods and nodes, execute commands within containers, and potentially move laterally within the Kubernetes cluster. This could lead to unauthorized access to sensitive data, resource hijacking, or complete compromise of the Kubernetes environment. 
The CyberArk research cited in the references describes how kubeletctl can be leveraged to attack Kubernetes clusters.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential Kubeletctl Execution\u003c/code\u003e to detect suspicious execution of the \u003ccode\u003ekubeletctl\u003c/code\u003e binary on Linux hosts, focusing on command-line arguments such as \u003ccode\u003escan\u003c/code\u003e, \u003ccode\u003epods\u003c/code\u003e, \u003ccode\u003eexec\u003c/code\u003e, and \u003ccode\u003eattach\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor host and container telemetry for connections to Kubelet ports (10250/10255) using a network connection rule and look for scanning patterns across multiple nodes.\u003c/li\u003e\n\u003cli\u003eRestrict access to Kubelet ports at the network layer and harden Kubelet authentication/authorization based on the recommendations in the provided references.\u003c/li\u003e\n\u003cli\u003eRotate/revoke any exposed Kubernetes credentials (service account tokens, kubeconfigs, client certs) and investigate for follow-on discovery or execution attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-kubeletctl-execution/","summary":"This rule detects the execution of kubeletctl, a command-line tool used to interact with the Kubelet API, on Linux hosts, potentially leading to discovery and lateral movement within Kubernetes environments.","title":"Potential Kubeletctl Execution on Linux Hosts","url":"https://feed.craftedsignal.io/briefs/2024-01-kubeletctl-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defend for Containers"],"_cs_severities":["high"],"_cs_tags":["container","kubeletctl","lateral-movement","execution"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis rule 
detects the execution of \u003ccode\u003ekubeletctl\u003c/code\u003e inside a container. Kubeletctl is a command-line tool that interacts with the Kubelet API directly, making the often undocumented API more accessible. Attackers may run it from a compromised container to enumerate the node\u0026rsquo;s Kubelet API and the pods it hosts, a precursor to lateral movement out of the pod and across the cluster. The detection is based on the \u0026ldquo;Defend for Containers\u0026rdquo; integration (version 9.3.0 and later) within the Elastic stack. This activity is significant because \u003ccode\u003ekubeletctl\u003c/code\u003e can expose pod and node details, enabling actions that facilitate discovery and lateral movement from a compromised container.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a container, possibly through a vulnerability in the containerized application or a misconfigured Kubernetes environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ekubeletctl\u003c/code\u003e inside the compromised container. 
This could be facilitated by the tool being present in the container image or downloaded post-compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ekubeletctl scan\u003c/code\u003e to discover Kubelet endpoints within the Kubernetes cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages \u003ccode\u003ekubeletctl pods\u003c/code\u003e or \u003ccode\u003ekubeletctl runningpods\u003c/code\u003e to enumerate running pods and their details.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered pod information to identify potential targets for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to use \u003ccode\u003ekubeletctl exec\u003c/code\u003e or \u003ccode\u003ekubeletctl attach\u003c/code\u003e to gain access to other pods within the cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to port forward using \u003ccode\u003ekubeletctl portForward\u003c/code\u003e to establish connections to services running in other pods.\u003c/li\u003e\n\u003cli\u003eUpon successful lateral movement, the attacker performs further reconnaissance or deploys malicious payloads to achieve their objectives, such as data exfiltration or denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of \u003ccode\u003ekubeletctl\u003c/code\u003e within a container can lead to the exposure of sensitive information about the Kubernetes cluster, including pod details and internal network configurations. This can enable attackers to move laterally within the cluster, potentially compromising other applications and data. 
The impact could range from data breaches and service disruptions to full cluster compromise depending on the attacker\u0026rsquo;s objectives and the scope of the compromised container\u0026rsquo;s access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the execution of \u003ccode\u003ekubeletctl\u003c/code\u003e within containers based on process name and arguments.\u003c/li\u003e\n\u003cli\u003eMonitor container network activity for connections to node addresses on Kubelet ports (commonly 10250/10255), in particular a single pod reaching several node addresses within a short window, which is the footprint of \u003ccode\u003ekubeletctl scan\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement network policies to restrict pod-to-node access to the Kubelet ports so that only components that legitimately call the Kubelet API (for example the metrics pipeline) can reach them.\u003c/li\u003e\n\u003cli\u003eHarden container images by removing unnecessary tools like \u003ccode\u003ekubeletctl\u003c/code\u003e and enforce least privilege principles.\u003c/li\u003e\n\u003cli\u003eEnable and review Kubernetes audit logs to identify the source of interactive sessions into containers, correlating with timestamps of \u003ccode\u003ekubeletctl\u003c/code\u003e execution. Note that requests \u003ccode\u003ekubeletctl\u003c/code\u003e sends directly to the Kubelet bypass the API server and therefore do not appear in its audit log; use the audit log to find the session that got the attacker into the container, and node or container telemetry for the \u003ccode\u003ekubeletctl\u003c/code\u003e activity itself.\u003c/li\u003e\n\u003cli\u003eEnforce Pod Security Standards to restrict privileged and hostNetwork pods, which can reach the node\u0026rsquo;s Kubelet directly, and limit node API exposure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-kubeletctl-container-execution/","summary":"This rule detects the execution of kubeletctl inside a container, which can be used to enumerate the node's Kubelet API and the pods running on it, potentially indicating lateral movement attempts from the pod.","title":"Kubeletctl Execution Inside Container Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-kubeletctl-container-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Kubeletctl","version":"https://jsonfeed.org/version/1.1"}
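Added example (not part of the feed content above, and not code from Elastic, CyberArk or the kubeletctl project): the detection logic both briefs describe, run in Python over constructed telemetry. It covers the first brief's host-level process and network-connection rules and the second brief's in-container execution rule: a kubeletctl invocation carrying a discovery or access subcommand is rated medium on a host and high inside a container, and a source that reaches several node addresses on 10250/10255 within a short window is flagged as a scan rather than as a metrics scraper. The ECS-style field names, the handling of kubeletctl's `-s`/`--server` flag, and every sample event are assumptions constructed for this example.

```python
"""Detection logic for both kubeletctl briefs, run over constructed telemetry.

Added example; not code from the feed, from Elastic, or from the kubeletctl project.
Assumptions: events are dicts keyed by ECS-style field names (process.name,
process.args, container.id, host.name, source.ip, destination.ip, destination.port,
@timestamp); every sample event below is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KUBELET_PORTS = {10250, 10255}          # authenticated API / legacy read-only port
DISCOVERY_SUBCOMMANDS = {"scan", "pods", "runningpods"}
ACCESS_SUBCOMMANDS = {"exec", "attach", "run", "portforward"}   # compared lowercased


def is_kubeletctl_process(event):
    """Match on the process name or a path ending in /kubeletctl, so a copy
    dropped into /tmp still matches as long as the invocation path is recorded."""
    args = event.get("process.args") or []
    argv0 = args[0] if args else ""
    return event.get("process.name") == "kubeletctl" or argv0.endswith("/kubeletctl")


def classify_execution(event):
    """Return an alert for a kubeletctl invocation with a discovery or access
    subcommand, or None (so `kubeletctl --help` and kubectl are ignored)."""
    if not is_kubeletctl_process(event):
        return None
    args = [a.lower() for a in (event.get("process.args") or [])[1:]]
    used = set(args) & (DISCOVERY_SUBCOMMANDS | ACCESS_SUBCOMMANDS)
    if not used:
        return None
    in_container = bool(event.get("container.id"))
    # Assumed: the target node is passed as -s/--server <address>; surface it for triage.
    targets = [args[i + 1] for i, a in enumerate(args[:-1]) if a in ("-s", "--server")]
    return {
        "rule": ("Kubeletctl Execution Inside Container Detected" if in_container
                 else "Potential Kubeletctl Execution"),
        # Execution inside a container, or any exec/attach/run/portForward, is rated high.
        "severity": "high" if in_container or used & ACCESS_SUBCOMMANDS else "medium",
        "host": event.get("host.name"),
        "subcommands": sorted(used),
        "targets": targets,
    }


def detect_kubelet_scan(net_events, min_nodes=3, window=timedelta(minutes=5)):
    """Flag a source that connects to at least min_nodes distinct addresses on a
    Kubelet port within `window`: the footprint of `kubeletctl scan`, as opposed
    to a metrics scraper that talks to a single node."""
    by_source = defaultdict(list)
    for e in net_events:
        if e.get("destination.port") in KUBELET_PORTS:
            by_source[e["source.ip"]].append((e["@timestamp"], e["destination.ip"]))
    alerts = []
    for src, conns in by_source.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):
            nodes = {ip for ts, ip in conns[i:] if ts - start <= window}
            if len(nodes) >= min_nodes:
                alerts.append({"rule": "Kubelet Port Scan", "source.ip": src,
                               "nodes": sorted(nodes), "first_seen": start})
                break   # one alert per source
    return alerts


def run_detections(process_events, net_events):
    """Apply both detections and return the combined alert list."""
    alerts = [a for a in map(classify_execution, process_events) if a]
    return alerts + detect_kubelet_scan(net_events)


T0 = datetime(2024, 1, 2, 12, 0, 0)

# Constructed process-creation events: a scan from inside a container, a host-side
# pod enumeration, a harmless --help, and kubectl (not kubeletctl) for contrast.
SAMPLE_PROCESS_EVENTS = [
    {"@timestamp": T0, "host.name": "node-a", "container.id": "f3a9c2d1",
     "process.name": "kubeletctl", "process.args": ["/tmp/kubeletctl", "scan", "rce"]},
    {"@timestamp": T0 + timedelta(minutes=1), "host.name": "node-a",
     "process.name": "kubeletctl", "process.args": ["kubeletctl", "pods", "-s", "10.0.0.11"]},
    {"@timestamp": T0 + timedelta(minutes=2), "host.name": "node-b",
     "process.name": "kubeletctl", "process.args": ["kubeletctl", "--help"]},
    {"@timestamp": T0 + timedelta(minutes=3), "host.name": "bastion",
     "process.name": "kubectl", "process.args": ["kubectl", "exec", "-it", "web-0", "--", "sh"]},
]

# Constructed network events: one pod sweeping three nodes on 10250 within seconds,
# a metrics scraper touching a single node, and ordinary HTTPS traffic.
SAMPLE_NETWORK_EVENTS = [
    {"@timestamp": T0 + timedelta(seconds=s), "source.ip": "10.244.1.7",
     "destination.ip": "10.0.0.%d" % (10 + i), "destination.port": 10250}
    for i, s in enumerate((0, 4, 9))
] + [
    {"@timestamp": T0, "source.ip": "10.244.2.3", "destination.ip": "10.0.0.10", "destination.port": 10250},
    {"@timestamp": T0, "source.ip": "10.244.1.7", "destination.ip": "10.0.0.10", "destination.port": 443},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print(alert)
```

Running the block prints three alerts: the in-container scan (high), the host-side pod enumeration against 10.0.0.11 (medium), and the sweep of three node addresses from 10.244.1.7; the `--help` invocation, the `kubectl exec`, the single-node scraper and the port 443 connection produce nothing. The scan threshold and window are tuning knobs: raise `min_nodes` in clusters where a monitoring pod legitimately polls every Kubelet, or scope the rule to sources that are not that pod.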