Potential Kubeletctl Execution on Linux Hosts

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

The kubeletctl tool simplifies access to Kubelet endpoints, potentially allowing attackers to perform discovery and lateral movement within Kubernetes environments. The tool can be used to enumerate pods and nodes, and attempt actions such as exec/attach/portForward. Attackers may run kubeletctl scan to find reachable Kubelet endpoints, then use pods or exec/attach for follow-on access. This activity is typically observed on Linux hosts within containerized environments. Defenders should monitor for the execution of kubeletctl with suspicious arguments or connections to Kubelet ports (commonly 10250/10255).

Attack Chain

Attacker gains initial access to a compromised host within the Kubernetes environment.
Attacker downloads or transfers the kubeletctl binary to the compromised host.
Attacker executes kubeletctl scan to identify accessible Kubelet API endpoints by scanning for open ports 10250 and 10255.
Attacker uses kubeletctl pods to enumerate running pods on a targeted node based on the scan results.
Attacker leverages kubeletctl exec or kubeletctl attach to gain shell access to a pod.
Attacker uses the compromised pod to move laterally within the Kubernetes cluster, potentially accessing sensitive data or resources.
Attacker may attempt to access Kubernetes credentials, such as service account tokens or kubeconfigs, for further privilege escalation.

Impact

Successful exploitation can allow attackers to enumerate pods and nodes, execute commands within containers, and potentially move laterally within the Kubernetes cluster. This could lead to unauthorized access to sensitive data, resource hijacking, or complete compromise of the Kubernetes environment. The CyberArk research cited in the references describes how kubeletctl can be leveraged to attack Kubernetes clusters.

Recommendation

Deploy the Sigma rule Potential Kubeletctl Execution to detect suspicious execution of the kubeletctl binary on Linux hosts, focusing on command-line arguments such as scan, pods, exec, and attach.
Monitor host and container telemetry for connections to Kubelet ports (10250/10255) using a network connection rule and look for scanning patterns across multiple nodes.
Restrict access to Kubelet ports at the network layer and harden Kubelet authentication/authorization based on the recommendations in the provided references.
Rotate/revoke any exposed Kubernetes credentials (service account tokens, kubeconfigs, client certs) and investigate for follow-on discovery or execution attempts.

Kubeletctl Execution Inside Container Detected

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

This rule detects the execution of kubeletctl inside a container. Kubeletctl is a command-line tool that interacts with the Kubelet API directly, making the often undocumented API more accessible. Attackers may use it to enumerate the Kubelet API or other resources within the container, potentially indicating lateral movement within the pod. The detection is based on the “Defend for Containers” integration (version 9.3.0 and later) within the Elastic stack. This activity is significant because kubeletctl can expose pod and node details, enabling actions that facilitate discovery and lateral movement from a compromised container.

Attack Chain

An attacker gains initial access to a container, possibly through a vulnerability in the containerized application or a misconfigured Kubernetes environment.
The attacker executes kubeletctl inside the compromised container. This could be facilitated by the tool being present in the container image or downloaded post-compromise.
The attacker uses kubeletctl scan to discover Kubelet endpoints within the Kubernetes cluster.
The attacker leverages kubeletctl pods or kubeletctl runningpods to enumerate running pods and their details.
The attacker uses the discovered pod information to identify potential targets for lateral movement.
The attacker attempts to use kubeletctl exec or kubeletctl attach to gain access to other pods within the cluster.
The attacker attempts to port forward using kubeletctl portForward to establish connections to services running in other pods.
Upon successful lateral movement, the attacker performs further reconnaissance or deploys malicious payloads to achieve their objectives, such as data exfiltration or denial-of-service.

Impact

Successful execution of kubeletctl within a container can lead to the exposure of sensitive information about the Kubernetes cluster, including pod details and internal network configurations. This can enable attackers to move laterally within the cluster, potentially compromising other applications and data. The impact could range from data breaches and service disruptions to full cluster compromise depending on the attacker’s objectives and the scope of the compromised container’s access.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect the execution of kubeletctl within containers based on process name and arguments.
Monitor container network activity for connections to node addresses on Kubelet ports (commonly 10250/10255) and investigate any suspicious patterns.
Implement network policies to restrict pod-to-node access to the Kubelet API.
Harden container images by removing unnecessary tools like kubeletctl and enforce least privilege principles.
Enable and review Kubernetes audit logs to identify the source of interactive sessions into containers, correlating with timestamps of kubeletctl execution.
Enforce Pod Security Standards to restrict privileged pods and limit node API exposure.

Kubeletctl — CraftedSignal Threat Feed

Potential Kubeletctl Execution on Linux Hosts

Attack Chain

Impact

Recommendation

Kubeletctl Execution Inside Container Detected

Attack Chain

Impact

Recommendation