
Summary
This detection rule, named 'Kubeconfig File Discovery', identifies potential unauthorized access to and manipulation of kubeconfig files in Kubernetes environments. The kubeconfig file is essential for managing Kubernetes clusters, and attackers may abuse it to gain initial access to a cluster or move laterally within it. The rule uses EQL (Event Query Language) to monitor process executions that involve kubeconfig files, particularly those launched from common shells (such as bash and zsh) or from world-writable directories. It has a low risk score of 21 and targets Linux systems by filtering process events related to the execution of kubeconfig-related commands or access patterns. Notably, it applies a timestamp override for event ingestion and requires data collected by the Elastic Defend integration running in the Elastic Agent. The rule maps to MITRE ATT&CK technique T1613 (Container and Resource Discovery) under the Discovery tactic.
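The following is an added illustrative re-implementation of the detection idea described above, written for this summary; it is not the rule's own EQL query, which does not appear on this page. It evaluates constructed Linux process-start events and flags those whose command line references a kubeconfig file when the process was launched from a shell or runs out of a world-writable directory. The ECS-style field names (process.args, process.parent.name, process.working_directory, process.executable), the list of shells beyond bash and zsh, the world-writable paths, and the kubeconfig markers are all assumptions chosen for the example.

```python
"""Illustrative approximation of the 'Kubeconfig File Discovery' logic.

Not the rule's actual EQL. Field names mirror ECS keys used by Elastic
Defend process events, but the exact fields and constants the real rule
uses are assumptions made for this example.
"""
from typing import Dict, Iterable, List

# Assumed indicators that an argument refers to a kubeconfig file.
KUBECONFIG_MARKERS = ("kubeconfig", ".kube/config")

# Assumed interactive-shell parents; the page names bash and zsh, the rest are additions.
SHELL_PARENTS = {"bash", "zsh", "sh", "dash", "fish"}

# Assumed world-writable directories commonly used as staging locations.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def references_kubeconfig(args: List[str]) -> bool:
    """True if any command-line argument points at a kubeconfig file."""
    return any(marker in arg for arg in args for marker in KUBECONFIG_MARKERS)


def from_world_writable_dir(event: Dict) -> bool:
    """True if the executable or working directory lives under a world-writable path."""
    candidates = (
        event.get("process.executable", ""),
        event.get("process.working_directory", ""),
    )
    # Normalise so that "/tmp" and "/tmp/" are treated alike, but "/tmpfoo" is not.
    return any((c.rstrip("/") + "/").startswith(WORLD_WRITABLE_DIRS) for c in candidates)


def matches_rule(event: Dict) -> bool:
    """Apply the three conditions: Linux process start, kubeconfig reference,
    and either a shell parent or a world-writable origin."""
    if event.get("host.os.type") != "linux" or event.get("event.type") != "start":
        return False
    if not references_kubeconfig(event.get("process.args", [])):
        return False
    return event.get("process.parent.name") in SHELL_PARENTS or from_world_writable_dir(event)


def scan(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert record per matching event, tagged with the page's
    risk score and ATT&CK technique."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "rule": "Kubeconfig File Discovery",
                "risk_score": 21,
                "technique": "T1613",
                "process": ev.get("process.name"),
                "args": ev.get("process.args"),
            })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # kubeconfig read from an interactive bash shell -> match
        "host.os.type": "linux", "event.type": "start",
        "process.name": "cat", "process.executable": "/usr/bin/cat",
        "process.args": ["cat", "/root/.kube/config"],
        "process.parent.name": "bash", "process.working_directory": "/root",
    },
    {  # binary staged in /tmp passing --kubeconfig explicitly -> match via writable dir
        "host.os.type": "linux", "event.type": "start",
        "process.name": "kubectl", "process.executable": "/tmp/kubectl",
        "process.args": ["kubectl", "--kubeconfig", "/home/dev/kubeconfig.yaml", "get", "pods"],
        "process.parent.name": "python3", "process.working_directory": "/tmp",
    },
    {  # systemd-launched kubelet reading its own config -> no shell, no writable dir -> no match
        "host.os.type": "linux", "event.type": "start",
        "process.name": "kubelet", "process.executable": "/usr/bin/kubelet",
        "process.args": ["kubelet", "--kubeconfig=/etc/kubernetes/kubelet.conf"],
        "process.parent.name": "systemd", "process.working_directory": "/",
    },
    {  # shell child with no kubeconfig reference -> no match
        "host.os.type": "linux", "event.type": "start",
        "process.name": "ls", "process.executable": "/usr/bin/ls",
        "process.args": ["ls", "-la"],
        "process.parent.name": "zsh", "process.working_directory": "/home/dev",
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The third sample event is the kind of benign match a tuning pass has to account for: the kubelet legitimately references a kubeconfig path, so the shell-parent and world-writable-directory conditions are what keep it out of the alert stream. Running the block prints two alerts, for the cat and kubectl events.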
Categories
- Endpoint
- Containers
Data Sources
- Process
ATT&CK Techniques
- T1613
Created: 2025-06-17