Kubernetes Pod Exec with Curl or Wget to HTTPS
editKubernetes Pod Exec with Curl or Wget to HTTPS
editDetects pod or attach exec API calls where the decoded request query implies curl or wget fetching an https URL. Attackers with permission to exec into workloads often run one-liners to stage tooling, pull scripts or binaries, or exfiltrate data over HTTPS—activity that should be rare compared to shells, debuggers, or expected health checks. The rule decodes the audit requestURI, reconstructs a readable command string from repeated command parameters, and applies noise filters for common cluster health and OIDC/JWKS endpoints so benign automation is less likely to alert.
Rule type: esql
Rule indices: None
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Data Source: Kubernetes
- Domain: Kubernetes
- Use Case: Threat Detection
- Tactic: Execution
- Tactic: Command and Control
- Resources: Investigation Guide
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editTriage and analysis
Investigating Kubernetes Pod Exec with Curl or Wget to HTTPS
Kubernetes audit logs record exec (and similar attach) calls on requestURI, including URL-encoded command segments. This rule URL-decodes the URI, extracts the query portion into a single string, and flags curl or wget combined with https, excluding several ommon health, localhost, and OIDC/JWKS patterns.
Possible investigation steps
- Confirm who may exec into the target namespace: review kubernetes.audit.user.username, groups, impersonation, and source.ip / user_agent.original (kubectl, CI, webhooks).
- Map the pod (kubernetes.audit.objectRef.name) and workload owner; retrieve the exact decoded URI from Esql.decoded_uri and the reconstructed Esql.command in the alert.
- Search for adjacent audit events from the same identity: secret reads, additional execs, RBAC changes, or anonymous access.
-
If malicious, revoke credentials used for exec, review RoleBindings for
pods/exec, and inspect the pod filesystem or snapshot for dropped artifacts.
False positive analysis
- Approved runbooks or support sessions may use kubectl exec with curl/wget to test egress or download vendor tools; document break-glass identities and tune exclusions.
- Some cluster components use HTTPS to kubernetes.default.svc or .well-known endpoints; the rule attempts to filter those—expand the exclusion list if your platform uses additional first-party URLs.
Response and remediation
-
Rotate any secrets accessible from the pod, cordon or delete the workload if compromised, and tighten RBAC so only
required principals retain
pods/execon sensitive namespaces.
Rule query
editFROM logs-kubernetes.audit_logs-* metadata _id, _index, _version
| WHERE kubernetes.audit.objectRef.subresource == "exec"
AND kubernetes.audit.requestURI LIKE "*command=*"
| EVAL decoded_uri = URL_DECODE(kubernetes.audit.requestURI)
| GROK decoded_uri "%{DATA}/exec\\?%{DATA:raw_commands}&(?:container|stdin|stdout|stderr)=%{GREEDYDATA}"
| EVAL command = REPLACE(raw_commands, "command=", "")
| EVAL command = REPLACE(command, "&", " ")
| EVAL Esql.executed_command = REPLACE(command, "\\+", " ")
| WHERE Esql.executed_command IS NOT NULL
AND Esql.executed_command RLIKE """.*(curl.*https|wget.*https).*"""
AND NOT Esql.executed_command RLIKE """.*(/api/v1/health|/healthz|/readyz|/livez|127\.0\.0\.1|localhost|/openid/v1/jwks|/openid-connect/certs|/.well-known/openid-configuration|/.well-known/jwks\.json|kubernetes\.default\.svc).*"""
| KEEP *
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Container Administration Command
- ID: T1609
- Reference URL: https://attack.mitre.org/techniques/T1609/
-
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
-
Technique:
- Name: Ingress Tool Transfer
- ID: T1105
- Reference URL: https://attack.mitre.org/techniques/T1105/