[New] Kubernetes Static Pod Manifest File Access

rules/integrations/cloud_defend/persistence_kubernetes_static_pod_manifest_file_creation.toml

@@ -0,0 +1,113 @@
+[metadata]
+creation_date = "2026/05/06"
+integration = ["cloud_defend"]
+maturity = "production"
+min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
+min_stack_version = "9.3.0"
+updated_date = "2026/05/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects creation of YAML files under /etc/kubernetes/manifests on hosts monitored by Elastic Defend for Containers.
+The kubelet watches this directory for static pod manifests, a newly dropped manifest can schedule privileged workloads,
+maintain persistence across kubelet restarts, or tamper with control plane components on affected nodes. Unexpected
+creations should be reviewed alongside process ancestry and cluster context.
+"""
+false_positives = [
+    """
+    Bootstrap tooling (for example kubeadm), configuration management, or approved cluster upgrades may create manifests in
+    this path during planned maintenance. Baseline expected automation identities and tune with process or user exclusions if
+    needed.
+    """,
+]
+from = "now-6m"
+index = ["logs-cloud_defend.file*"]
+interval = "5m"
+language = "kuery"
+license = "Elastic License v2"
+name = "Kubernetes Static Pod Manifest File Creation"
+note = """## Triage and analysis
+
+### Investigating Kubernetes Static Pod Manifest File Creation
+
+Identify the created file.path and timestamp. Map the actor process (process.name, process.args, process.parent), container
+or host context (container.id, orchestrator fields), and whether the session was interactive.
+
+### Possible investigation steps
+
+- Determine whether the node is a control plane or worker and whether manifest creation matches a change window.
+- Compare the manifest content (if captured) to prior versions for added privileged pods, hostPath mounts, or suspicious
+  images.
+- Correlate with Kubernetes audit and node logs for kubelet errors, unauthorized SSH or agent activity, or lateral movement.
+- Review broader file and process telemetry from the same host around the event.
+
+### Response and remediation
+
+- If malicious, remove the unauthorized manifest, isolate the node per incident policy, and rebuild or restore from a
+  trusted image.
+- Rotate credentials and review RBAC for principals that could reach the host filesystem or kubelet.
+
+### Additional information
+
+- [Kubernetes static pods](https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/)
+"""
+references = [
+    "https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/",
+    "https://attack.mitre.org/techniques/T1053/007/",
+]
+risk_score = 47
+rule_id = "cd2686a5-73c5-4a82-ae80-61ef06d65dcc"
+severity = "medium"
+tags = [
+    "Data Source: Elastic Defend for Containers",
+    "Domain: Container",
+    "Domain: Kubernetes",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Persistence",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+event.category:"file" and event.action:"creation" and file.extension:(yaml or yml) and file.path:/etc/kubernetes/manifests/* and 
+not file.name : (etcd.yaml or kube-apiserver.yaml or kube-scheduler.yaml or kube-controller-manager.yaml or etcd.yml or kube-apiserver.yml or kube-scheduler.yml or kube-controller-manager.yml)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1053"
+name = "Scheduled Task/Job"
+reference = "https://attack.mitre.org/techniques/T1053/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1053.007"
+name = "Container Orchestration Job"
+reference = "https://attack.mitre.org/techniques/T1053/007/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1543.005"
+name = "Container Service"
+reference = "https://attack.mitre.org/techniques/T1543/005/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"

rules/linux/persistence_kubernetes_static_pod_manifest_path_process_execution.toml

@@ -0,0 +1,131 @@
+[metadata]
+creation_date = "2026/05/06"
+integration = ["endpoint", "auditd_manager"]
+maturity = "production"
+updated_date = "2026/05/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects Linux process executions where shells, editors, interpreters, or file/stream utilities reference
+/etc/kubernetes/manifests in process arguments. That directory holds static pod manifests read by the kubelet;
+interaction via editors, downloaders, kubectl, redirection helpers (tee, dd), or scripting runtimes may indicate
+staging or tampering with manifests for persistence or privileged workload placement. Pairs with file-telemetry rules
+that flag direct manifest creation on container workloads.
+"""
+false_positives = [
+    """
+    Cluster provisioning (kubeadm), configuration management, or administrators editing manifests during maintenance may
+    match. Baseline approved automation and interactive admin sessions on control plane nodes.
+    """,
+]
+from = "now-9m"
+index = ["auditbeat-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Kubernetes Static Pod Manifest File Access"
+note = """## Triage and analysis
+
+### Investigating Kubernetes Static Pod Manifest File Access
+
+Review the full command line (process.args, process.command_line), user.id, user.name, process.parent, and whether the
+session was interactive. Confirm if the host is a Kubernetes node or admin jump host where manifest edits are expected.
+
+### Possible investigation steps
+
+- Compare activity to change windows and identity baselines; prioritize events without matching change tickets.
+- Inspect subsequent process and file events on the same host for writes under /etc/kubernetes/manifests or kubelet
+  restarts.
+- Correlate with Kubernetes audit logs and node/agent telemetry for related compromise indicators.
+
+### Response and remediation
+
+- If unauthorized, restore manifests from known-good sources, isolate the host, and review cluster integrity per incident
+  policy.
+"""
+references = [
+    "https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/",
+    "https://attack.mitre.org/techniques/T1053/007/",
+]
+risk_score = 47
+rule_id = "a698a653-e144-4e40-bade-35135935be45"
+setup = """## Setup
+
+Requires **Elastic Defend** and/or **Auditd Manager** process telemetry (`logs-endpoint.events.process*`,
+`logs-auditd_manager.auditd-*`, `auditbeat-*`) with command-line argument capture for exec events.
+
+### Elastic Defend
+Install the Elastic Defend integration via Fleet on Linux hosts and use a policy that collects process events with
+arguments.
+
+### Auditd Manager
+Deploy Auditd Manager and ensure execve (or equivalent process) auditing is enabled so `process.args` and
+`process.executable` populate for monitored binaries.
+
+See https://docs.elastic.co/integrations/auditd_manager
+"""
+severity = "medium"
+tags = [
+    "Data Source: Auditd Manager",
+    "Data Source: Elastic Defend",
+    "Domain: Endpoint",
+    "Domain: Kubernetes",
+    "Domain: Container",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Persistence",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+host.os.type:linux and event.category:process and event.action:(exec or executed) and 
+process.name:(
+  bash or sh or dash or zsh or 
+  cat or cp or mv or touch or tee or dd or
+  sed or awk or 
+  curl or wget or scp or
+  vi or vim or nano or echo or
+  busybox or
+  python* or perl* or ruby* or node or lua* or
+  openssl or base64 or xxd or
+  .*) and 
+  process.args:(*/etc/kubernetes/manifests/* and not (/etc/kubernetes/manifests/etcd* or /etc/kubernetes/manifests/kube-apiserver* or /etc/kubernetes/manifests/kube-scheduler* or /etc/kubernetes/manifests/kube-controller-manager*))
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1053"
+name = "Scheduled Task/Job"
+reference = "https://attack.mitre.org/techniques/T1053/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1053.007"
+name = "Container Orchestration Job"
+reference = "https://attack.mitre.org/techniques/T1053/007/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1543.005"
+name = "Container Service"
+reference = "https://attack.mitre.org/techniques/T1543/005/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"