Azure API calls indicating AKS credential retrieval
Description
AlphaSOC detected retrieval of Azure Kubernetes Service (AKS) cluster
credentials via
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action
or
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action.
Both operations return a kubeconfig for the cluster's Kubernetes API. The admin
variant returns a kubeconfig with a static client certificate bound to
cluster-admin, which bypasses Azure AD authentication and Azure RBAC on the
cluster; the user variant returns a kubeconfig that, on an Azure AD-integrated
cluster, still requires an Azure AD sign-in and is subject to Kubernetes RBAC.
Threat actors who compromise an Azure principal holding these permissions (for
example one assigned the built-in Azure Kubernetes Service Cluster Admin Role
or Cluster User Role) can retrieve a kubeconfig to pivot from the control plane
into the Kubernetes environment.
Impact
Retrieved AKS credentials enable direct access to the Kubernetes API of the affected clusters. Admin credentials grant full control over all cluster resources, allowing deployment of malicious workloads, reading of Kubernetes Secrets, and lateral movement within the container environment and to any cloud resources reachable from the nodes. Because the admin kubeconfig is a client certificate rather than a token tied to the Azure identity, disabling or revoking the Azure principal does not revoke cluster access; the certificate stays valid until the cluster's certificates are rotated. User credentials provide more limited access bounded by Kubernetes RBAC, but can still be significant where broad bindings exist.
Severity
| Severity | Condition |
|---|---|
| Low | AKS credential retrieval detected |
| Medium | Anomalous AKS credential retrieval |
Investigation and Remediation
Review the Azure Activity log for the credential retrieval actions. Identify the principal (Caller), its source address (CallerIpAddress), the cluster (ResourceId) and whether the call succeeded, and verify that this aligns with expected operational activity such as CI/CD pipelines or known administrators. Pay particular attention to admin credential retrievals by principals that normally only pull user credentials, retrievals from unfamiliar networks, and bursts across many clusters. Then check for subsequent suspicious Kubernetes API activity in the cluster's audit logs; AKS emits these through diagnostic settings (the kube-audit and kube-audit-admin log categories), so confirm they are enabled for the cluster.
If unauthorized, immediately rotate the cluster certificates (az aks rotate-certs) so that any admin kubeconfig already downloaded stops working, and revoke or reset the compromised Azure principal's credentials and sessions. Review the Kubernetes audit logs for any malicious activity during the exposure period, including new workloads, role bindings and secret reads. To reduce exposure going forward, disable local accounts on the cluster (az aks update --disable-local-accounts), which makes listClusterAdminCredential unusable, and restrict the Cluster Admin and Cluster User role assignments to the principals that need them.
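The triage step above, worked as an added example that is not AlphaSOC's detection code: the script takes Azure Activity log rows exported to Log Analytics (column names of the AzureActivity table), keeps only the terminal record of each credential retrieval, and scores it against a baseline of expected principals and egress networks using the severity table on this page. The baseline, the contoso principals, the resource ID and the log rows are all constructed for the example.

```python
"""Triage AKS credential-retrieval events from exported Azure Activity log rows.

Added example, not AlphaSOC's detection code. Rows are dicts using the column
names of the Log Analytics AzureActivity table (OperationNameValue, Caller,
CallerIpAddress, ResourceId, ActivityStatusValue, TimeGenerated). The sample
rows and the baseline below are constructed for the example.
"""
import ipaddress

ADMIN_OP = "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action".upper()
USER_OP = "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action".upper()

# Assumed baseline (hypothetical): which principals are expected to pull which
# kubeconfig type, and the egress networks they normally come from.
BASELINE = {
    "principals": {
        "ci-deploy@contoso.onmicrosoft.com": {USER_OP},
        "aks-admin@contoso.onmicrosoft.com": {USER_OP, ADMIN_OP},
    },
    "networks": [ipaddress.ip_network("203.0.113.0/24")],
}


def ip_in_baseline(ip, baseline=BASELINE):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # empty or malformed CallerIpAddress
        return False
    return any(addr in net for net in baseline["networks"])


def classify(row, baseline=BASELINE):
    """Return an alert dict for a terminal credential-retrieval record, else None."""
    op = row.get("OperationNameValue", "").upper()
    if op not in (ADMIN_OP, USER_OP):
        return None
    status = row.get("ActivityStatusValue", "")
    if status == "Start":  # each call logs Start plus Success/Failure; count it once
        return None
    caller = row.get("Caller", "")
    ip = row.get("CallerIpAddress", "")
    reasons = []
    expected_ops = baseline["principals"].get(caller)
    if expected_ops is None:
        reasons.append("principal not in baseline")
    elif op not in expected_ops:
        reasons.append("principal not baselined for this credential type")
    if not ip_in_baseline(ip, baseline):
        reasons.append("source IP outside baseline networks")
    return {
        "time": row.get("TimeGenerated", ""),
        "cluster": row.get("ResourceId", "").rsplit("/", 1)[-1],
        "caller": caller,
        "ip": ip,
        "credential": "admin" if op == ADMIN_OP else "user",
        "status": status,
        # Severity table: any retrieval is Low, an anomalous one is Medium.
        "severity": "Medium" if reasons else "Low",
        "reasons": reasons,
    }


def triage(rows, baseline=BASELINE):
    """Classify every row and return alerts, Medium first, then by time."""
    alerts = [a for a in (classify(r, baseline) for r in rows) if a]
    alerts.sort(key=lambda a: (a["severity"] != "Medium", a["time"]))
    return alerts


# Constructed sample rows (not real log data).
CLUSTER = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg"
           "/providers/Microsoft.ContainerService/managedClusters/prod-aks")
ROWS = [
    {"TimeGenerated": "2024-05-02T09:14:03Z", "OperationNameValue": USER_OP,
     "Caller": "ci-deploy@contoso.onmicrosoft.com", "CallerIpAddress": "203.0.113.10",
     "ResourceId": CLUSTER, "ActivityStatusValue": "Start"},
    {"TimeGenerated": "2024-05-02T09:14:05Z", "OperationNameValue": USER_OP,
     "Caller": "ci-deploy@contoso.onmicrosoft.com", "CallerIpAddress": "203.0.113.10",
     "ResourceId": CLUSTER, "ActivityStatusValue": "Success"},
    {"TimeGenerated": "2024-05-02T11:02:40Z", "OperationNameValue": ADMIN_OP,
     "Caller": "jsmith@contoso.onmicrosoft.com", "CallerIpAddress": "198.51.100.77",
     "ResourceId": CLUSTER, "ActivityStatusValue": "Success"},
    {"TimeGenerated": "2024-05-02T11:30:00Z", "OperationNameValue": ADMIN_OP,
     "Caller": "ci-deploy@contoso.onmicrosoft.com", "CallerIpAddress": "203.0.113.10",
     "ResourceId": CLUSTER, "ActivityStatusValue": "Success"},
    {"TimeGenerated": "2024-05-02T11:31:00Z",
     "OperationNameValue": "MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/READ",
     "Caller": "jsmith@contoso.onmicrosoft.com", "CallerIpAddress": "198.51.100.77",
     "ResourceId": CLUSTER, "ActivityStatusValue": "Success"},
]

if __name__ == "__main__":
    for alert in triage(ROWS):
        print(f"{alert['severity']:6} {alert['time']} {alert['cluster']} "
              f"{alert['credential']}-cred by {alert['caller']} from {alert['ip']} "
              f"[{alert['status']}] {'; '.join(alert['reasons']) or 'expected'}")
```

The two Medium alerts are the ones an analyst would pursue first: an unknown principal pulling admin credentials from an unfamiliar address, and a CI principal that normally only pulls user credentials suddenly pulling admin ones. In production the baseline would be learned from historical AzureActivity data rather than hard-coded, and each Medium alert would be followed by a pivot into the cluster's kube-audit logs for the caller's subsequent activity.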