Azure AKS credential enumeration
Description
AlphaSOC detected excessive AKS cluster credential retrieval across multiple
clusters within a short time window. This detection triggers when credentials
are retrieved from many distinct clusters within short timeframes via
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action
or
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action.
This pattern may indicate automated enumeration, reconnaissance, or credential
harvesting activities by a threat actor.
Impact
Credential enumeration across multiple clusters suggests a threat actor is systematically gathering access to Kubernetes environments. This could enable widespread compromise across the organization's container infrastructure, allowing data exfiltration, deployment of malicious workloads, or disruption of services across multiple clusters simultaneously.
Severity
| Severity | Condition |
|---|---|
| Medium | Credentials retrieved from many clusters within a short timeframe |
Investigation and Remediation
Review Azure Activity logs to identify all clusters targeted by the credential retrieval activity. Examine the principal responsible and determine whether this access pattern is consistent with their role. Legitimate operations rarely require accessing multiple cluster credentials in rapid succession.
If unauthorized, rotate credentials for all affected clusters immediately. Review Kubernetes audit logs across all targeted clusters for signs of compromise. Rotate the compromised Azure identity credentials and implement stricter RBAC controls limiting which principals can retrieve cluster credentials.
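As an added illustration of the pattern described above and of the Activity log review the remediation step calls for (example code written for this page, not AlphaSOC's detection logic or an Azure SDK call), the Python below takes flattened Activity log records with the fields caller, operationName, resourceId and eventTimestamp, slides a time window over each caller's credential operations, and returns every caller that touched a threshold number of distinct clusters together with the cluster list an analyst would review. The window, threshold, field names and sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The two operations named in the detection description.
CREDENTIAL_OPERATIONS = {
    "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
    "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
}

def find_credential_enumeration(events, window=timedelta(minutes=10), min_clusters=5):
    """Map caller -> sorted cluster ids for callers that pulled credentials from
    >= min_clusters distinct clusters within any span of length window (thresholds
    here are assumptions, not AlphaSOC's tuned values)."""
    hits_by_caller = defaultdict(list)
    for ev in events:
        if ev["operationName"] not in CREDENTIAL_OPERATIONS:
            continue  # reads, scaling and other operations never count
        ts = datetime.fromisoformat(ev["eventTimestamp"])
        # Azure resource IDs are case-insensitive: normalise so one cluster is counted once.
        hits_by_caller[ev["caller"]].append((ts, ev["resourceId"].lower()))
    flagged = {}
    for caller, hits in hits_by_caller.items():
        hits.sort()  # slide a time window over the caller's events
        for i, (start, _) in enumerate(hits):
            clusters = {rid for ts, rid in hits[i:] if ts - start <= window}
            if len(clusters) >= min_clusters:
                flagged[caller] = sorted(clusters)
                break
    return flagged

# Constructed sample events carrying only the Activity log fields the logic needs;
# the subscription id, resource group and cluster names are placeholders.
_RID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod"
        "/providers/Microsoft.ContainerService/managedClusters/{}")
_ADMIN_OP = "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"
_BASE = datetime(2024, 5, 1, 10, 0, 0)

def _event(caller, op, cluster, offset):
    return {"caller": caller, "operationName": op, "resourceId": _RID.format(cluster),
            "eventTimestamp": (_BASE + offset).isoformat()}

SAMPLE_EVENTS = (
    # One principal pulls admin kubeconfigs from six clusters inside two minutes.
    [_event("automation-sp", _ADMIN_OP, f"aks-{i}", timedelta(seconds=20 * i)) for i in range(6)]
    # An operator touches two clusters an hour apart: below threshold.
    + [_event("ops-admin", _ADMIN_OP, "aks-0", timedelta(0)),
       _event("ops-admin", _ADMIN_OP, "aks-1", timedelta(hours=1)),
       # Unrelated read operation on a third cluster, never counted.
       _event("ops-admin", "Microsoft.ContainerService/managedClusters/read", "aks-2", timedelta(minutes=1))]
)
```

Running `find_credential_enumeration(SAMPLE_EVENTS)` flags only `automation-sp` with six clusters; the returned cluster list is the set to scope the kubeconfig rotation and Kubernetes audit log review against.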