Unexpected Azure API calls indicating AKS node pool modification
Description
AlphaSOC detected modification of an Azure Kubernetes Service (AKS) node pool
via Microsoft.ContainerService/managedClusters/agentPools/write. Node pool
changes affect the compute resources running Kubernetes workloads. Threat actors
may modify node pools to deploy compromised nodes, add privileged
configurations, scale resources for cryptomining, or disrupt services by
reducing capacity.
Impact
Unauthorized node pool modifications can introduce compromised compute resources into the cluster, scale down capacity to disrupt services, or add privileged configurations that weaken security. Threat actors may abuse node pools for resource hijacking, deploying cryptomining workloads on newly provisioned GPU or high-compute nodes.
Severity
| Severity | Condition |
|---|---|
| Low | Node pool modification detected |
| Medium | Anomalous node pool modification |
Investigation and Remediation
Review Azure Activity logs for the
Microsoft.ContainerService/managedClusters/agentPools/write action. Identify
what changes were made to the node pool configuration. Verify whether the
modification aligns with approved change management processes.
If unauthorized, revert the node pool to its expected configuration. Review cluster audit logs for suspicious workload deployments during the modification period. Rotate credentials for the compromised identity and implement Azure Policy to restrict node pool modification permissions.
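The triage steps above (find the agentPools/write events, work out what changed, decide whether the change looks approved) can be scripted against exported Azure Activity log records. The script below is an added example written for this page, not AlphaSOC's detection logic; the log records are constructed, and the approved-caller list, change window, "sensitive" property set and 2x scale-up threshold are assumptions a team would replace with its own. It uses a simplified subset of the Activity log record shape (`operationName.value`, `status.value`, `caller`, `resourceId`, `eventTimestamp`, and a `properties.requestbody` JSON string carrying the node pool properties that were written).

```python
"""Triage Azure Activity log records for AKS node pool (agentPool) writes.

Added example for this page. Records below are constructed, not tenant data.
"""
import json
from datetime import datetime, timezone

AGENTPOOL_WRITE = "Microsoft.ContainerService/managedClusters/agentPools/write"

# Assumption: identities that are expected to change node pools (IaC pipeline,
# platform automation). Hypothetical value.
APPROVED_CALLERS = {"sp-aks-iac-pipeline@contoso.example"}

# Assumption: approved change window, UTC hours [start, end).
CHANGE_WINDOW_UTC = (1, 5)

# Node pool properties whose change is treated as security-relevant.
# These are real AKS agent pool property names; the grouping is an assumption.
SENSITIVE_KEYS = {"enableNodePublicIP", "nodeTaints", "mode", "vmSize"}

# Assumption: a requested node count above this multiple of the expected
# count is flagged (possible resource hijacking / cryptomining capacity).
SCALE_UP_FACTOR = 2

# Constructed "known good" configuration for the node pool under review.
EXPECTED_CONFIG = {
    "count": 3,
    "vmSize": "Standard_D4s_v3",
    "enableNodePublicIP": False,
    "mode": "User",
}

POOL_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"
           "/rg-demo/providers/Microsoft.ContainerService/managedClusters"
           "/aks-demo/agentPools/userpool1")


def _record(caller, ts, props, status="Succeeded", op=AGENTPOOL_WRITE):
    """Build a constructed Activity log record in the simplified shape used here."""
    return {
        "operationName": {"value": op},
        "status": {"value": status},
        "caller": caller,
        "resourceId": POOL_ID,
        "eventTimestamp": ts,
        "properties": {"requestbody": json.dumps({"properties": props})},
    }


# Constructed sample records: routine scale-out, anomalous change, failed
# write, and an unrelated cluster write that must be ignored.
SAMPLE_RECORDS = [
    _record("sp-aks-iac-pipeline@contoso.example", "2024-05-03T02:15:43Z",
            {"count": 4, "vmSize": "Standard_D4s_v3"}),
    _record("jdoe@contoso.example", "2024-05-03T14:22:10Z",
            {"count": 12, "vmSize": "Standard_NC6s_v3", "enableNodePublicIP": True}),
    _record("jdoe@contoso.example", "2024-05-03T14:25:01Z",
            {"count": 50}, status="Failed"),
    _record("sp-aks-iac-pipeline@contoso.example", "2024-05-03T03:00:00Z",
            {"kubernetesVersion": "1.29.2"},
            op="Microsoft.ContainerService/managedClusters/write"),
]


def extract_properties(record):
    """Return the node pool properties written by this request, or {}."""
    body = record.get("properties", {}).get("requestbody")
    if not body:
        return {}
    try:
        return json.loads(body).get("properties", {})
    except json.JSONDecodeError:
        return {}


def diff_config(expected, requested):
    """Map each changed key to (expected_value, requested_value)."""
    return {k: (expected.get(k), v) for k, v in requested.items()
            if expected.get(k) != v}


def triage(record, expected_config):
    """Classify one record: None if not a successful agentPools/write,
    otherwise a dict with severity Low (routine) or Medium (anomalous)."""
    if record.get("operationName", {}).get("value") != AGENTPOOL_WRITE:
        return None
    if record.get("status", {}).get("value") != "Succeeded":
        return None
    ts = datetime.fromisoformat(record["eventTimestamp"].replace("Z", "+00:00"))
    ts = ts.astimezone(timezone.utc)
    changes = diff_config(expected_config, extract_properties(record))
    reasons = []
    if record.get("caller") not in APPROVED_CALLERS:
        reasons.append("caller not in approved list")
    if not (CHANGE_WINDOW_UTC[0] <= ts.hour < CHANGE_WINDOW_UTC[1]):
        reasons.append("outside change window")
    sensitive = sorted(set(changes) & SENSITIVE_KEYS)
    if sensitive:
        reasons.append("sensitive keys changed: " + ", ".join(sensitive))
    if "count" in changes:
        new_count = changes["count"][1]
        if new_count > SCALE_UP_FACTOR * expected_config.get("count", 0):
            reasons.append(f"scale-up beyond {SCALE_UP_FACTOR}x expected count")
    return {"severity": "Medium" if reasons else "Low",
            "caller": record.get("caller"), "resourceId": record["resourceId"],
            "changes": changes, "reasons": reasons}


def triage_all(records, expected_config=EXPECTED_CONFIG):
    """Triage every record; only successful agentPools/write events are returned."""
    return [r for r in (triage(rec, expected_config) for rec in records) if r]


if __name__ == "__main__":
    for finding in triage_all(SAMPLE_RECORDS):
        print(json.dumps(finding, indent=2, default=str))
```

The `changes` map is the artefact to compare against the approved change request; when no ticket matches, it is also the list of properties to revert. The Medium finding in the sample carries every anomaly reason at once, which is the pattern the remediation text is written for: an unexpected identity, outside the window, switching to a GPU SKU, exposing nodes with public IPs and scaling well beyond the expected count.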
Known False Positives
- Authorized scaling operations for capacity management