Azure AKS run command executed
Description
AlphaSOC detected use of the Azure AKS Run Command feature via
Microsoft.ContainerService/managedClusters/runCommand/action. Run Command
allows executing arbitrary commands directly on cluster nodes through the Azure
control plane, bypassing Kubernetes RBAC entirely. Commands execute with root
privileges on the underlying node, outside of any container security context.
Impact
Run Command execution enables threat actors to deploy malware, exfiltrate data, or modify cluster configurations. Adversaries can also use it for lateral movement within Kubernetes infrastructure.
Severity
| Severity | Condition |
|---|---|
| Medium | AKS Run Command executed |
Investigation and Remediation
Review Azure Activity logs for the
Microsoft.ContainerService/managedClusters/runCommand/action event. Identify
the specific command executed, the target cluster, and the principal who
initiated the action. Verify whether this was an authorized administrative
operation.
If unauthorized, investigate the affected cluster nodes for signs of compromise including unauthorized processes, new user accounts, or configuration changes. Review cluster audit logs for related suspicious activities. Rotate credentials for the compromised identity.
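The triage steps above (find the runCommand/action events, extract the principal and target cluster, decide whether each was authorized) as an added example, not part of the original detection write-up. It assumes Activity Log records in the JSON layout produced by an export such as `az monitor activity-log list` (operationName.value, caller, resourceId, status.value, eventTimestamp), a constructed sample log, and a hypothetical allowlist of principals expected to use Run Command; the command text itself is not present in these constructed records.

```python
import json
from dataclasses import dataclass

RUN_COMMAND_OP = "Microsoft.ContainerService/managedClusters/runCommand/action"
AKS_PROD = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
            "rg-prod/providers/Microsoft.ContainerService/managedClusters/aks-prod")

# Constructed sample Activity Log export (not real data): two Run Command
# invocations on the same cluster and one unrelated read operation.
SAMPLE_ACTIVITY_LOG = json.dumps([
    {"eventTimestamp": "2024-05-01T10:02:11Z",
     "operationName": {"value": RUN_COMMAND_OP},
     "caller": "ops-admin@example.com",
     "resourceId": AKS_PROD,
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2024-05-01T10:05:40Z",
     "operationName": {"value": "Microsoft.ContainerService/managedClusters/read"},
     "caller": "ops-admin@example.com",
     "resourceId": AKS_PROD,
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2024-05-01T23:48:03Z",
     "operationName": {"value": RUN_COMMAND_OP},
     "caller": "11111111-2222-3333-4444-555555555555",  # constructed SP object id
     "resourceId": AKS_PROD,
     "status": {"value": "Succeeded"}},
])


@dataclass
class RunCommandEvent:
    timestamp: str
    principal: str
    cluster: str
    status: str
    authorized: bool


def find_run_command_events(activity_log_json, authorized_principals):
    """Return every runCommand/action record in the export, flagging callers
    that are not on the (hypothetical) allowlist of expected Run Command users."""
    allowlist = {p.lower() for p in authorized_principals}
    events = []
    for rec in json.loads(activity_log_json):
        if rec.get("operationName", {}).get("value") != RUN_COMMAND_OP:
            continue
        caller = rec.get("caller", "<unknown>")
        events.append(RunCommandEvent(
            timestamp=rec["eventTimestamp"],
            principal=caller,
            # The cluster name is the last segment of the managedClusters resource ID.
            cluster=rec["resourceId"].rsplit("/", 1)[-1],
            status=rec.get("status", {}).get("value", "<unknown>"),
            authorized=caller.lower() in allowlist,
        ))
    return events
```

Any event with `authorized=False`, or one that falls outside a known change window, is the starting point for the node and audit-log review described above.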