Azure Container Instances command run
Description
AlphaSOC detected command execution in an Azure Container Instance. This action allows running commands inside containers via the Azure management plane. While useful for legitimate debugging and administration, adversaries may abuse this capability to execute malicious code or establish persistence within the container environment.
Impact
Unauthorized command execution in containers can enable attackers to run malicious code, access sensitive data, or establish persistence. Container compromise may lead to data exfiltration, lateral movement to other containers or services, or use of container resources for malicious purposes.
Severity
| Severity | Condition |
|---|---|
| Low | Azure Container Instances command run |
Investigation and Remediation
Review Azure Activity logs to identify the specific container instance and command executed. Determine the principal that initiated the command and verify authorization.
If unauthorized, investigate the affected container for signs of compromise. Review container logs and network traffic for suspicious activity. Consider terminating and replacing the compromised container. Rotate credentials for the compromised Azure identity and implement RBAC policies to restrict command execution permissions.
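A small triage helper for the Activity Log review described above, added here as an example (not AlphaSOC's own code): it pulls the exec-command events out of a batch of Activity Log records, extracts the caller and target container group, and marks callers that are not on a known-authorized list so the false-positive cases below (administrators, pipelines) can be separated quickly. The operation name, the allowlist and the log records are assumptions and constructed sample data; check the operation name against your own tenant's logs.

```python
import json

# Azure Activity Log operation name for the ACI "execute command" API.
# Assumed here; confirm it against real records in your tenant.
EXEC_OPERATION = "microsoft.containerinstance/containergroups/containers/exec/action"

# Constructed sample Activity Log records (not real tenant data).
# The subscription id is a placeholder.
SAMPLE_ACTIVITY_LOG = json.dumps([
    {"operationName": "Microsoft.ContainerInstance/containerGroups/containers/exec/action",
     "caller": "deploy-pipeline@example.com",
     "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-app/providers/"
                   "Microsoft.ContainerInstance/containerGroups/app-cg",
     "eventTimestamp": "2024-01-01T10:00:00Z", "status": "Succeeded"},
    {"operationName": "Microsoft.ContainerInstance/containerGroups/containers/exec/action",
     "caller": "unknown-user@example.com",
     "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-app/providers/"
                   "Microsoft.ContainerInstance/containerGroups/app-cg",
     "eventTimestamp": "2024-01-01T03:12:00Z", "status": "Succeeded"},
    {"operationName": "Microsoft.ContainerInstance/containerGroups/write",
     "caller": "deploy-pipeline@example.com",
     "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-app/providers/"
                   "Microsoft.ContainerInstance/containerGroups/app-cg",
     "eventTimestamp": "2024-01-01T09:58:00Z", "status": "Succeeded"},
])

# Principals expected to run exec against containers (assumed allowlist:
# e.g. the CI/CD pipeline identity or named administrators).
AUTHORIZED_PRINCIPALS = {"deploy-pipeline@example.com"}


def find_exec_events(activity_log_json):
    """Return the exec events from a JSON list of Activity Log records.

    Each result carries the timestamp, the caller, the target container
    group and whether the caller is on the authorized list.
    """
    events = []
    for rec in json.loads(activity_log_json):
        # Only the exec action matters here; other container-group
        # operations (create/update/delete) are ignored.
        if rec.get("operationName", "").lower() != EXEC_OPERATION:
            continue
        container_group = rec["resourceId"].rsplit("/", 1)[-1]
        events.append({
            "time": rec["eventTimestamp"],
            "caller": rec["caller"],
            "container_group": container_group,
            "status": rec["status"],
            "authorized": rec["caller"] in AUTHORIZED_PRINCIPALS,
        })
    return events
```

Events with `authorized` set to `False` are the ones to investigate first; the container group name identifies which instance to examine.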
Known False Positives
- Administrators performing legitimate debugging or maintenance
- Automated health checks or diagnostic scripts
- CI/CD pipelines executing deployment commands