Azure container service provider registered
Description
AlphaSOC detected registration of the Microsoft.ContainerService resource
provider via Microsoft.ContainerService/register/action. Resource provider
registration is required before creating AKS clusters in a subscription and is
typically a one-time operation. Unexpected registration may indicate preparation
for deploying unauthorized container infrastructure, potentially for
cryptomining campaigns or command-and-control infrastructure.
Impact
Resource provider registration enables the creation of AKS clusters within the subscription. Threat actors may register the container service provider as a precursor to deploying malicious container infrastructure. This could be used for cryptomining operations leveraging cloud compute resources or establishing persistent command-and-control channels.
Severity
| Severity | Condition |
|---|---|
| Low | Container service provider registered |
Investigation and Remediation
Review Azure Activity logs for the Microsoft.ContainerService/register/action
event. Identify the principal who initiated the registration and verify whether
AKS deployments are expected in this subscription. Check for subsequent cluster
creation activities.
If the registration is unauthorized, unregister the resource provider once you have confirmed that no Microsoft.ContainerService resources remain in the subscription (a provider cannot be unregistered while resources of that type still exist). Monitor for AKS cluster creation attempts and block them, rotate credentials for the compromised identity, and use Azure Policy to deny creation of Microsoft.ContainerService/managedClusters in subscriptions where AKS is not expected. Azure Policy evaluates resource create and update requests, so it does not gate the registration action itself; restrict who can register providers through RBAC, noting that the */register/action permission is included in the built-in Owner and Contributor roles.
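The following triage script is an added example, not AlphaSOC's detection code. It walks an Azure Activity Log export, keeps each successful Microsoft.ContainerService/register/action event, checks the caller against an assumed per-subscription allowlist, and looks for Microsoft.ContainerService/managedClusters/write events in the same subscription during the following 24 hours, as the investigation steps above describe. The events, principal names, subscription IDs and the low/medium/high escalation scheme are all constructed for illustration; the field names used (operationName.value, caller, eventTimestamp, subscriptionId, status.value, properties.resourceId) are a subset of the real Activity Log schema.

```python
"""Triage of Microsoft.ContainerService/register/action events.

Added example, not AlphaSOC's detection code. Events below are constructed and use a
simplified subset of the Azure Activity Log JSON schema: the field names
operationName.value, caller, eventTimestamp, subscriptionId, status.value and
properties.resourceId exist in real exports; every value is invented.
"""
from datetime import datetime, timedelta

REGISTER_OP = "Microsoft.ContainerService/register/action"
CLUSTER_WRITE_OP = "Microsoft.ContainerService/managedClusters/write"


def _event(op, caller, ts, sub, status, resource_id=None):
    """Build one constructed Activity Log event in the schema subset used here."""
    e = {"operationName": {"value": op}, "caller": caller, "eventTimestamp": ts,
         "subscriptionId": sub, "status": {"value": status}}
    if resource_id:
        e["properties"] = {"resourceId": resource_id}
    return e


# Constructed sample: sub-a has an expected registration by the platform team; sub-b has a
# registration by an unexpected service principal followed by an AKS cluster write.
SAMPLE_EVENTS = [
    _event(REGISTER_OP, "platform-admin@example.com", "2024-05-01T09:00:00Z", "sub-a", "Succeeded"),
    # The Activity Log can carry Started and Succeeded entries for one operation;
    # only the Succeeded entry is counted as a registration.
    _event(REGISTER_OP, "svc-ci@example.com", "2024-05-02T02:10:00Z", "sub-b", "Started"),
    _event(REGISTER_OP, "svc-ci@example.com", "2024-05-02T02:10:05Z", "sub-b", "Succeeded"),
    _event(CLUSTER_WRITE_OP, "svc-ci@example.com", "2024-05-02T02:25:00Z", "sub-b", "Started",
           "/subscriptions/sub-b/resourceGroups/rg-x/providers/Microsoft.ContainerService/managedClusters/aks-x"),
    _event("Microsoft.Compute/virtualMachines/write", "svc-ci@example.com",
           "2024-05-02T02:30:00Z", "sub-b", "Succeeded",
           "/subscriptions/sub-b/resourceGroups/rg-x/providers/Microsoft.Compute/virtualMachines/vm-1"),
]

# Assumed allowlist of principals expected to register providers, keyed by subscription.
EXPECTED_CALLERS = {"sub-a": {"platform-admin@example.com"}}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def triage(events, expected_callers, window=timedelta(hours=24)):
    """Return one finding per successful registration, oldest first.

    Severity is an assumed scheme, not AlphaSOC's: low for an expected caller, medium for
    an unexpected caller, high for an unexpected caller whose registration was followed
    by a managedClusters write in the same subscription within `window`. Cluster writes
    with status Started are counted as well, since an attempt matters even if it failed.
    """
    registrations = [e for e in events
                     if e["operationName"]["value"] == REGISTER_OP
                     and e["status"]["value"] == "Succeeded"]
    cluster_writes = [e for e in events if e["operationName"]["value"] == CLUSTER_WRITE_OP]
    findings = []
    for reg in sorted(registrations, key=lambda e: e["eventTimestamp"]):
        t0 = _ts(reg["eventTimestamp"])
        sub = reg["subscriptionId"]
        followed_by = sorted({w["properties"]["resourceId"] for w in cluster_writes
                              if w["subscriptionId"] == sub
                              and t0 <= _ts(w["eventTimestamp"]) <= t0 + window})
        expected = reg["caller"] in expected_callers.get(sub, set())
        if expected:
            severity = "low"
        elif followed_by:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"subscriptionId": sub, "caller": reg["caller"],
                         "eventTimestamp": reg["eventTimestamp"], "expected": expected,
                         "clusterWrites": followed_by, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, EXPECTED_CALLERS):
        print(f"{f['severity']:6} {f['subscriptionId']} {f['caller']} clusters={f['clusterWrites']}")
```

Run against the constructed sample, the sub-a registration stays low and the sub-b one is raised to high because the unexpected principal went on to create a cluster within the window. For a real investigation, feed the script the JSON produced by `az monitor activity-log list` for the relevant time range; once the caller is confirmed unauthorized and any clusters have been removed, `az provider unregister --namespace Microsoft.ContainerService` reverts the registration, and `az provider show --namespace Microsoft.ContainerService --query registrationState` confirms the result.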