AZT301.5 - Virtual Machine Scripting: AKS Command Invoke

By utilizing 'command invoke' on an Azure Kubernetes Service (AKS) cluster, an attacker can pass commands to the cluster's VM as SYSTEM

Resource

Azure Kubernetes Service

Actions

• Microsoft.ContainerService/managedClusters/runcommand/action
• Microsoft.ContainerService/managedclusters/commandResults/read

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

Invoke-AzAksRunCommand

az aks command invoke

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ContainerService/managedClusters/{resourceName}/runCommand?api-version=2022-04-01

Detections

Detection Details

Logs are only generated when running a command through az cli or Az PowerShell. Using kubectl will not generate logs.

Logs

Data Source	Operation Name	Action	Log Provider
Resource	RunCommand	Microsoft.ContainerService/managedClusters/runCommand/action	AzureActivity

Queries

Platform	Query
Log Analytics	AzureActivity | where OperationNameValue == 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/RUNCOMMAND/ACTION'

Azure Monitor Alert

Additional Resources

https://docs.microsoft.com/en-us/azure/aks/command-invoke