AZT301.5 - Virtual Machine Scripting: AKS Command Invoke
By using `command invoke` on an Azure Kubernetes Service (AKS) cluster, an attacker can run commands on the cluster's VM as SYSTEM.
Resource
Azure Kubernetes Service
Actions
- Microsoft.ContainerService/managedClusters/runcommand/action
- Microsoft.ContainerService/managedclusters/commandResults/read
Examples
Detections
Detection Details
Logs are only generated when running a command through az cli or Az PowerShell. Using kubectl will not generate logs.
Logs
| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Resource | RunCommand | Microsoft.ContainerService/managedClusters/runCommand/action | Azure Activity Log |
Queries
```kql
// Azure Activity Log entries land in the AzureActivity table in Log Analytics
AzureActivity
| where OperationNameValue == "Microsoft.ContainerService/managedClusters/runCommand/action"
```
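The same detection applied to an exported Activity Log, as an added example rather than code from the AzTRM page: it assumes the standard AzureActivity column names (OperationNameValue, Caller, CallerIpAddress, ResourceId, ActivityStatusValue), matches the operation name case-insensitively since the action is also written `runcommand` in lower case, counts only the `Success` entry so one invocation is not reported twice, and summarises invocations per caller for triage. The log records are constructed samples.

```python
import json
from collections import defaultdict

# Operation name from the detection table above; compared case-insensitively.
RUN_COMMAND_OP = "Microsoft.ContainerService/managedClusters/runCommand/action"

# Constructed AzureActivity-style records (newline-delimited JSON), not real telemetry.
SAMPLE_LOG = """\
{"TimeGenerated":"2024-05-01T10:00:00Z","OperationNameValue":"Microsoft.ContainerService/managedClusters/runCommand/action","Caller":"alice@contoso.example","CallerIpAddress":"203.0.113.10","ResourceId":"/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.ContainerService/managedClusters/aks-prod","ActivityStatusValue":"Start"}
{"TimeGenerated":"2024-05-01T10:00:05Z","OperationNameValue":"Microsoft.ContainerService/managedClusters/runCommand/action","Caller":"alice@contoso.example","CallerIpAddress":"203.0.113.10","ResourceId":"/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.ContainerService/managedClusters/aks-prod","ActivityStatusValue":"Success"}
{"TimeGenerated":"2024-05-01T10:02:00Z","OperationNameValue":"Microsoft.ContainerService/managedClusters/read","Caller":"bob@contoso.example","CallerIpAddress":"198.51.100.7","ResourceId":"/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.ContainerService/managedClusters/aks-prod","ActivityStatusValue":"Success"}
{"TimeGenerated":"2024-05-01T10:03:00Z","OperationNameValue":"MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/RUNCOMMAND/ACTION","Caller":"svc-ci","CallerIpAddress":"192.0.2.44","ResourceId":"/subscriptions/0000/resourceGroups/rg-dev/providers/Microsoft.ContainerService/managedClusters/aks-dev","ActivityStatusValue":"Success"}
"""


def find_run_command_events(ndjson: str) -> list[dict]:
    """One finding per completed runCommand call ('Start' rows are skipped)."""
    findings = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Case-insensitive match: the same action appears as runCommand and runcommand.
        if rec.get("OperationNameValue", "").lower() != RUN_COMMAND_OP.lower():
            continue
        if rec.get("ActivityStatusValue") != "Success":
            continue
        findings.append({
            "time": rec["TimeGenerated"],
            "caller": rec["Caller"],
            "ip": rec.get("CallerIpAddress"),
            "cluster": rec["ResourceId"].rsplit("/", 1)[-1],  # managed cluster name
        })
    return findings


def summarize_by_caller(findings: list[dict]) -> dict[str, int]:
    """Invocations per caller, a quick view for spotting unexpected identities."""
    counts: dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f["caller"]] += 1
    return dict(counts)


if __name__ == "__main__":
    events = find_run_command_events(SAMPLE_LOG)
    for f in events:
        print(f"{f['time']} {f['caller']} ({f['ip']}) ran a command on {f['cluster']}")
    print(summarize_by_caller(events))
```

Because kubectl-based execution leaves no Activity Log entry, this only covers invocations made through az cli or Az PowerShell.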
Additional Resources