
# AZT301.5 - Virtual Machine Scripting: AKS Command Invoke

By utilizing 'command invoke' on an Azure Kubernetes Service (AKS) cluster, an attacker can pass commands to the cluster's VM as SYSTEM.

Resource

Azure Kubernetes Service

Actions

  • Microsoft.ContainerService/managedClusters/runcommand/action
  • Microsoft.ContainerService/managedclusters/commandResults/read

Detections

## Detection Details

Logs are only generated when the command is run through the Azure CLI or Az PowerShell; commands issued directly through kubectl do not produce these Activity Log entries.

### Logs

| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Resource | RunCommand | Microsoft.ContainerService/managedClusters/runCommand/action | Azure Activity Log |

### Queries

```kusto
// AzureActivity holds the exported Activity Log; OperationNameValue is stored
// with varying case (often upper-case), so match case-insensitively with =~.
AzureActivity
| where OperationNameValue =~ "Microsoft.ContainerService/managedClusters/runCommand/action"
```
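The same detection applied offline to an Activity Log export, as an added example that is not part of this AzTRM page: it filters constructed JSON-lines events (field names assumed from the Activity Log event schema, values made up) for the runCommand action, matching case-insensitively as the query above does, and reports who ran a command against which cluster.

```python
import json

# Operation name recorded in the Azure Activity Log for the action listed on
# this page. Azure stores the value with inconsistent casing, so every
# comparison below is case-insensitive.
RUN_COMMAND_ACTION = "Microsoft.ContainerService/managedClusters/runCommand/action"

# Constructed sample events (JSON lines) in the shape of Activity Log records;
# field names are assumed from the Activity Log event schema, values are made up.
SAMPLE_ACTIVITY_LOG = """\
{"eventTimestamp": "2024-05-01T10:00:00Z", "operationName": {"value": "MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/RUNCOMMAND/ACTION"}, "caller": "alice@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.ContainerService/managedClusters/aks-prod", "status": {"value": "Succeeded"}}
{"eventTimestamp": "2024-05-01T10:00:05Z", "operationName": {"value": "Microsoft.ContainerService/managedclusters/commandResults/read"}, "caller": "alice@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.ContainerService/managedClusters/aks-prod", "status": {"value": "Succeeded"}}
{"eventTimestamp": "2024-05-01T11:00:00Z", "operationName": {"value": "Microsoft.ContainerService/managedClusters/write"}, "caller": "bob@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev/providers/Microsoft.ContainerService/managedClusters/aks-dev", "status": {"value": "Succeeded"}}
"""


def parse_activity_log(text):
    """Parse a JSON-lines Activity Log export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def operation_name(event):
    """operationName appears either as {"value": ...} or as a bare string."""
    name = event.get("operationName", "")
    return name.get("value", "") if isinstance(name, dict) else name


def is_aks_run_command(event):
    """Case-insensitive match, the equivalent of KQL `=~` rather than `==`."""
    return operation_name(event).lower() == RUN_COMMAND_ACTION.lower()


def detect_run_command(events):
    """Return one alert per AKS run-command invocation: when, who, which cluster, outcome.
    Only CLI / Az PowerShell invocations reach the Activity Log; commands issued
    through kubectl produce no such event and are invisible to this check."""
    alerts = []
    for ev in events:
        if not is_aks_run_command(ev):
            continue
        status = ev.get("status", {})
        alerts.append({
            "timestamp": ev.get("eventTimestamp"),
            "caller": ev.get("caller"),
            "cluster": ev.get("resourceId", "").rsplit("/", 1)[-1],
            "status": status.get("value") if isinstance(status, dict) else status,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_run_command(parse_activity_log(SAMPLE_ACTIVITY_LOG)):
        print(alert)
```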