heroui logo

Azure AKS API Server Proxying Request to Kubelet

Elastic Detection Rules

View Source
Summary
This rule detects non-system identities leveraging the Azure Kubernetes Service (AKS) API server to proxy through the nodes/proxy subresource to reach a node’s Kubelet. By tunneling via the API server, an identity can enumerate pods or execute commands on nodes, enabling lateral movement and potential privilege escalation (e.g., via kubeletctl or Peirates). The detection excludes routine monitoring identities (node/system accounts) such that remaining matches—typically workload service accounts or unusual users—are surfaced for review. It relies on AKS kube-audit events carried in azure.platformlogs with event.action Microsoft.ContainerService/managedClusters/diagnosticLogs/Read and log.subresource proxy, filtering for requests targeting nodes via the proxy. The rule maps to MITRE ATT&CK techniques T1210 (Exploitation of Remote Services) and T1609 (Container Administration Command), under Lateral Movement and Execution. A structured triage path guides analysts to verify the acting identity, examine the proxied Kubelet endpoint (distinguish between monitoring vs reconnaissance versus command execution), assess source IPs for external vs internal hops, and correlate with the target node’s workload activity and RBAC changes. It also highlights that direct Kubelet access on port 10250 bypasses kube-audit and should be treated as potential broader compromise. Remediation steps include revoking suspect tokens, reviewing RBAC permissions granting nodes/proxy, rotating credentials reachable from affected pods, and collecting kube-audit and identity artifacts per IR procedures. False positives commonly arise from monitoring and log-collection agents that proxy to the Kubelet; such cases should be mitigated with targeted exclusions after validation.
Categories
  • Cloud
  • Kubernetes
  • Containers
Data Sources
  • Application Log
ATT&CK Techniques
  • T1210
  • T1609
Created: 2026-07-09