
Summary
Detects use of the AKS API server proxy to reach Kubelet command-execution endpoints (run, exec, attach, portforward, cri) through Azure AKS diagnostic logs (kube-audit). Unlike benign monitoring that accesses /metrics or /stats, hits to these proxy subresources enable executing commands inside a pod on the target node, constituting a core lateral-movement and remote-command capability. The rule relies on azure.platformlogs event.action (Microsoft.ContainerService/managedClusters/diagnosticLogs/Read) and matches on requestURI patterns for the kubelet proxy endpoints, while excluding certain legitimate operators. This setup treats any such hit as high-signal command execution regardless of identity, including compromised service accounts. MITRE mappings include Container Administration Command (T1609) and Exploitation of Remote Services (T1210). False positives are mitigated by verifying legitimate admin tooling and operator activity. Investigation steps focus on endpoint and targetpod details, source IPs, associated RBAC changes, and token access history, with remediation including token revocation, node/pod isolation, credential rotation, and RBAC review to remove unnecessary nodes/proxy privileges. Remediation guidance also notes that direct kubelet access (port 10250) bypasses the API server and warrants additional containment if observed.
Categories
- Cloud
- Kubernetes
- Azure
Data Sources
- Application Log
ATT&CK Techniques
- T1609
- T1210
Created: 2026-07-16