Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action
Azure
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action
Event
Retrieves the cluster-admin kubeconfig for an AKS cluster, granting full administrative access to the cluster.
Security Context
- Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
- Enumerating cloud resources helps adversaries map the environment to identify high-value targets, security controls, and potential pivot points.
- Accessing stored credentials or secrets can provide adversaries with keys to additional systems, enabling lateral movement and privilege escalation.
Log Source
Azure Activity Log
Sample Event
Adversarial. Compromised user draco@fantasticlogs.cloud calls listClusterAdminCredential on the production AKS cluster aks-occamy-prod to obtain a kubeconfig that uses the cluster-admin client certificate. This bypasses Azure RBAC for Kubernetes Authorization — the resulting kubeconfig grants full cluster-admin access regardless of Entra group membership and remains valid as long as the cluster CA hasn’t rotated. Maps to T1552, T1526, and indirectly T1078.
{ "authorization": { "action": "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.ContainerService/managedClusters/aks-occamy-prod" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/", "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud" }, "correlationId": "90000000-0000-4000-8000-000010111100", "description": "", "eventDataId": "90000000-0000-4000-8000-000010111101", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T22:51:08.7172938Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.ContainerService/managedClusters/aks-occamy-prod/events/90000000-0000-4000-8000-000010111101/ticks/638798288687172938", "level": "Informational", "operationId": "90000000-0000-4000-8000-000010111110", "operationName": { "value": "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action", "localizedValue": "Get an AKS Managed Cluster's admin Cluster Credentials" }, "resourceGroupName": "rg-occamy-pipeline", "resourceProviderName": { "value": "Microsoft.ContainerService", "localizedValue": "Microsoft.ContainerService" }, "resourceType": { "value": "Microsoft.ContainerService/managedClusters", "localizedValue": "Microsoft.ContainerService/managedClusters" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.ContainerService/managedClusters/aks-occamy-prod", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "OK", "localizedValue": "OK (HTTP Status Code: 200)" }, "submissionTimestamp": "2026-04-15T22:51:09.1182233Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "OK", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.ContainerService/managedClusters/aks-occamy-prod", "message": "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001" }, "relatedEvents": [], "httpRequest": { "clientRequestId": "90000000-0000-4000-8000-000010111111", "clientIpAddress": "203.0.113.66", "method": "POST", "url": "https://management.azure.com/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.ContainerService/managedClusters/aks-occamy-prod/listClusterAdminCredential?api-version=2024-02-01" }, "identity": null}MITRE ATT&CK Mapping
Tactics: Credential Access Privilege Escalation Discovery
Techniques:
- T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or applica...
- T1526 — Cloud Service Discovery — An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can...