Skip to content

Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action

Azure

Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action

service: Azure - Container Service
techniques:

Event

Retrieves the cluster-admin kubeconfig for an AKS cluster, granting full administrative access to the cluster.

Security Context

  • Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
  • Enumerating cloud resources helps adversaries map the environment to identify high-value targets, security controls, and potential pivot points.
  • Accessing stored credentials or secrets can provide adversaries with keys to additional systems, enabling lateral movement and privilege escalation.

Log Source

Azure Activity Log

Sample Event

Adversarial. Compromised user draco@fantasticlogs.cloud calls listClusterAdminCredential on the production AKS cluster aks-occamy-prod to obtain a kubeconfig that uses the cluster-admin client certificate. This bypasses Azure RBAC for Kubernetes Authorization — the resulting kubeconfig grants full cluster-admin access regardless of Entra group membership and remains valid as long as the cluster CA hasn’t rotated. Maps to T1552, T1526, and indirectly T1078.

{
"authorization": {
"action": "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.ContainerService/managedClusters/aks-occamy-prod"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"aud": "https://management.core.windows.net/",
"iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/",
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud"
},
"correlationId": "90000000-0000-4000-8000-000010111100",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000010111101",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T22:51:08.7172938Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.ContainerService/managedClusters/aks-occamy-prod/events/90000000-0000-4000-8000-000010111101/ticks/638798288687172938",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000010111110",
"operationName": {
"value": "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"localizedValue": "Get an AKS Managed Cluster's admin Cluster Credentials"
},
"resourceGroupName": "rg-occamy-pipeline",
"resourceProviderName": {
"value": "Microsoft.ContainerService",
"localizedValue": "Microsoft.ContainerService"
},
"resourceType": {
"value": "Microsoft.ContainerService/managedClusters",
"localizedValue": "Microsoft.ContainerService/managedClusters"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.ContainerService/managedClusters/aks-occamy-prod",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T22:51:09.1182233Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "OK",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.ContainerService/managedClusters/aks-occamy-prod",
"message": "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001"
},
"relatedEvents": [],
"httpRequest": {
"clientRequestId": "90000000-0000-4000-8000-000010111111",
"clientIpAddress": "203.0.113.66",
"method": "POST",
"url": "https://management.azure.com/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.ContainerService/managedClusters/aks-occamy-prod/listClusterAdminCredential?api-version=2024-02-01"
},
"identity": null
}

MITRE ATT&CK Mapping

Tactics: Credential Access Privilege Escalation Discovery

Techniques:
  • T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or applica...
  • T1526 — Cloud Service Discovery — An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can...