Microsoft.ContainerService/managedClusters/runCommand/action
Azure
Microsoft.ContainerService/managedClusters/runCommand/action
Event
Executes a command against an AKS cluster’s Kubernetes API without requiring direct network connectivity to the API server.
Security Context
- Remote command execution services provide adversaries with direct OS-level access to managed instances, often without requiring SSH or RDP.
- Using remote services for lateral movement allows adversaries to pivot between systems while leveraging legitimate access mechanisms.
Log Source
Azure Activity Log
Sample Event
Adversarial. Compromised user draco@fantasticlogs.cloud invokes runCommand on the private AKS cluster aks-occamy-prod to execute kubectl get secrets --all-namespaces -o yaml against the cluster’s API server. RunCommand provisions a temporary management pod inside the cluster that runs the supplied command with cluster-admin equivalent rights — bypassing both private-cluster network restrictions and any AKS Entra-integrated RBAC binding for Draco’s user. Maps to T1651, T1059, T1021.
{ "authorization": { "action": "Microsoft.ContainerService/managedClusters/runCommand/action", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.ContainerService/managedClusters/aks-occamy-prod" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/", "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud" }, "correlationId": "90000000-0000-4000-8000-000011000100", "description": "", "eventDataId": "90000000-0000-4000-8000-000011000101", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T22:58:42.7382194Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.ContainerService/managedClusters/aks-occamy-prod/events/90000000-0000-4000-8000-000011000101/ticks/638798293227382194", "level": "Informational", "operationId": "90000000-0000-4000-8000-000011000110", "operationName": { "value": "Microsoft.ContainerService/managedClusters/runCommand/action", "localizedValue": "Run a command against an AKS Managed Cluster" }, "resourceGroupName": "rg-occamy-pipeline", "resourceProviderName": { "value": "Microsoft.ContainerService", "localizedValue": "Microsoft.ContainerService" }, "resourceType": { "value": "Microsoft.ContainerService/managedClusters", "localizedValue": "Microsoft.ContainerService/managedClusters" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.ContainerService/managedClusters/aks-occamy-prod", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "Accepted", "localizedValue": "Accepted (HTTP Status Code: 202)" }, "submissionTimestamp": "2026-04-15T22:58:43.0218732Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "Accepted", "serviceRequestId": null, "requestbody": "{\"command\":\"kubectl get secrets --all-namespaces -o yaml\",\"context\":\"\",\"clusterToken\":\"\"}", "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.ContainerService/managedClusters/aks-occamy-prod", "message": "Microsoft.ContainerService/managedClusters/runCommand/action", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001" }, "relatedEvents": [], "httpRequest": { "clientRequestId": "90000000-0000-4000-8000-000011000111", "clientIpAddress": "203.0.113.66", "method": "POST", "url": "https://management.azure.com/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.ContainerService/managedClusters/aks-occamy-prod/runCommand?api-version=2024-02-01" }, "identity": null}MITRE ATT&CK Mapping
Tactics: Execution Lateral Movement
Techniques:
- T1651 — Cloud Administration Command — Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents.
- T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface a...
- T1021 — Remote Services — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.