Azure Service Principal Sign-In Followed by Arc Cluster Credential Access
Detects a service principal authenticating to Microsoft Entra ID and then listing credentials for an Azure Arc-connected Kubernetes cluster within a short time window, indicating potential unauthorized access to Kubernetes clusters via stolen service principal secrets.
This detection rule identifies a specific attack chain targeting Azure Arc-connected Kubernetes clusters. The attack begins with a service principal authenticating to Microsoft Entra ID and immediately requesting credentials for an Azure Arc-connected Kubernetes cluster. This listClusterUserCredential action retrieves tokens enabling kubectl access via the Arc Cluster Connect proxy. This behavior is indicative of adversaries using stolen service principal secrets to gain unauthorized access and establish a proxy tunnel into Kubernetes environments. The rule prioritizes external service principal authentications (excluding managed identities) followed by Arc cluster credential access, particularly when sign-in origins are from unexpected locations or Autonomous System Numbers (ASNs). This activity was observed in attacks documented by IBM X-Force and Microsoft, as referenced below.
Attack Chain
- The attacker compromises or obtains valid credentials for an Azure Service Principal.
- The attacker authenticates to Microsoft Entra ID using the compromised service principal credentials, generating a ServicePrincipalSignInLogs event in Azure.
- The attacker attempts to list cluster user credentials for a connected Kubernetes cluster using the compromised service principal. This generates an Azure Activity Log event: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION.
- If successful, the listClusterUserCredential action provides the attacker with tokens to access the Kubernetes cluster through the Arc Cluster Connect proxy.
- The attacker uses the acquired credentials to interact with the Kubernetes cluster via kubectl proxied through Azure Arc.
- The attacker performs reconnaissance within the Kubernetes cluster to identify valuable targets.
- The attacker attempts to create, read, update, or delete (CRUD) sensitive Kubernetes resources, such as secrets or configmaps.
- The attacker may attempt to escalate privileges within the cluster or pivot to other resources within the Azure environment.
Impact
Compromise of service principal credentials and subsequent access to Azure Arc-connected Kubernetes clusters can lead to significant data breaches, service disruption, and unauthorized resource access. Successful exploitation allows attackers to gain control over Kubernetes clusters, potentially leading to lateral movement within the environment, exfiltration of sensitive data, and deployment of malicious workloads. The number of victims and specific sectors targeted vary based on the attacker’s objectives and the compromised environment.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect the described attack chain, tuning the maxspan value based on observed authentication patterns and network latency.
- Investigate any alerts generated by the Sigma rule, focusing on unexpected sign-in locations or ASNs for the service principal (refer to the investigation fields in the rule definition).
- Implement regular rotation of service principal credentials and enforce multi-factor authentication where possible (refer to Microsoft Entra ID documentation).
- Review and restrict Azure role assignments for service principals on Arc-connected clusters to minimize potential impact from compromised credentials (refer to Azure RBAC documentation).
- Enable logging for Azure sign-in logs and activity logs to ensure the data sources are available for the detection rule (refer to Azure Monitor documentation).
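The following Python script is an added worked example, not code from the original rule page or from the detection platform. It implements the temporal correlation that the Attack Chain and Recommendation sections describe: a successful external service principal sign-in (managed identity sign-ins excluded) followed, within a configurable maxspan, by a listClusterUserCredential action by the same principal, with the sign-in origin checked against an expected location/ASN baseline. The field names (category, sp_id, location, asn, operation, caller, resource_id) are loosely modelled on Azure sign-in and activity log columns but are assumptions, as is the assumption that the activity log's caller identifier matches the sign-in log's service principal identifier; the timestamps, principal IDs, IP addresses, ASNs, the placeholder subscription ID and the expected-origin baseline are all constructed sample data.

```python
# Added example (not part of the original rule page): correlate Entra ID
# service principal sign-ins with Azure Arc listClusterUserCredential actions
# inside a maxspan window. Field names are modelled on Azure sign-in and
# activity log columns; all events below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List

ARC_CRED_OP = "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION"
SP_SIGNIN = "ServicePrincipalSignInLogs"   # external service principals (in scope)
MI_SIGNIN = "ManagedIdentitySignInLogs"    # managed identities (excluded by the rule)


@dataclass(frozen=True)
class SignIn:
    time: datetime
    category: str      # SP_SIGNIN or MI_SIGNIN (assumed field)
    sp_id: str         # service principal object id (assumed field)
    ip: str
    location: str      # country code of the sign-in origin
    asn: int           # autonomous system number of the sign-in origin
    result_type: str   # "0" means the sign-in succeeded


@dataclass(frozen=True)
class ActivityEvent:
    time: datetime
    operation: str     # operation name, compared case-insensitively
    caller: str        # identifier of the principal performing the action
    resource_id: str   # ARM id of the connected cluster


@dataclass(frozen=True)
class Alert:
    sp_id: str
    sign_in_time: datetime
    action_time: datetime
    resource_id: str
    location: str
    asn: int
    unexpected_origin: bool   # True when location or ASN is off-baseline


def correlate(sign_ins: Iterable[SignIn], activity: Iterable[ActivityEvent],
              maxspan: timedelta = timedelta(minutes=10),
              expected_locations: frozenset = frozenset(),
              expected_asns: frozenset = frozenset()) -> List[Alert]:
    """Return one Alert per (successful SP sign-in, Arc credential listing)
    pair where the listing happens within maxspan after the sign-in."""
    by_sp = {}
    for s in sign_ins:
        # Only external service principals with a successful sign-in.
        if s.category != SP_SIGNIN or s.result_type != "0":
            continue
        by_sp.setdefault(s.sp_id, []).append(s)

    alerts = []
    for a in activity:
        if a.operation.upper() != ARC_CRED_OP:
            continue
        for s in by_sp.get(a.caller, []):
            delta = a.time - s.time
            # Sign-in must precede the action, and the gap must fit maxspan.
            if timedelta(0) <= delta <= maxspan:
                unexpected = (s.location not in expected_locations
                              or s.asn not in expected_asns)
                alerts.append(Alert(s.sp_id, s.time, a.time, a.resource_id,
                                    s.location, s.asn, unexpected))
    return alerts


# Constructed sample events. Subscription id is a placeholder.
T0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
CLUSTER = ("/subscriptions/SUBSCRIPTION_ID_PLACEHOLDER/resourceGroups/rg-demo/"
           "providers/Microsoft.Kubernetes/connectedClusters/demo-arc-cluster")

SAMPLE_SIGN_INS = [
    SignIn(T0, SP_SIGNIN, "sp-aaaa-1111", "203.0.113.10", "NL", 64496, "0"),
    SignIn(T0, MI_SIGNIN, "mi-bbbb-2222", "10.0.0.4", "US", 64500, "0"),
    SignIn(T0, SP_SIGNIN, "sp-cccc-3333", "198.51.100.7", "US", 64500, "0"),
    SignIn(T0, SP_SIGNIN, "sp-dddd-4444", "203.0.113.99", "NL", 64496, "50126"),  # failed sign-in
]
SAMPLE_ACTIVITY = [
    ActivityEvent(T0 + timedelta(minutes=3), ARC_CRED_OP, "sp-aaaa-1111", CLUSTER),
    ActivityEvent(T0 + timedelta(minutes=1), ARC_CRED_OP, "mi-bbbb-2222", CLUSTER),
    ActivityEvent(T0 + timedelta(minutes=45), ARC_CRED_OP, "sp-cccc-3333", CLUSTER),
    ActivityEvent(T0 + timedelta(minutes=2), ARC_CRED_OP, "sp-dddd-4444", CLUSTER),
]
EXPECTED_LOCATIONS = frozenset({"US"})   # assumed baseline for this tenant
EXPECTED_ASNS = frozenset({64500})       # assumed baseline ASN (documentation range)


def run_demo(maxspan_minutes: int = 10) -> List[Alert]:
    """Run the correlation over the sample data with the given maxspan."""
    return correlate(SAMPLE_SIGN_INS, SAMPLE_ACTIVITY,
                     timedelta(minutes=maxspan_minutes),
                     EXPECTED_LOCATIONS, EXPECTED_ASNS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

With the default 10-minute maxspan only the sp-aaaa-1111 pair fires, and it is flagged as an unexpected origin because NL and ASN 64496 are outside the assumed baseline; the managed identity pair and the failed sign-in are dropped by the filters. Widening maxspan to 60 minutes also surfaces the sp-cccc-3333 pair, which is the tuning trade-off the Recommendation section refers to: a longer window catches slower operators at the cost of more pairs from legitimate automation.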
Detection coverage (2)
Azure Service Principal Sign-In and Arc Credential Access
Severity: medium. Detects a service principal authenticating to Azure and then listing credentials for an Azure Arc-connected Kubernetes cluster.
Suspicious Azure Arc Credential Listing
Severity: medium. Detects access to Azure Arc cluster credentials by a service principal outside of normal business hours or from unexpected locations.