{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-arc/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Arc","Kubernetes","Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["kubernetes","azure-arc","credential-access","collection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious access patterns within Kubernetes clusters connected to Azure Arc. Specifically, it focuses on activity where secrets or configmaps are accessed, created, modified, or deleted, and the Kubernetes audit logs indicate the Azure Arc AAD proxy service account (\u003ccode\u003esystem:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa\u003c/code\u003e) as the user. The \u003ccode\u003eimpersonatedUser\u003c/code\u003e field contains the actual caller identity, suggesting operations are being routed through the Azure ARM API, rather than directly via \u003ccode\u003ekubectl\u003c/code\u003e.  While Azure Arc-managed workflows legitimately use this proxy, adversaries with compromised service principal credentials can exploit Arc Cluster Connect. This allows them to read, exfiltrate, or modify secrets and configmaps while masking their activity under the guise of the Arc proxy service account in K8s audit logs. The rule excludes known Arc namespaces and Helm release secrets to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises an Azure AD service principal with permissions to interact with the Azure Arc-connected Kubernetes cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to Azure using the compromised service principal credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the Azure ARM API to issue commands targeting the Kubernetes cluster, specifically secrets or configmaps. This might involve using \u003ccode\u003eLISTCLUSTERUSERCREDENTIAL\u003c/code\u003e to initiate an Arc proxy session.\u003c/li\u003e\n\u003cli\u003eThe Azure Arc Cluster Connect proxy receives the request and impersonates the requesting user.\u003c/li\u003e\n\u003cli\u003eThe proxy service account (\u003ccode\u003esystem:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa\u003c/code\u003e) in the Kubernetes cluster executes the requested operation (get, list, create, update, patch, or delete) against secrets or configmaps.\u003c/li\u003e\n\u003cli\u003eKubernetes audit logs record the activity, showing the Arc proxy service account as the user and the attacker's identity in the \u003ccode\u003eimpersonatedUser\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially retrieves sensitive data from secrets (e.g., database credentials, API keys) or configmaps.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the retrieved data or uses it to further compromise the Kubernetes cluster or connected resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain unauthorized access to sensitive information stored in Kubernetes secrets and configmaps. This can lead to data breaches, lateral movement within the cluster, and further compromise of the overall cloud environment.  The impact depends on the data stored in the compromised secrets and configmaps, but it could include exposure of database credentials, API keys, or other sensitive configuration data.  Compromised credentials can then be used to access other systems and resources, expanding the scope of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eKubernetes Secret or ConfigMap Access via Azure Arc Proxy\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the \u003ccode\u003ekubernetes.audit.impersonatedUser.username\u003c/code\u003e field to identify the actual caller and correlating with Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit Azure AD service principals with permissions to access Azure Arc-connected Kubernetes clusters.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Sign-In Logs for suspicious authentication activity related to service principals used for Azure Arc management.\u003c/li\u003e\n\u003cli\u003eConsider implementing stricter network segmentation to limit the blast radius of compromised service principals.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-31-azure-arc-proxy-secret-configmap-access/","summary":"Detection of unauthorized access to Kubernetes secrets or configmaps via the Azure Arc AAD proxy service account, indicating potential abuse of stolen service principal credentials to read, exfiltrate, or modify sensitive data.","title":"Kubernetes Secret or ConfigMap Access via Azure Arc Proxy","url":"https://feed.craftedsignal.io/briefs/2024-01-31-azure-arc-proxy-secret-configmap-access/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Arc","Azure Kubernetes"],"_cs_severities":["medium"],"_cs_tags":["azure","azure-arc","credential-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies anomalous access patterns to Azure Arc-connected Kubernetes clusters. Specifically, it monitors the \u003ccode\u003elistClusterUserCredential\u003c/code\u003e operation, which provides credentials for the Arc Cluster Connect proxy, enabling \u003ccode\u003ekubectl\u003c/code\u003e access through the Azure ARM API. An attacker leveraging stolen credentials, such as those belonging to a service principal, may attempt to list cluster credentials from an unfamiliar IP address. The detection leverages a 7-day history to establish baseline IP-to-identity mappings, reducing false positives from legitimate sources like CI/CD pipelines with rotating IPs. This activity is particularly relevant because successful credential access can lead to unauthorized cluster access and potential data exfiltration or resource compromise. The IBM X-Force has identified potential abuse of Azure Arc for hybrid escalation and persistence. The detection logic originates from Elastic's detection rules.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises a service principal or user account with privileges to manage Azure Arc-connected Kubernetes clusters.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to Azure using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eAttacker invokes the \u003ccode\u003eMICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION\u003c/code\u003e operation via the Azure API from a new or unusual source IP address.\u003c/li\u003e\n\u003cli\u003eThe operation returns credentials for the Arc Cluster Connect proxy.\u003c/li\u003e\n\u003cli\u003eAttacker uses the retrieved credentials to establish a proxy tunnel via \u003ccode\u003eaz connectedk8s proxy\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker routes \u003ccode\u003ekubectl\u003c/code\u003e commands through the Azure ARM API, accessing the Kubernetes cluster without direct network connectivity.\u003c/li\u003e\n\u003cli\u003eAttacker performs reconnaissance within the Kubernetes cluster, identifying valuable resources like secrets and configmaps.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates sensitive data or compromises the cluster's integrity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to Kubernetes clusters connected to Azure Arc. Compromised credentials can enable attackers to perform arbitrary actions within the cluster, potentially leading to data theft, service disruption, or the deployment of malicious workloads. The severity depends on the privileges associated with the compromised identity and the sensitivity of the data stored within the cluster. Lateral movement from compromised cloud resources to on-premise Kubernetes clusters is possible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Azure Arc Cluster Credential Access from Unusual Source\u0026quot; to your SIEM and tune the history window for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the caller identity (\u003ccode\u003eazure.activitylogs.identity.claims.appid\u003c/code\u003e), source IP (\u003ccode\u003esource.ip\u003c/code\u003e), and associated Azure Sign-In Logs.\u003c/li\u003e\n\u003cli\u003eIf a compromise is suspected, revoke the service principal credentials and remove Arc RBAC role assignments as detailed in the investigation guide.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Activity Logs for \u003ccode\u003eMICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION\u003c/code\u003e events, filtering for unexpected source IPs.\u003c/li\u003e\n\u003cli\u003eReview Kubernetes audit logs for suspicious activity following the \u003ccode\u003elistClusterUserCredential\u003c/code\u003e operation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-arc-credential-access/","summary":"Detects when a service principal or user performs an Azure Arc cluster credential listing operation from a source IP not previously associated with that identity, potentially indicating compromised credentials.","title":"Unusual Source IP for Azure Arc Cluster Credential Access","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-arc-credential-access/"}],"language":"en","title":"CraftedSignal Threat Feed - Azure Arc","version":"https://jsonfeed.org/version/1.1"}