Azure Service Principal Sign-In Followed by Arc Cluster Credential Access

hello@craftedsignal.io — Fri, 10 Apr 2026 16:27:52 +0000

This detection identifies a specific attack sequence targeting Azure Arc-connected Kubernetes clusters. It focuses on the scenario where a service principal authenticates to Microsoft Entra ID and subsequently requests credentials for an Azure Arc-connected Kubernetes cluster. The listClusterUserCredential action is used to retrieve tokens that enable kubectl access through the Arc Cluster Connect proxy. This sequence is particularly concerning when the service principal authenticates externally and immediately accesses Arc cluster credentials, especially from unexpected locations or Autonomous System Numbers (ASNs). This behavior, observed in attacks like those described by IBM X-Force in 2025, can lead to attackers gaining unauthorized access to and control over Kubernetes clusters. Defenders should investigate such events, particularly when the sign-in originates from an unexpected location or ASN.

Attack Chain

Initial Compromise: An attacker gains unauthorized access to a service principal’s credentials (e.g., through credential stuffing, phishing, or exposed secrets).
Service Principal Authentication: The attacker uses the compromised service principal credentials to authenticate to Microsoft Entra ID (Azure AD) using the ServicePrincipalSignInLogs.
Credential Listing Request: Immediately following successful authentication, the attacker leverages the service principal to initiate a request to list the cluster user credentials for an Azure Arc-connected Kubernetes cluster, triggering the MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION in the Activity Logs.
Credential Retrieval: The attacker retrieves the Arc cluster credentials.
Proxy Tunnel Establishment: The attacker uses the retrieved credentials to establish a proxy tunnel into the Kubernetes cluster via the Arc Cluster Connect proxy.
Kubernetes Access: With the tunnel established, the attacker can now execute kubectl commands, perform unauthorized actions within the cluster, such as creating, reading, updating, and deleting (CRUD) secrets and configmaps.
Lateral Movement & Privilege Escalation: The attacker exploits vulnerabilities or misconfigurations within the Kubernetes cluster to move laterally to other resources, escalate privileges, and gain further control.
Data Exfiltration or Ransomware Deployment: The attacker exfiltrates sensitive data from the Kubernetes cluster or deploys ransomware to encrypt critical data, impacting business operations.

Impact

Successful exploitation of this attack chain can lead to complete compromise of Azure Arc-connected Kubernetes clusters. Attackers can gain unauthorized access to sensitive data, disrupt critical services, and potentially deploy ransomware. The IBM X-Force team has documented cases of attackers using similar techniques for hybrid escalation and persistence. This can impact organizations across all sectors utilizing Azure Arc for managing Kubernetes clusters, potentially affecting dozens or hundreds of clusters per victim organization.

Recommendation

Deploy the provided Sigma rules to your SIEM and tune for your environment to detect the sequence of service principal sign-in followed by Arc cluster credential access.
Review Azure AD Audit Logs for recent changes to service principals, focusing on new credentials, federated identities, and owner changes, based on the investigation steps outlined in the rule’s note.
Enable conditional access policies to restrict service principal authentication by location to prevent logins from unexpected regions, as suggested in the rule’s note.
Monitor Azure Activity Logs for MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION events to identify potential unauthorized access attempts.
Rotate service principal credentials regularly and revoke active sessions and tokens for the SP as outlined in the rule’s response and remediation steps.

Azure Service Principal Sign-In Followed by Arc Cluster Credential Access

hello@craftedsignal.io — Tue, 17 Mar 2026 15:06:47 +0000

This detection rule identifies a specific attack chain targeting Azure Arc-connected Kubernetes clusters. The attack begins with a service principal authenticating to Microsoft Entra ID and immediately requesting credentials for an Azure Arc-connected Kubernetes cluster. This listClusterUserCredential action retrieves tokens enabling kubectl access via the Arc Cluster Connect proxy. This behavior is indicative of adversaries using stolen service principal secrets to gain unauthorized access and establish a proxy tunnel into Kubernetes environments. The rule prioritizes external service principal authentications (excluding managed identities) followed by Arc cluster credential access, particularly when sign-in origins are from unexpected locations or Autonomous System Numbers (ASNs). This activity was observed in attacks documented by IBM X-Force and Microsoft, as referenced below.

Attack Chain

The attacker compromises or obtains valid credentials for an Azure Service Principal.
The attacker authenticates to Microsoft Entra ID using the compromised service principal credentials, generating a ServicePrincipalSignInLogs event in Azure.
The attacker attempts to list cluster user credentials for a connected Kubernetes cluster using the compromised service principal. This generates an Azure Activity Log event: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION.
If successful, the listClusterUserCredential action provides the attacker with tokens to access the Kubernetes cluster through the Arc Cluster Connect proxy.
The attacker uses the acquired credentials to interact with the Kubernetes cluster via kubectl proxied through Azure Arc.
The attacker performs reconnaissance within the Kubernetes cluster to identify valuable targets.
The attacker attempts to create, read, update, or delete (CRUD) sensitive Kubernetes resources, such as secrets or configmaps.
The attacker may attempt to escalate privileges within the cluster or pivot to other resources within the Azure environment.

Impact

Compromise of service principal credentials and subsequent access to Azure Arc-connected Kubernetes clusters can lead to significant data breaches, service disruption, and unauthorized resource access. Successful exploitation allows attackers to gain control over Kubernetes clusters, potentially leading to lateral movement within the environment, exfiltration of sensitive data, and deployment of malicious workloads. The number of victims and specific sectors targeted vary based on the attacker’s objectives and the compromised environment.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect the described attack chain, tuning the maxspan value based on observed authentication patterns and network latency.
Investigate any alerts generated by the Sigma rule, focusing on unexpected sign-in locations or ASNs for the service principal (refer to the investigation fields in the rule definition).
Implement regular rotation of service principal credentials and enforce multi-factor authentication where possible (refer to Microsoft Entra ID documentation).
Review and restrict Azure role assignments for service principals on Arc-connected clusters to minimize potential impact from compromised credentials (refer to Azure RBAC documentation).
Enable logging for Azure sign-in logs and activity logs to ensure the data sources are available for the detection rule (refer to Azure Monitor documentation).

Azure-Arc — CraftedSignal Threat Feed

Azure Service Principal Sign-In Followed by Arc Cluster Credential Access

Attack Chain

Impact

Recommendation

Azure Service Principal Sign-In Followed by Arc Cluster Credential Access

Attack Chain

Impact

Recommendation