Azure AKS Kubelet Proxy to Command Execution Endpoint

Last updated 3 days ago on 2026-07-16
Created 3 days ago on 2026-07-16

About

Detects use of the AKS (Azure Kubernetes Service) API server nodes/proxy subresource to reach a node's Kubelet command-execution endpoints (run, exec, attach, portforward, cri). Unlike benign monitoring that scrapes /metrics and /stats, a request to these endpoints executes commands inside a pod on the node, the core of the kubeletctl and Peirates lateral-movement technique. Even a GET to /exec is command execution because the Kubelet maps the WebSocket upgrade handshake to the RBAC get verb, so nodes/proxy GET is sufficient for remote code execution.
Tags
Domain: CloudDomain: KubernetesData Source: AzureData Source: Azure Platform LogsData Source: KubernetesUse Case: Threat DetectionTactic: ExecutionTactic: Lateral MovementLanguage: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Execution (TA0002)(external, opens in a new tab or window)

Lateral Movement (TA0008)(external, opens in a new tab or window)

False Positive Examples
Legitimate use of the Kubelet run/exec/attach/portforward endpoints via nodes/proxy is rare. Administrative debugging tools that proxy exec through the API server may match; baseline and exclude verified operators.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.platformlogs-*
Related Integrations

azure(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset:azure.platformlogs and event.action:"Microsoft.ContainerService/managedClusters/diagnosticLogs/Read" and azure.platformlogs.category:"kube-audit" and azure.platformlogs.properties.log.objectRef.resource:"nodes" and azure.platformlogs.properties.log.objectRef.subresource:"proxy" and azure.platformlogs.properties.log.requestURI:( */proxy/run/* or */proxy/exec* or */proxy/attach* or */proxy/portforward* or */proxy/portForward* or */proxy/cri/* ) and not azure.platformlogs.properties.log.user.username:( system\:node\:* or "aksService" or "hcpService" or "readinessChecker" )

Install detection rules in Elastic Security

Detect Azure AKS Kubelet Proxy to Command Execution Endpoint in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).