Azure AKS API Server Proxying Request to Kubelet

Last updated 10 days ago on 2026-07-09
Created 10 days ago on 2026-07-09

About

Detects a non-system identity using the AKS (Azure Kubernetes Service) API server nodes/proxy subresource to reach a node's Kubelet. Proxying through the API server reaches the Kubelet API to enumerate pods or run commands on nodes, a lateral-movement and privilege-escalation vector (kubeletctl, Peirates). Node, control-plane, and kube-system service account identities that routinely proxy for monitoring are excluded, so remaining matches, including compromised workload service accounts, are surfaced for review.
Tags
Domain: CloudDomain: KubernetesData Source: AzureData Source: Azure Platform LogsData Source: KubernetesUse Case: Threat DetectionTactic: Lateral MovementTactic: ExecutionLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Lateral Movement (TA0008)(external, opens in a new tab or window)

Execution (TA0002)(external, opens in a new tab or window)

False Positive Examples
Monitoring and log-collection agents that run outside kube-system (for example a metrics agent in its own namespace) proxy to the Kubelet on every scrape and will match repeatedly. Add targeted exclusions for verified monitoring service accounts and namespaces after review.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.platformlogs-*
Related Integrations

azure(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset:azure.platformlogs and event.action:"Microsoft.ContainerService/managedClusters/diagnosticLogs/Read" and azure.platformlogs.category:"kube-audit" and azure.platformlogs.properties.log.objectRef.resource:"nodes" and azure.platformlogs.properties.log.objectRef.subresource:"proxy" and not azure.platformlogs.properties.log.user.username:( system\:node\:* or "aksService" or "hcpService" or "readinessChecker" or system\:serviceaccount\:kube-system\:* )

Install detection rules in Elastic Security

Detect Azure AKS API Server Proxying Request to Kubelet in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).