This edge links an Azure Kubernetes Service Managed Cluster to the Virtual Machine Scale Sets it uses to execute commands.
The system-assigned identity of the AKS cluster holds the Contributor role on the target Resource Group and therefore on its child Virtual Machine Scale Sets.
Abuse Info
You abuse this relationship by executing a command against the AKS Managed Cluster the edge emits from. You can target any managed identity assignment scoped to the Virtual Machine Scale Sets under the target Resource Group.
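From a defender's side, the useful question is which identities this edge actually exposes for a given cluster. The following is an added example, not code from BloodHound or BARK: it takes inventory records shaped like the JSON that `az aks show` and `az vmss list` return (the field names are assumed and simplified, and the sample records, GUIDs and subscription ID are constructed placeholders) and lists, per cluster, every managed identity assigned to a Virtual Machine Scale Set in that cluster's node resource group.

```python
"""Added example (not BloodHound/BARK code): enumerate the managed identities an
AKS cluster's system-assigned identity can reach through its node resource group."""

# Constructed sample inventory. Field names follow the Azure CLI JSON output
# (assumed shape, simplified); all GUIDs and the subscription ID are placeholders.
AKS_CLUSTERS = [
    {
        "name": "prod-aks",
        "resourceGroup": "rg-prod",
        "nodeResourceGroup": "MC_rg-prod_prod-aks_eastus",
        "identity": {"type": "SystemAssigned",
                     "principalId": "11111111-1111-1111-1111-111111111111"},
    },
    {
        "name": "dev-aks",
        "resourceGroup": "rg-dev",
        "nodeResourceGroup": "MC_rg-dev_dev-aks_eastus",
        "identity": {"type": "SystemAssigned",
                     "principalId": "22222222-2222-2222-2222-222222222222"},
    },
]

UA_KV_READER = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
                "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/kv-reader")

VMSS = [
    {   # node pool of prod-aks: carries both a system-assigned and a user-assigned identity
        "name": "aks-nodepool1-vmss",
        "resourceGroup": "MC_rg-prod_prod-aks_eastus",
        "identity": {
            "type": "SystemAssigned, UserAssigned",
            "principalId": "33333333-3333-3333-3333-333333333333",
            "userAssignedIdentities": {
                UA_KV_READER: {"principalId": "44444444-4444-4444-4444-444444444444",
                               "clientId": "55555555-5555-5555-5555-555555555555"},
            },
        },
    },
    {   # node pool of dev-aks: no identity assigned, nothing to reach
        "name": "aks-nodepool1-vmss",
        "resourceGroup": "MC_rg-dev_dev-aks_eastus",
        "identity": {"type": "None"},
    },
    {   # scale set outside any node resource group: not reachable via this edge
        "name": "unrelated-vmss",
        "resourceGroup": "rg-other",
        "identity": {"type": "SystemAssigned",
                     "principalId": "66666666-6666-6666-6666-666666666666"},
    },
]


def reachable_identities(cluster, vmss_list):
    """Return (vmss name, identity kind, principalId) for every managed identity
    assigned to a VMSS inside the cluster's node resource group.

    AKS places its node pools' scale sets in the node resource group, and the
    cluster identity's Contributor role on that group is what this edge models.
    """
    node_rg = cluster["nodeResourceGroup"].lower()   # resource group names are case-insensitive
    found = []
    for vmss in vmss_list:
        if vmss.get("resourceGroup", "").lower() != node_rg:
            continue
        ident = vmss.get("identity") or {}
        kind = ident.get("type", "")
        if "SystemAssigned" in kind and ident.get("principalId"):
            found.append((vmss["name"], "system-assigned", ident["principalId"]))
        for resource_id, ua in (ident.get("userAssignedIdentities") or {}).items():
            # Fall back to the resource ID when the CLI output omits principalId
            found.append((vmss["name"], "user-assigned", ua.get("principalId") or resource_id))
    return found


def edge_report(clusters, vmss_list):
    """Map each cluster name to the identities reachable through this edge."""
    return {c["name"]: reachable_identities(c, vmss_list) for c in clusters}


if __name__ == "__main__":
    for cluster, identities in edge_report(AKS_CLUSTERS, VMSS).items():
        print(f"{cluster}: {len(identities)} reachable identit(y/ies)")
        for vmss_name, kind, principal in identities:
            print(f"  {vmss_name:<22} {kind:<16} {principal}")
```

Clusters whose report is non-empty are the ones where this edge leads somewhere; each listed principal is a candidate for tightening its role assignments or for monitoring its token usage.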
Opsec Considerations
Which events are generated depends on the particular abuse performed, but in general Azure creates a log event for each abuse.
References
- https://github.com/BloodHoundAD/BARK
- https://www.netspi.com/blog/technical/cloud-penetration-testing/extract-credentials-from-azure-kubernetes-service/