Mastering Azure Managed Identities: Attack & Defense, Part 2

A group of cybersecurity specialists from Hunters, working under the prestigious Team Axon

A group of cybersecurity specialists from Hunters, operating under the prestigious Team Axon banner, have unveiled advanced threat-hunting techniques in a groundbreaking research paper titled “Mastering Azure Managed Identities: Attack & Defense, Part 2.”

This research builds upon their prior work on offensive tradecraft for exploiting misconfigured Managed Identities (MIs), covered in Part 1, to present a focused analysis of defensive tradecraft aimed at identifying and preventing the misuse of MIs.

As discussed previously, while MIs are designed to simplify credential management for Azure services, they also present a potential attack vector when misconfigured or compromised.

This latest paper, presented at the beginning of August 2023, continues where their offensive research left off, shifting focus to equipping security teams with actionable tools to safeguard their Azure ecosystems against identity-based threats.

The researchers explore the complexities of identifying and tracking both System-Assigned Managed Identities (SAMIs) and User-Assigned Managed Identities (UAMIs) using multiple Azure log sources.

These include Azure Sign-In, Audit, and Activity Logs, as well as Microsoft Graph Activity Logs.

By meticulously mapping MIs through methods like querying Azure CLI, reviewing the Azure Portal, and analyzing log data, the paper provides a robust foundation for inventorying these non-human identities (NHIs).

However, the true highlight is the development of twelve high-to-medium fidelity hunting queries crafted in Snowflake SQL.

These queries are designed to detect suspicious behaviors such as explicit token requests from virtual machines (VMs), enumeration via Microsoft Graph, and token usage from unusual IP addresses or endpoints.

Importantly, these queries are service-agnostic, concentrating on behavioral anomalies rather than narrow, service-specific logs, ensuring broader applicability across Azure environments.

For instance, one query correlates MI sign-ins with host-based events to flag instances where an attacker might be attempting to request a token for a specific service from a VM.

Another query serves to baseline normal actions taken by an MI, aiming to identify any deviations that could indicate an attacker attempting to escalate privileges or perform lateral movement.

The paper also underscores the importance of incident investigation, offering detailed guidelines for tracing compromised MIs.

This includes analyzing token requests, correlating activities across log sources using unique token identifiers, and assessing the blast radius of permissions granted to the compromised MI.

Complementary logs from services like Azure Key Vault and Storage can be used to further investigate any unauthorized access to sensitive resources.

By integrating these defensive strategies, the research endeavors to address the often-overlooked risks posed by NHIs, which form a critical part of the cloud attack surface.

Team Axon's contribution builds on prior work by NetSPI and other community researchers, like Karl Fossaen's DEF CON 32 talk, to push the boundaries of Azure security even further.

The researchers note that their efforts are powered by Hunters' AI-powered SOC platform, which aims to automate detection and response, especially relevant for smaller security teams that may not have the same breadth of resources.

Overall, this research not only sparks new ideas but also delivers practical, immediately usable tools to stay ahead of evolving identity threats in the cloud.