A group of cybersecurity specialists from Hunters, operating under the prestigious Team Axon banner, have unveiled advanced threat-hunting techniques in a groundbreaking research paper titled “Mastering Azure Managed Identities: Attack & Defense, Part 2.”
This research builds upon their prior work on offensive tradecraft for exploiting misconfigured Managed Identities (MIs), covered in Part 1, to present a focused analysis of defensive tradecraft aimed at identifying and preventing the misuse of MIs.
As discussed previously, while MIs are designed to simplify credential management for Azure services, they also present a potential attack vector when misconfigured or compromised.
This latest paper, presented at the beginning of August 2023, continues where their offensive research left off, shifting focus to equipping security teams with actionable tools to safeguard their Azure ecosystems against identity-based threats.
The researchers explore the complexities of identifying and tracking both System-Assigned Managed Identities (SAMIs) and User-Assigned Managed Identities (UAMIs) using multiple Azure log sources.
These include Azure Sign-In, Audit, and Activity Logs, as well as Microsoft Graph Activity Logs.
By meticulously mapping MIs through methods like querying the Azure CLI, reviewing the Azure Portal, and analyzing log data, the paper provides a robust foundation for inventorying these non-human identities (NHIs).
However, the true highlight is the development of twelve high-to-medium fidelity hunting queries crafted in Snowflake SQL.
These queries are designed to detect suspicious behaviors such as explicit token requests from virtual machines (VMs), enumeration via Microsoft Graph, and token usage from unusual IP addresses or endpoints.
Importantly, these queries are service-agnostic, concentrating on behavioral anomalies rather than narrow, service-specific logs, ensuring broader applicability across Azure environments.
For instance, one query correlates MI sign-ins with host-based events to flag instances where an attacker might be attempting to request a token for a specific service from a VM.
Another query serves to baseline normal actions taken by an MI, aiming to identify any deviations that could indicate an attacker attempting to escalate privileges or perform lateral movement.
The paper also underscores the importance of incident investigation, offering detailed guidelines for tracing compromised MIs.
This includes analyzing token requests, correlating activities across log sources using unique token identifiers, and assessing the blast radius of permissions granted to the compromised MI.
Complementary logs from services like Azure Key Vault and Storage can be used to further investigate any unauthorized access to sensitive resources.
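The two defensive ideas summarised above, baselining what an MI normally does so that deviations stand out, and pivoting from a suspicious sign-in to the activity it produced by joining on the token's unique identifier, are shown here as an added, self-contained Python example. It is not code from the Team Axon paper or from Hunters (whose queries are written in Snowflake SQL); the field names `mi`, `resource`, `ip` and `utid` are assumptions loosely modelled on Azure managed-identity sign-in logs, and all records are constructed for the example.

```python
"""
Added example (not from the Team Axon paper or Hunters): baseline managed-identity
sign-ins, flag deviations, and pivot to downstream activity via the token identifier.
Field names are assumptions; all records below are constructed sample data.
"""
from collections import defaultdict

# Constructed baseline window: sign-ins that represent each MI's normal behaviour.
BASELINE_SIGNINS = [
    {"mi": "mi-web-vm", "resource": "https://vault.azure.net",   "ip": "10.0.1.4", "utid": "t-001"},
    {"mi": "mi-web-vm", "resource": "https://vault.azure.net",   "ip": "10.0.1.4", "utid": "t-002"},
    {"mi": "mi-web-vm", "resource": "https://storage.azure.com", "ip": "10.0.1.4", "utid": "t-003"},
    {"mi": "mi-web-vm", "resource": "https://storage.azure.com", "ip": "10.0.1.5", "utid": "t-004"},
    {"mi": "mi-batch",  "resource": "https://storage.azure.com", "ip": "10.0.2.9", "utid": "t-005"},
]

# Constructed "recent" window that the hunt runs over.
RECENT_SIGNINS = [
    {"mi": "mi-web-vm", "resource": "https://vault.azure.net",     "ip": "10.0.1.4",    "utid": "t-101"},  # normal
    {"mi": "mi-web-vm", "resource": "https://vault.azure.net",     "ip": "203.0.113.7", "utid": "t-102"},  # unseen IP
    {"mi": "mi-web-vm", "resource": "https://graph.microsoft.com", "ip": "10.0.1.4",    "utid": "t-103"},  # unseen resource
    {"mi": "mi-batch",  "resource": "https://vault.azure.net",     "ip": "10.0.2.9",    "utid": "t-104"},  # unseen resource
    {"mi": "mi-ghost",  "resource": "https://vault.azure.net",     "ip": "10.0.3.1",    "utid": "t-105"},  # MI with no baseline
    {"mi": "mi-web-vm", "resource": "https://vault.azure.net",     "ip": "10.0.1.5",    "utid": "t-106"},  # known IP and resource, new pairing
]

# Constructed downstream activity (e.g. Key Vault or Graph operations) carrying the
# same token identifier as the sign-in, which is what lets an analyst pivot between sources.
ACTIVITY_LOG = [
    {"utid": "t-101", "operation": "SecretGet",  "target": "kv-prod/api-key"},
    {"utid": "t-102", "operation": "SecretList", "target": "kv-prod"},
    {"utid": "t-102", "operation": "SecretGet",  "target": "kv-prod/db-password"},
    {"utid": "t-103", "operation": "ListUsers",  "target": "graph:/users"},
]


def build_baseline(signins):
    """Map each MI to the set of (resource, ip) pairs it has been observed using."""
    baseline = defaultdict(set)
    for s in signins:
        baseline[s["mi"]].add((s["resource"], s["ip"]))
    return baseline


def find_deviations(baseline, signins):
    """Return (signin, reasons) for every sign-in that departs from the baseline."""
    flagged = []
    for s in signins:
        known = baseline.get(s["mi"])  # .get() does not create an entry for unknown MIs
        if known is None:
            flagged.append((s, ["unknown_mi"]))
            continue
        known_resources = {r for r, _ in known}
        known_ips = {ip for _, ip in known}
        reasons = []
        if s["ip"] not in known_ips:
            reasons.append("new_ip")
        if s["resource"] not in known_resources:
            reasons.append("new_resource")
        # IP and resource each seen before, but never together for this MI.
        if not reasons and (s["resource"], s["ip"]) not in known:
            reasons.append("new_pairing")
        if reasons:
            flagged.append((s, reasons))
    return flagged


def trace_token(utid, activity):
    """All downstream operations performed with the token identified by utid."""
    return [a for a in activity if a["utid"] == utid]


def blast_radius(utid, activity):
    """Sorted list of distinct targets touched with that token."""
    return sorted({a["target"] for a in trace_token(utid, activity)})


def hunt(baseline_signins, recent_signins, activity):
    """Baseline, flag deviations, and enrich each finding with what the token went on to do."""
    base = build_baseline(baseline_signins)
    report = []
    for s, reasons in find_deviations(base, recent_signins):
        report.append({
            "mi": s["mi"], "utid": s["utid"], "ip": s["ip"], "resource": s["resource"],
            "reasons": reasons, "targets": blast_radius(s["utid"], activity),
        })
    return report


if __name__ == "__main__":
    for row in hunt(BASELINE_SIGNINS, RECENT_SIGNINS, ACTIVITY_LOG):
        print(row)
```

The `hunt` report gives an analyst, per flagged sign-in, both why it deviated from the MI's baseline and which targets that particular token reached, which is the blast-radius question the investigation guidance raises. On real data the same join key would be the sign-in's unique token identifier, and the baseline window would be built from a longer history than the handful of records used here.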
By integrating these defensive strategies, the research endeavors to address the often-overlooked risks posed by NHIs, which form a critical part of the cloud attack surface.
Team Axon's contribution builds on prior work by NetSPI and other community researchers, such as Karl Fosaaen's DEF CON 32 talk, to push the boundaries of Azure security even further.
The researchers note that their efforts are powered by Hunters' AI-powered SOC platform, which aims to automate detection and response, especially relevant for smaller security teams that may not have the same breadth of resources.
Overall, this research not only sparks new ideas but also delivers practical, immediately usable tools to stay ahead of evolving identity threats in the cloud.