Mastering Azure Managed Identities: Attack & Defense, Part 2

2025/05/14 17:15

A group of cybersecurity specialists from Hunters, working under the prestigious Team Axon.

A group of cybersecurity specialists from Hunters, operating under the prestigious Team Axon banner, have unveiled advanced threat-hunting techniques in a groundbreaking research paper titled “Mastering Azure Managed Identities: Attack & Defense, Part 2.”

This research builds upon their prior work on offensive tradecraft for exploiting misconfigured Managed Identities (MIs), covered in Part 1, to present a focused analysis of defensive tradecraft aimed at identifying and preventing the misuse of MIs.

As discussed previously, while MIs are designed to simplify credential management for Azure services, they also present a potential attack vector when misconfigured or compromised.

This latest paper, presented at the beginning of August 2023, continues where their offensive research left off, shifting focus to equipping security teams with actionable tools to safeguard their Azure ecosystems against identity-based threats.

The researchers explore the complexities of identifying and tracking both System-Assigned Managed Identities (SAMIs) and User-Assigned Managed Identities (UAMIs) using multiple Azure log sources.

These include Azure Sign-In, Audit, and Activity Logs, as well as Microsoft Graph Activity Logs.

By meticulously mapping MIs through methods like querying Azure CLI, reviewing the Azure Portal, and analyzing log data, the paper provides a robust foundation for inventorying these non-human identities (NHIs).

However, the true highlight is the development of twelve high-to-medium fidelity hunting queries crafted in Snowflake SQL.

These queries are designed to detect suspicious behaviors such as explicit token requests from virtual machines (VMs), enumeration via Microsoft Graph, and token usage from unusual IP addresses or endpoints.

Importantly, these queries are service-agnostic, concentrating on behavioral anomalies rather than narrow, service-specific logs, ensuring broader applicability across Azure environments.

For instance, one query correlates MI sign-ins with host-based events to flag instances where an attacker might be attempting to request a token for a specific service from a VM.

Another query serves to baseline normal actions taken by an MI, aiming to identify any deviations that could indicate an attacker attempting to escalate privileges or perform lateral movement.
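
The baseline-and-deviation idea behind the queries above (known source IPs and target resources per MI, then flagging requests that fall outside that baseline) can be sketched outside Snowflake. The following is an added illustration written for this summary, not Team Axon's query or Azure's log schema: the records and their field names (`mi`, `ip`, `resource`, `ts`) are constructed and simplified.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample MI token-request records (assumed simplified schema,
# not real Azure sign-in log fields). Timestamps are ISO 8601.
SAMPLE_SIGNINS = [
    {"mi": "mi-webapp", "ip": "10.0.1.4", "resource": "https://storage.azure.com", "ts": "2025-05-01T08:00:00"},
    {"mi": "mi-webapp", "ip": "10.0.1.4", "resource": "https://storage.azure.com", "ts": "2025-05-02T08:05:00"},
    {"mi": "mi-webapp", "ip": "10.0.1.4", "resource": "https://storage.azure.com", "ts": "2025-05-03T08:02:00"},
    # Same MI, later: a new source IP requesting a token for a new audience.
    {"mi": "mi-webapp", "ip": "203.0.113.9", "resource": "https://graph.microsoft.com", "ts": "2025-05-10T02:13:00"},
    {"mi": "mi-batch", "ip": "10.0.2.7", "resource": "https://vault.azure.net", "ts": "2025-05-01T23:00:00"},
    {"mi": "mi-batch", "ip": "10.0.2.7", "resource": "https://vault.azure.net", "ts": "2025-05-10T23:01:00"},
]


def build_baseline(records, cutoff):
    """Per MI, collect the (ip, resource) pairs observed before the cutoff."""
    cutoff_ts = datetime.fromisoformat(cutoff)
    baseline = defaultdict(set)
    for r in records:
        if datetime.fromisoformat(r["ts"]) < cutoff_ts:
            baseline[r["mi"]].add((r["ip"], r["resource"]))
    return baseline


def find_deviations(records, cutoff):
    """Flag post-cutoff token requests whose source IP or target resource
    was never seen for that MI during the baseline window.
    Returns a list of (mi, ip, resource, reasons) tuples."""
    cutoff_ts = datetime.fromisoformat(cutoff)
    baseline = build_baseline(records, cutoff)
    alerts = []
    for r in records:
        if datetime.fromisoformat(r["ts"]) < cutoff_ts:
            continue  # part of the baseline window, not a candidate
        seen = baseline.get(r["mi"], set())
        if not seen:
            # An MI with no history at all is itself worth a look.
            alerts.append((r["mi"], r["ip"], r["resource"], ["no_baseline"]))
            continue
        reasons = []
        if r["ip"] not in {ip for ip, _ in seen}:
            reasons.append("new_ip")
        if r["resource"] not in {res for _, res in seen}:
            reasons.append("new_resource")
        if reasons:
            alerts.append((r["mi"], r["ip"], r["resource"], reasons))
    return alerts
```

Run against the constructed records with a cutoff of 2025-05-05, only the mi-webapp request from 203.0.113.9 for Microsoft Graph is flagged; the mi-batch request matches its own baseline and stays silent.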

The paper also underscores the importance of incident investigation, offering detailed guidelines for tracing compromised MIs.

This includes analyzing token requests, correlating activities across log sources using unique token identifiers, and assessing the blast radius of permissions granted to the compromised MI.

Complementary logs from services like Azure Key Vault and Storage can be used to further investigate any unauthorized access to sensitive resources.

By integrating these defensive strategies, the research endeavors to address the often-overlooked risks posed by NHIs, which form a critical part of the cloud attack surface.

Team Axon's contribution builds on prior work by NetSPI and other community researchers, like Karl Fosaaen's DEF CON 32 talk, to push the boundaries of Azure security even further.

The researchers note that their efforts are supported by Hunters' AI-powered SOC platform, which aims to automate detection and response, something especially relevant for smaller security teams that lack the same breadth of resources.

Overall, this research not only sparks new ideas but also delivers practical, immediately usable tools to stay ahead of evolving identity threats in the cloud.
