Security researchers have unveiled refined techniques for identifying potential abuse of Azure Managed Identities (MIs), addressing a critical but often overlooked security concern in cloud environments.
Azure MIs simplify credential management by removing the need for manual secret handling, but this convenience creates new attack vectors that sophisticated threat actors can exploit to escalate privileges and access sensitive resources.
The techniques, documented in a comprehensive research paper by Team Axon, focus on identifying unauthorized access and malicious use of MIs rather than merely detecting their existence.
As these identities are increasingly deployed across Azure services, they present an expanding attack surface that may allow adversaries to pivot across environments, gain unauthorized access to Microsoft Graph, and extract sensitive data from various Azure resources.
Hunters researchers noted that while MIs offer significant security benefits by eliminating static credentials, their potential misuse can be particularly damaging because they operate with the implicit trust of Azure's authentication framework.
The research builds on earlier work, notably Karl Fosaaen's DEF CON 32 talk "Identity Theft is Not a Joke, Azure!", which first raised awareness of MI abuse vectors.
The threat-hunting approach detailed in the paper introduces twelve specialized detection queries, each targeting a different aspect of potential MI abuse.
These queries range from high-fidelity detections, such as identifying explicit token requests from virtual machines, to broader behavioral analyses that flag when MIs access unusual resources or exhibit anomalous authentication patterns.
One of the key techniques presented focuses on detecting Microsoft Graph enumeration activity using compromised MIs.
Detection Methodology
This high-fidelity detection method identifies when a managed identity makes an anomalously high number of requests to Microsoft Graph API endpoints, behavior consistent with reconnaissance by threat actors who have gained unauthorized access to MI tokens.
The corresponding detection query, implemented in Snowflake SQL, creates a common table expression that identifies suspicious patterns of Graph API access:
WITH graph_enum_activity AS (
    SELECT
        MIN(time) AS min_event_time,
        MAX(time) AS max_event_time,
        user_principal_object_id,
        -- one-hour bucket used for grouping (the page groups by hour_of_events without defining it)
        DATE_TRUNC('hour', time) AS hour_of_events,
        ARRAY_AGG(DISTINCT request_uri) AS distinct_request_uris,
        COUNT(DISTINCT request_uri) AS amount_of_request_uris,
        -- "endpoint base" = first path segment after the API version, e.g. "users" in /v1.0/users/{id}
        -- (assumed derivation; the page does not show how amount_of_endpoint_base is computed)
        COUNT(DISTINCT SPLIT_PART(REGEXP_SUBSTR(request_uri, '/(v1\\.0|beta)/[^/?]+'), '/', 3)) AS amount_of_endpoint_base,
        COUNT(*) AS amount_of_requests
    FROM RAW.MICROSOFT_GRAPH_ACTIVITY_LOGS
    WHERE request_method = 'GET'
    GROUP BY user_principal_object_id, hour_of_events
    HAVING amount_of_requests > 60
       AND amount_of_endpoint_base > 5
       AND amount_of_request_uris > 30
)
SELECT * FROM graph_enum_activity;
The query establishes behavioral thresholds by analyzing request patterns, flagging cases where managed identities make a suspicious number of distinct calls to the Graph API within a short timeframe.
This detection approach is particularly effective because legitimate MIs typically display predictable, limited request patterns to Graph resources, making anomalous enumeration attempts stand out.
Beyond detection, the research also details practical guidance for incident investigation and response, including cross-correlation techniques between Azure Sign-in logs, Activity logs, and Microsoft Graph telemetry to trace the full scope of potential compromises.
By providing these detection methodologies, security teams gain vital capabilities to identify potential compromises before attackers can fully exploit their access to cloud environments and sensitive resources.
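The same threshold logic, run over constructed Graph activity records in Python, makes the three conditions and the hourly bucketing concrete. This is an added example, not code from the article or from Team Axon's paper; the record field names mirror the query's columns, the hour bucket and the "endpoint base" derivation (first path segment after the v1.0/beta version prefix) are assumptions, and the sample identities and request URIs are constructed. Beyond the page's single case, it also shows two kinds of activity that must not fire: a high-volume identity polling the same two URIs, and an identity whose requests are spread across two hour buckets.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds taken from the page's Snowflake query.
MIN_REQUESTS = 60
MIN_ENDPOINT_BASES = 5
MIN_DISTINCT_URIS = 30

# Assumed derivation of "endpoint base": first path segment after /v1.0/ or /beta/.
_ENDPOINT_BASE = re.compile(r"/(?:v1\.0|beta)/([^/?]+)")


def endpoint_base(request_uri):
    """Return the Graph resource type a URI targets, e.g. 'users', or None if unrecognised."""
    m = _ENDPOINT_BASE.search(request_uri)
    return m.group(1) if m else None


def find_graph_enumeration(records):
    """Group GET requests per (managed identity, hour bucket) and flag groups that
    exceed all three thresholds, mirroring the HAVING clause of the page's query."""
    groups = defaultdict(list)
    for rec in records:
        if rec["request_method"] != "GET":
            continue
        hour = rec["time"].replace(minute=0, second=0, microsecond=0)
        groups[(rec["user_principal_object_id"], hour)].append(rec)

    hits = []
    for (oid, hour), recs in groups.items():
        uris = {r["request_uri"] for r in recs}
        bases = {endpoint_base(u) for u in uris} - {None}
        if (len(recs) > MIN_REQUESTS
                and len(bases) > MIN_ENDPOINT_BASES
                and len(uris) > MIN_DISTINCT_URIS):
            hits.append({
                "user_principal_object_id": oid,
                "hour_of_events": hour,
                "min_event_time": min(r["time"] for r in recs),
                "max_event_time": max(r["time"] for r in recs),
                "amount_of_requests": len(recs),
                "amount_of_endpoint_base": len(bases),
                "amount_of_request_uris": len(uris),
            })
    return sorted(hits, key=lambda h: (h["user_principal_object_id"], h["hour_of_events"]))


def _rec(oid, t, uri):
    return {"user_principal_object_id": oid, "time": t, "request_method": "GET", "request_uri": uri}


def constructed_sample():
    """Constructed Graph activity records (not real telemetry) covering one true positive
    and two benign patterns that share some, but not all, of its features."""
    start = datetime(2024, 1, 15, 10, 0, 0)
    graph = "https://graph.microsoft.com/v1.0"
    bases = ["users", "groups", "servicePrincipals", "applications",
             "devices", "directoryRoles", "oauth2PermissionGrants"]
    recs = []
    # 1) Enumerating identity: 70 GETs in 35 minutes across 7 resource types and 42 distinct URIs.
    for i in range(70):
        recs.append(_rec("mi-enum", start + timedelta(seconds=30 * i),
                         f"{graph}/{bases[i % 7]}/obj-{i % 42}"))
    # 2) Benign poller: 80 GETs in the same hour, but only 2 distinct URIs on one resource type.
    for i in range(80):
        recs.append(_rec("mi-app", start + timedelta(seconds=20 * i),
                         f"{graph}/users/poll-{i % 2}"))
    # 3) Same breadth as (1) but spread over two hour buckets (36 + 44 requests), so neither bucket trips.
    for i in range(80):
        recs.append(_rec("mi-slow", start + timedelta(minutes=30, seconds=50 * i),
                         f"{graph}/{bases[i % 7]}/obj-{i % 42}"))
    return recs


if __name__ == "__main__":
    for hit in find_graph_enumeration(constructed_sample()):
        print(hit)
```

The per-hour bucket is what keeps the third identity below the threshold even though its total volume and breadth match the first; an investigator tuning this rule should expect slow, patient enumeration to need a wider window or a lower count to surface.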