Researchers Unveil New Threat-Hunting Techniques to Detect Azure Managed Identity Abuse
A group of cybersecurity specialists from Hunters, working under the prestigious Team Axon, has presented sophisticated threat-hunting techniques in a ground-breaking research paper titled “Mastering Azure Managed Identities: Attack & Defense, Part 2,” with the goal of identifying and preventing the misuse of Azure Managed Identities (MIs).
As cloud environments continue to expand, MIs, designed to simplify credential management for Azure services, have become a double-edged sword, offering both enhanced security and a potential attack vector when misconfigured or compromised.
This latest research shifts focus from offensive exploitation, covered in Part 1, to proactive defense, equipping security teams with actionable tools to safeguard their Azure ecosystems against identity-based threats.
Counter Cloud Identity Threats
The researchers delve into the complexities of identifying and monitoring both System-Assigned Managed Identities (SAMIs) and User-Assigned Managed Identities (UAMIs) using multiple Azure log sources, including Azure Sign-In, Audit, and Activity Logs, as well as Microsoft Graph Activity Logs.
By meticulously mapping MIs through methods like querying Azure CLI, reviewing the Azure Portal, and analyzing log data, the paper provides a robust foundation for inventorying these non-human identities (NHIs).
What stands out is the development of twelve high-to-medium fidelity hunting queries crafted in Snowflake SQL, designed to detect suspicious behaviors such as explicit token requests from virtual machines (VMs), enumeration via Microsoft Graph, and token usage from unusual IP addresses or endpoints.
These queries are service-agnostic, focusing on behavioral anomalies rather than narrow, service-specific logs, ensuring broader applicability across Azure environments.
For instance, one query correlates MI sign-ins with host-based events to flag explicit token requests via tools like PowerShell, while another baselines normal MI actions to detect deviations, potentially indicating privilege escalation or lateral movement.
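The baselining approach described above, as an added illustration that is not one of the paper's Snowflake SQL queries: it learns each managed identity's usual source IPs and target resources from a baseline window of sign-in events and flags later events that break that profile. The event records and their field names are constructed for this example and only loosely mirror the Azure managed identity sign-in log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of managed-identity sign-in events (not real log data).
# Field names are simplified stand-ins for the sign-in log columns the paper
# correlates on (identity, source IP, target resource); this is an assumption.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00", "mi": "mi-web-vm", "ip": "10.0.1.4", "resource": "Azure Key Vault"},
    {"ts": "2024-03-03T08:05:00", "mi": "mi-web-vm", "ip": "10.0.1.4", "resource": "Azure Key Vault"},
    {"ts": "2024-03-02T02:00:00", "mi": "mi-etl", "ip": "10.0.2.7", "resource": "Azure Storage"},
    {"ts": "2024-03-10T02:00:00", "mi": "mi-etl", "ip": "10.0.2.7", "resource": "Azure Storage"},
    # Events after the baseline window: one benign repeat, two deviations.
    {"ts": "2024-03-20T09:00:00", "mi": "mi-web-vm", "ip": "10.0.1.4", "resource": "Azure Key Vault"},
    {"ts": "2024-03-20T09:30:00", "mi": "mi-web-vm", "ip": "203.0.113.55", "resource": "Microsoft Graph"},
    {"ts": "2024-03-21T11:00:00", "mi": "mi-unknown", "ip": "10.0.3.9", "resource": "Azure Storage"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def baseline_deviations(events, baseline_days=14):
    """Learn each managed identity's usual (source IP, target resource) profile from
    the first `baseline_days` of events, then flag later events that break that
    profile. Returns a list of findings, oldest first."""
    if not events:
        return []
    events = sorted(events, key=_ts)
    cutoff = _ts(events[0]) + timedelta(days=baseline_days)
    profile = defaultdict(lambda: {"ips": set(), "resources": set()})
    findings = []
    for event in events:
        prof = profile[event["mi"]]
        if _ts(event) < cutoff:          # inside the baseline window: learn, don't alert
            prof["ips"].add(event["ip"])
            prof["resources"].add(event["resource"])
            continue
        if not prof["ips"]:               # identity never seen during the baseline
            reasons = ["identity absent from baseline"]
        else:
            reasons = []
            if event["ip"] not in prof["ips"]:
                reasons.append("new source IP")
            if event["resource"] not in prof["resources"]:
                reasons.append("new target resource")
        if reasons:
            findings.append({**event, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in baseline_deviations(SAMPLE_EVENTS):
        print(f["ts"], f["mi"], f["ip"], f["resource"], "->", ", ".join(f["reasons"]))
```

In practice the baseline would be computed over a longer history and a finding would then be joined against host-based logs, as the paper does, to confirm whether a process on the VM explicitly requested the token.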
Detection Across Azure Log Sources
The paper also emphasizes the importance of incident investigation, offering detailed guidelines for tracing compromised MIs by analyzing token requests, correlating activities across log sources using unique token identifiers, and assessing the blast radius of permissions.
Complementary logs from services like Azure Key Vault and Storage further enrich investigations, revealing unauthorized access to sensitive resources.
By integrating these defensive strategies, the research addresses the often-overlooked risks of NHIs, which form a critical part of the cloud attack surface.
Team Axon’s contribution builds on prior work by NetSPI and other community researchers, such as Karl Fossaen’s DEF CON 32 talk, to push the boundaries of Azure security.
According to the report, Hunters’ AI-powered SOC platform underpins these efforts, automating detection and response to empower smaller security teams.
This research not only sparks new ideas but also delivers practical, immediately usable tools to stay ahead of evolving identity threats in the cloud, reinforcing the need for vigilant monitoring and robust defense mechanisms in modern cybersecurity landscapes.