Security researchers have released a comprehensive set of advanced threat-hunting methodologies aimed at detecting and mitigating abuse of Azure Managed Identities (MIs).
Building on recent discoveries and high-profile presentations such as Karl Fosaaen's (NetSPI) talk at DEF CON 32, this research shifts the focus from exploitation techniques to proactive defensive strategies. It equips security teams with actionable techniques to uncover and investigate misuse of the MIs that underpin many enterprise cloud deployments.
Azure Managed Identities, designed to eliminate the need for hardcoded credentials by automating identity assignment across services, have become a double-edged sword.
While they streamline secure resource access, MIs can also expand the attack surface if not closely monitored.
The potential for lateral movement, privilege escalation, and unauthorized access via compromised MIs requires organizations to adopt robust, behavior-centric detection mechanisms, as traditional static monitoring and network-based controls are often insufficient.
The research emphasizes three core facets for detecting MI abuse: accurately mapping all MIs (including system-assigned and user-assigned variants), leveraging native Azure monitoring and log sources, and developing modular, service-agnostic hunting queries to reveal suspicious, cross-service actions.
Identification of Managed Identities
Effective threat hunting begins with an up-to-date inventory of all Azure MIs. Researchers outline multi-pronged approaches for identification:
- Azure Portal Inspection: While user-assigned MIs (UAMIs) are easily listed, system-assigned MIs (SAMIs) require inspection of individual resources.
- CLI-Based Enumeration: Azure CLI and PowerShell scripts can enumerate and categorize MIs across subscriptions with high granularity.
- Log Forensics: Where portal or CLI access is unavailable, or where the identity has already been deleted, Azure Sign-In, Audit, and Activity logs become crucial. Custom SQL and Snowflake queries parse creation events, token usage, and operational baselines, supporting deep historical investigations.
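The CLI-based enumeration step above distinguishes system-assigned from user-assigned identities. The following is an added example (not code from the research or from NetSPI) showing how an inventory can be built from the JSON that `az ad sp list --all --filter "servicePrincipalType eq 'ManagedIdentity'"` returns. It relies on the fact that Entra records an `isExplicit=True` (user-assigned) or `isExplicit=False` (system-assigned) flag alongside the backing ARM resource ID in each managed identity service principal's `alternativeNames`. The sample JSON, subscription, object IDs and names are all constructed for this example.

```python
import json
import re
from collections import Counter
from typing import Dict, List

# Constructed sample shaped like the output of
#   az ad sp list --all --filter "servicePrincipalType eq 'ManagedIdentity'"
# Every GUID, subscription and display name below is made up for this example.
SAMPLE_SP_JSON = """[
  {
    "displayName": "vm-web-01",
    "id": "11111111-1111-1111-1111-111111111111",
    "servicePrincipalType": "ManagedIdentity",
    "alternativeNames": [
      "isExplicit=False",
      "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-01"
    ]
  },
  {
    "displayName": "id-shared-deploy",
    "id": "22222222-2222-2222-2222-222222222222",
    "servicePrincipalType": "ManagedIdentity",
    "alternativeNames": [
      "isExplicit=True",
      "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-shared/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-shared-deploy"
    ]
  },
  {
    "displayName": "legacy-app",
    "id": "33333333-3333-3333-3333-333333333333",
    "servicePrincipalType": "Application",
    "alternativeNames": []
  }
]"""

# Extracts "Namespace/resourceType" from an ARM resource ID.
ARM_PROVIDER = re.compile(r"/providers/([^/]+/[^/]+)/", re.IGNORECASE)
UAMI_PROVIDER = "microsoft.managedidentity/userassignedidentities"


def classify_managed_identities(service_principals: List[dict]) -> List[Dict[str, str]]:
    """Return one inventory row per managed identity service principal.

    isExplicit=True in alternativeNames marks a user-assigned identity (UAMI),
    isExplicit=False a system-assigned one (SAMI). The ARM resource ID in the
    same list names the resource the identity belongs to.
    """
    rows = []
    for sp in service_principals:
        if sp.get("servicePrincipalType") != "ManagedIdentity":
            continue  # ordinary app registrations are out of scope here
        names = sp.get("alternativeNames", [])
        flags = {n.split("=", 1)[0].lower(): n.split("=", 1)[1].lower()
                 for n in names if "=" in n}
        resource_id = next((n for n in names if n.startswith("/subscriptions/")), "")
        match = ARM_PROVIDER.search(resource_id)
        provider = match.group(1) if match else "unknown"
        explicit = flags.get("isexplicit", "")
        if explicit == "true" or provider.lower() == UAMI_PROVIDER:
            kind = "user-assigned"
        elif explicit == "false":
            kind = "system-assigned"
        else:
            kind = "unknown"  # flag missing: inspect the resource by hand
        rows.append({
            "displayName": sp.get("displayName", ""),
            "objectId": sp.get("id", ""),
            "kind": kind,
            "provider": provider,
            "resourceId": resource_id,
        })
    return rows


def summarize(rows: List[Dict[str, str]]) -> Counter:
    """Count identities per kind; useful as a quick drift check between runs."""
    return Counter(r["kind"] for r in rows)


def load_inventory(raw_json: str) -> List[Dict[str, str]]:
    return classify_managed_identities(json.loads(raw_json))


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_SP_JSON)
    for row in inventory:
        print(f'{row["kind"]:16} {row["provider"]:45} {row["displayName"]}')
    print(dict(summarize(inventory)))
```

Run it against the real CLI output by piping `az ad sp list ... > sps.json` and calling `load_inventory(open("sps.json").read())`; the `provider` column is what lets a hunter group system-assigned identities by the hosting service (VMs, Function Apps, Automation Accounts) before building per-service baselines.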
Hunting Queries Detect Advanced Attacks
A central innovation of the researchers’ approach is the development of a suite of behavioral hunting queries that pivot around multi-source log analysis.
These queries, written in SQL and adaptable to native Azure Kusto Query Language (KQL), focus on detecting service-agnostic anomalies such as:
- Explicit token requests from virtual machines with attached SAMIs, correlating Azure sign-ins with host-based process events for signs of hands-on-keyboard attacks.
- Unusual token usage patterns, including the same access token used from multiple IP addresses (suggesting token theft or replay attacks).
- Managed identities being leveraged from non-Azure or anomalous resources, signaling possible lateral movement or privilege escalation.
- The assignment and usage of highly privileged Graph API roles not typical for the majority of MIs, which may indicate compromise.
- Rapid, anomalous requests by a single MI for multiple token types (ARM, Key Vault, Storage), a hallmark of adversarial reconnaissance and privilege enumeration.
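Three of the anomalies listed above (one token seen from several IP addresses, one identity requesting tokens for several resource types in quick succession, and an identity touching resources outside its historical baseline, which also serves the baseline-deviation step of the response playbook that follows) can be expressed as plain set logic before being ported to SQL or KQL. The block below is an added example, not one of the researchers' queries. The event schema is a simplified assumption of this example: "issue" events stand for token requests as seen in the Entra managed identity sign-in log (whose `UniqueTokenIdentifier`, `IPAddress` and `ResourceDisplayName` columns these fields mirror), and "use" events stand for later calls that carry the same token identifier. All events, identities, IPs and the baseline are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

Event = Dict[str, str]


def ev(time: str, kind: str, mi: str, resource: str, ip: str, token: str) -> Event:
    return {"Time": time, "Kind": kind, "Mi": mi, "Resource": resource, "Ip": ip, "TokenId": token}


ARM, KEYVAULT, STORAGE = "https://management.azure.com/", "https://vault.azure.net", "https://storage.azure.com/"

# Constructed sample: a VM identity requests ARM, Key Vault and Storage tokens within
# three minutes, and its ARM token is later seen from an address outside the VNet.
EVENTS: List[Event] = [
    ev("2024-06-01T10:00:00", "issue", "mi-vm-web-01", ARM, "10.1.0.4", "tok-001"),
    ev("2024-06-01T10:00:05", "use",   "mi-vm-web-01", ARM, "10.1.0.4", "tok-001"),
    ev("2024-06-01T10:07:00", "use",   "mi-vm-web-01", ARM, "203.0.113.77", "tok-001"),
    ev("2024-06-01T10:01:00", "issue", "mi-vm-web-01", KEYVAULT, "10.1.0.4", "tok-002"),
    ev("2024-06-01T10:02:30", "issue", "mi-vm-web-01", STORAGE, "10.1.0.4", "tok-003"),
    ev("2024-06-01T11:00:00", "issue", "mi-func-billing", STORAGE, "10.2.0.9", "tok-004"),
    ev("2024-06-01T11:00:01", "use",   "mi-func-billing", STORAGE, "10.2.0.9", "tok-004"),
]

# Constructed 30-day baseline: which resources each identity normally obtains tokens for.
BASELINE: Dict[str, Set[str]] = {
    "mi-vm-web-01": {ARM},
    "mi-func-billing": {STORAGE},
}


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def same_token_multiple_ips(events: List[Event]) -> Dict[str, Set[str]]:
    """Token identifiers observed from more than one source IP (theft or replay indicator)."""
    ips: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        ips[e["TokenId"]].add(e["Ip"])
    return {token: addrs for token, addrs in ips.items() if len(addrs) > 1}


def rapid_multi_resource_requests(events: List[Event],
                                  window: timedelta = timedelta(minutes=5),
                                  min_resources: int = 3) -> Dict[str, Set[str]]:
    """Identities that request tokens for >= min_resources distinct audiences inside one window.

    A sliding window anchored at each request catches bursts regardless of where they
    fall in the day; the first qualifying window per identity is reported.
    """
    issues: Dict[str, List] = defaultdict(list)
    for e in events:
        if e["Kind"] == "issue":
            issues[e["Mi"]].append((parse_time(e["Time"]), e["Resource"]))
    hits: Dict[str, Set[str]] = {}
    for mi, requests in issues.items():
        requests.sort()
        for start, _ in requests:
            in_window = {res for t, res in requests if start <= t <= start + window}
            if len(in_window) >= min_resources:
                hits[mi] = in_window
                break
    return hits


def new_resources_vs_baseline(events: List[Event], baseline: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Resources an identity requested tokens for that never appeared in its baseline."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["Kind"] == "issue":
            seen[e["Mi"]].add(e["Resource"])
    findings = {}
    for mi, resources in seen.items():
        novel = resources - baseline.get(mi, set())
        if novel:
            findings[mi] = novel
    return findings


if __name__ == "__main__":
    print("token from multiple IPs:", same_token_multiple_ips(EVENTS))
    print("rapid multi-resource requests:", rapid_multi_resource_requests(EVENTS))
    print("outside baseline:", new_resources_vs_baseline(EVENTS, BASELINE))
```

Each function maps directly onto a `summarize ... by` query in KQL (group by `UniqueTokenIdentifier` and count distinct IPs; group by identity over a time bin and count distinct `ResourceDisplayName`; anti-join current requests against a baseline table), so the Python form is a convenient place to tune thresholds such as the window size against known-good traffic before the logic is deployed.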
The new methodologies extend beyond detection to provide incident responders with a playbook for scoping and remediation. Upon detection, security teams are advised to:
- Assess the compromised MI’s type and permissions to estimate the blast radius.
- Correlate token requests (via Azure Sign-In logs) with subsequent activities (in Audit and Activity logs) using unique token identifiers.
- Identify deviations from historical MI usage baselines, particularly access to sensitive resources or new services.
- Expand the investigation to associated user accounts, resource modifications, and lateral movement indicators, leveraging both core and service-specific logs (e.g., Key Vault, Storage, Automation Account).
This research marks a significant step forward in cloud defense, advocating for behavior-based analytics, cross-log correlation, and real-time anomaly detection as foundational elements for modern Azure security.
By adopting these detailed methodologies, organizations can dramatically improve their ability to uncover, investigate, and contain managed identity abuse before it leads to substantial compromise.