By Alon Klayman & Eliraz Levi, Team Axon
Azure Managed Identities (MIs)—a key component of Azure's Non-Human Identities (NHIs)—simplify credential management and significantly enhance security for developers. Yet, as adoption accelerates, threat actors increasingly target MIs for exploitation.
Building on our previous research outlining potential attack vectors against MIs, this new research focuses exclusively on defensive strategies. Understanding and effectively responding to the exploitation of Azure Managed Identities is now a critical component of modern cloud defense.
Our latest research provides actionable threat-hunting techniques and detailed detection methodologies specifically designed to uncover compromised Managed Identities within Azure environments. Through clear, practical guidance, security teams can proactively identify anomalous behaviors indicative of MI abuse, including:
- Explicit token requests via Instance Metadata Service (IMDS).
- Abnormal enumeration activities using Microsoft Graph.
- Suspicious MI activities originating from non-Azure IP addresses.
- Detection of unusual permission usage and atypical access patterns.
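One way to triage Managed Identity sign-in records for two of the behaviours listed above (MI activity from non-Azure IP addresses, and directory-wide enumeration through Microsoft Graph), as an added example that is not part of the Team Axon research; the record layout, the Azure IP ranges and the sample records are constructed assumptions, not a real Azure log schema.

```python
# Added example (not from the Team Axon research): triage of Managed Identity
# sign-in records against two of the behaviours listed above. Field layout and
# IP ranges are constructed stand-ins, not a real Azure log schema.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Stand-in for Microsoft's published Azure IP ranges (assumed values).
AZURE_RANGES = [ip_network("20.0.0.0/8"), ip_network("40.64.0.0/10")]

# Directory-wide Graph listings a normal workload identity rarely needs.
ENUMERATION_OPS = {"GET /users", "GET /groups", "GET /servicePrincipals",
                   "GET /applications",
                   "GET /roleManagement/directory/roleAssignments"}

# Constructed sample records: (principal, source IP, resource, operation).
SAMPLE_LOGS = [
    ("mi-web-01", "20.50.1.10", "https://storage.azure.com", "GET /blob"),
    ("mi-web-01", "20.50.1.10", "https://graph.microsoft.com", "GET /sites/root"),
    ("mi-etl-02", "198.51.100.7", "https://graph.microsoft.com", "GET /users"),
    ("mi-etl-02", "198.51.100.7", "https://graph.microsoft.com", "GET /groups"),
    ("mi-etl-02", "198.51.100.7", "https://graph.microsoft.com", "GET /servicePrincipals"),
    ("mi-etl-02", "198.51.100.7", "https://graph.microsoft.com", "GET /applications"),
    ("mi-batch-03", "40.70.2.2", "https://graph.microsoft.com", "GET /users"),
]


def is_azure_ip(ip: str) -> bool:
    """True if the source address falls inside the (assumed) Azure ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in AZURE_RANGES)


def non_azure_signins(logs):
    """(principal, ip) pairs where an MI token was used from outside Azure,
    i.e. from a host the identity was never issued to."""
    return sorted({(p, ip) for p, ip, _, _ in logs if not is_azure_ip(ip)})


def graph_enumerators(logs, threshold=3):
    """Principals that issued at least `threshold` distinct directory-wide
    Graph listings; a single listing is usually legitimate, a sweep is not."""
    seen = defaultdict(set)
    for principal, _, resource, op in logs:
        if resource == "https://graph.microsoft.com" and op in ENUMERATION_OPS:
            seen[principal].add(op)
    return sorted(p for p, ops in seen.items() if len(ops) >= threshold)


if __name__ == "__main__":
    print("non-Azure sign-ins:", non_azure_signins(SAMPLE_LOGS))
    print("enumerating principals:", graph_enumerators(SAMPLE_LOGS))
```

In practice the allow-list would be built from Microsoft's published service tag ranges and the records pulled from the tenant's managed identity sign-in logs; the two helpers are the triage logic, independent of where the rows come from.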
This research equips defenders with ready-to-use detection queries, incident investigation strategies, and comprehensive response workflows. By enhancing visibility into Managed Identity behaviors, organizations can swiftly identify breaches, mitigate threats, and minimize potential impacts.
Notably, this research has been recognized by MITRE ATT&CK, with contributions accepted into techniques T1078.004 and T1528.
Stay ahead of threats targeting Azure Managed Identities. Strengthen your organization's defense by implementing these proactive detection and response strategies.
To stay updated on threat-hunting research, activities, and queries, follow Team Axon’s X/Twitter account (@team__axon).