Abusing Managed Identities

Managed Identities are a type of Service Principal and they are used by applications to obtain tokens for authentication without need to manage credentials. We'll see how a misconfigured Managed Identity can allow an attacker to access resources in the same resource group as the MI's application.

The benefit (for normal users) and downside (for attackers) of MIs is that, since they eliminate the need for credential management, an attacker won't ever be able to access the used credentials.

There are two types of MIs:

Type	Description	Managed
System Assigned	Created and tied to the resource	Once the tied resource is deleted, the MI is removed as well
User Assigned	Manually created and tied to one or more resources	They are managed separately from the tied resources

If we find a MI that has the permissions to read from a Key Vault and we have access to the VM tied to it we can execute commands on the Virtual Machine and delegate the machine's permissions over the vault to the MI.

PS /home/otter> az keyvault set-policy -n <vault_name> --secret-permission get list --object-id <managed_identity_id>

Now we can dump the secrets from the keyvault

PS /home/otter> az keyvault secret show --name <secret_name> --vault-name <vault_name>

This attack is better "experienced" first hand in order to learn how to set up Managed Identities, VMs and assign the right roles so i highly recommend checking out this blog post about Lateral Movement with Managed Identities of Azure Virtual Machines and this series of posts that covers how to set up a vulnerable lab environment and perform the attack yourself.