# Abusing Managed Identities

Managed Identities are a type of Service Principal used by applications to obtain tokens for authentication without needing to manage credentials. We'll see how a misconfigured Managed Identity can allow an attacker to access resources in the same resource group as the MI's application.

The benefit (for normal users) and downside (for attackers) of MIs is that, since they eliminate the need for credential management, an attacker is never able to access the underlying credentials.

There are two types of MIs:

|       Type      |                     Description                    |                            Managed                           |
| :-------------: | :------------------------------------------------: | :----------------------------------------------------------: |
| System Assigned |          Created and tied to the resource          | Once the tied resource is deleted, the MI is removed as well |
|  User Assigned  | Manually created and tied to one or more resources |      They are managed separately from the tied resources     |

If we find an MI that has permissions to read from a Key Vault and we have access to the VM it is tied to, we can execute commands on the virtual machine and delegate the machine's permissions over the vault to the MI.

```powershell
PS /home/otter> az keyvault set-policy -n <vault_name> --secret-permissions get list --object-id <managed_identity_id>
```

Now we can dump the secrets from the Key Vault:

```powershell
PS /home/otter> az keyvault secret show --name <secret_name> --vault-name <vault_name>
```
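As an added defender-side check (not code from the original page or from the linked posts), the Python below audits the access policies of one Key Vault, taken from `az keyvault show` output, for managed identities that hold the `get`/`list` secret permissions the steps above grant. The vault JSON and the object ids are constructed sample data, and collecting MI object ids via `az identity list` is an assumption about how you would gather them; vaults that use the RBAC permission model, where access policies are ignored, are handled as a separate case.

```python
import json

# Constructed sample of `az keyvault show -n <vault_name>` output, trimmed to the relevant fields.
VAULT_JSON = json.dumps({
    "name": "kv-example",  # constructed vault name
    "properties": {
        "enableRbacAuthorization": False,
        "accessPolicies": [
            {   # constructed object id of a VM's system-assigned managed identity
                "objectId": "11111111-1111-1111-1111-111111111111",
                "permissions": {"keys": [], "secrets": ["get", "list"], "certificates": []},
            },
            {   # constructed object id of a human administrator (not a managed identity)
                "objectId": "22222222-2222-2222-2222-222222222222",
                "permissions": {"keys": ["get"], "secrets": ["set"], "certificates": []},
            },
        ],
    },
})

# Constructed: object ids of managed identities in the subscription (e.g. from `az identity list`).
MANAGED_IDENTITY_OIDS = {"11111111-1111-1111-1111-111111111111"}

# Secret permissions that expose secret values ("all" implies every secret permission).
SECRET_READ = {"get", "list", "all"}

def find_mi_secret_readers(vault_json: str, mi_object_ids: set) -> list:
    """Return one finding per managed identity that can read secrets from the vault."""
    vault = json.loads(vault_json)
    props = vault["properties"]
    # A vault with enableRbacAuthorization=true ignores its access policies entirely;
    # its RBAC role assignments need a separate check, so nothing is reported here.
    if props.get("enableRbacAuthorization"):
        return []
    findings = []
    for policy in props.get("accessPolicies", []):
        oid = policy["objectId"]
        if oid not in mi_object_ids:
            continue  # humans and other service principals are out of scope here
        granted = {p.lower() for p in policy.get("permissions", {}).get("secrets") or []}
        risky = sorted(granted & SECRET_READ)
        if risky:
            findings.append({"vault": vault["name"], "objectId": oid, "secrets": risky})
    return findings


if __name__ == "__main__":
    for f in find_mi_secret_readers(VAULT_JSON, MANAGED_IDENTITY_OIDS):
        print(f"{f['vault']}: managed identity {f['objectId']} can {', '.join(f['secrets'])} secrets")
```

Run it against each vault's real `az keyvault show` JSON to spot the exact misconfiguration this page relies on before an attacker does.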

This attack is better "experienced" first-hand in order to learn how to set up Managed Identities and VMs and assign the right roles, so I highly recommend checking out [this](https://m365internals.com/2021/11/30/lateral-movement-with-managed-identities-of-azure-virtual-machines/) blog post, `Lateral Movement with Managed Identities of Azure Virtual Machines`, and this [series of posts](https://tripla.dk/2022/03/05/setting-up-an-azure-pentest-lab-part-1-anonymous-blob-access/) that covers how to set up a vulnerable lab environment and perform the attack yourself.
