AZT601 - Steal Managed Identity JsonWebToken
An adversary may utilize the resource's functionality to obtain a JWT for the applied Managed Identity Service Principal account.
ID | Name | Description | Action | Resources |
---|---|---|---|---|
AZT601.1 | Virtual Machine IMDS Request | By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an Azure VM if they have access to execute commands on the system. | Microsoft.Compute/virtualMachines/write<br>Microsoft.Compute/virtualMachines/extensions/* | Virtual Machine |
AZT601.2 | Azure Kubernetes Service IMDS Request | By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an AKS Cluster if they have access to execute commands on the system. | Microsoft.ContainerService/managedClusters/runcommand/action<br>Microsoft.ContainerService/managedclusters/commandResults/read | Azure Kubernetes Service |
AZT601.3 | Logic Application JWT PUT Request | If a Logic App is using a Managed Identity, an adversary can modify the logic to make an HTTP POST request to reveal the Managed Identity's JWT. | Microsoft.Logic/workflows/write<br>Microsoft.Logic/workflows/run/action<br>Microsoft.Logic/operations/read | Logic Application |
AZT601.4 | Function Application JWT GET Request | If a Function App is using a Managed Identity, an adversary can modify the logic to respond to an HTTP GET request to reveal the Managed Identity's JWT. | Microsoft.Web/sites/Write<br>microsoft.web/sites/functions/action<br>microsoft.web/sites/functions/write | Function App |
AZT601.5 | Automation Account Runbook | If an Automation Account is using a Managed Identity, an adversary can create a Runbook to request the Managed Identity's JWT. | Microsoft.Automation/automationAccounts/runbooks/write | Automation Account |