Skip to content

AZT601.1 - Steal Managed Identity JsonWebToken: Virtual Machine IMDS Request#

By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an Azure VM if they have access to execute commands on the system.


Virtual Machine


  • Microsoft.Compute/virtualMachines/write
  • Microsoft.Compute/virtualMachines/extensions/*


The detection will be based off of the Command Execution technique chosen. If using RDP, then no logs will be generated in Azure. Since the command to retrieve the JWT requires local PowerShell execution, script block logging will reveal the request used to gather the token.


Platform Query
Log Analytics union Event, Syslog | where EventID == 4104 and RenderedDescription has '' or SyslogMessage has ''

Azure Monitor Alert#

Deploy to Azure