Skip to content

AZT601.1 - Steal Managed Identity JsonWebToken: Virtual Machine IMDS Request#

By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an Azure VM if they have access to execute commands on the system.


Virtual Machine


  • Microsoft.Compute/virtualMachines/write
  • Microsoft.Compute/virtualMachines/extensions/*


The detection will be based off of the Command Execution technique chosen. If using RDP, then no logs will be generated in Azure. Since the command to retrieve the JWT requires local PowerShell execution, script block logging will reveal the request used to gather the token.