Skip to content

AZT601.3 - Steal Managed Identity JsonWebToken: Logic Application JWT PUT Request#

If a Logic App is using a Managed Identity, an adversary can modify the logic to make an HTTP POST request to reveal the Managed Identity's JWT.

Resource

Logic Application

Actions

  • Microsoft.Logic/workflows/write
  • Microsoft.Logic/workflows/run/action
  • Microsoft.Logic/operations/read

Detections

Logs#

Data Source Operation Name Action Log Provider
Resource Gets workflow recommend operation groups Microsoft.Logic/locations/workflows/recommendOperationGroups/action AzureActivity
Resource List Trigger Callback URL Microsoft.Logic/workflows/triggers/listCallbackUrl/action AzureActivity
Resource Add or Update Connection Microsoft.Web/connections/write AzureActivity

Queries#

Platform Query
Log Analytics AzureActivity | where OperationNameValue == 'MICROSOFT.LOGIC/WORKFLOWS/TRIGGERS/LISTCALLBACKURL/ACTION'

Azure Monitor Alert#

Deploy to Azure