Synopsis

| Parameter | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 5 Days |
| Required Data | |
| Detection Modules | Cloud |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
An Azure Managed Identity token that was issued to a compute resource (for example a virtual machine, App Service, or Function App) was used from outside the cloud environment. Managed identity tokens are obtained from a local, non-routable endpoint on the resource itself (the Instance Metadata Service at 169.254.169.254 on virtual machines), so a token presented from an external IP address or ASN indicates that it was copied off the resource, for example through a server-side request forgery against the metadata endpoint or after the resource was compromised, and replayed elsewhere. Legitimate off-cloud usage does exist: Azure Arc-enabled servers obtain managed identity tokens from on-premises machines, and compute whose outbound traffic is forced-tunneled through an on-premises firewall will present tokens from a non-Azure egress IP. These hybrid paths are the main source of benign matches.
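The detection described above, as an added example that is not the vendor's implementation: a small Python profiler that learns each managed identity's usual source IPs over the training period, waits out the activation period before it will alert on an identity, flags a token use whose source IP is neither in a known cloud egress range nor in that identity's baseline, and suppresses repeats of the same identity and IP within the deduplication period. The log line layout, the identity names, the operations, and the 203.0.113.0/24 "cloud egress" range are constructed placeholders; real telemetry would come from Microsoft Entra ID managed identity sign-in logs or the Azure Activity Log, and a real egress list would be built from the tenant's public and NAT IPs.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Detector parameters, taken from the synopsis above.
ACTIVATION_PERIOD = timedelta(days=14)  # an identity needs this much history before it can alert
TRAINING_PERIOD = timedelta(days=30)    # look-back window that defines an identity's usual source IPs
DEDUP_PERIOD = timedelta(days=5)        # suppress repeat alerts for the same identity and IP

# Constructed placeholder for the tenant's known Azure egress ranges (RFC 5737 TEST-NET-3).
# In a real deployment this comes from the tenant's public/NAT IPs, not a hard-coded list.
CLOUD_EGRESS = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class TokenUse:
    ts: datetime
    identity: str  # managed identity name or object ID (assumed field)
    ip: str        # source IP the token was presented from
    op: str        # operation performed with the token


def parse_line(line: str) -> TokenUse:
    """Parse one constructed log line of the form '<ISO-8601 ts> <identity> <ip> <operation>'."""
    ts, identity, ip, op = line.split(" ", 3)
    return TokenUse(datetime.fromisoformat(ts.replace("Z", "+00:00")), identity, ip, op)


def is_cloud_ip(ip: str) -> bool:
    """True when the source address falls inside a known cloud egress range."""
    addr = ip_address(ip)
    return any(addr in net for net in CLOUD_EGRESS)


def detect(uses: list[TokenUse]) -> list[dict]:
    """Return one alert per anomalous remote token use, honouring activation, training and dedup periods."""
    first_seen: dict[str, datetime] = {}
    history: dict[str, list[TokenUse]] = {}
    last_alert: dict[tuple[str, str], datetime] = {}
    alerts: list[dict] = []

    for u in sorted(uses, key=lambda x: x.ts):
        first_seen.setdefault(u.identity, u.ts)
        # Keep only training-window history; these IPs are the identity's "usual" sources.
        past = [p for p in history.get(u.identity, []) if u.ts - p.ts <= TRAINING_PERIOD]
        history[u.identity] = past
        baseline = {p.ip for p in past}

        in_activation = u.ts - first_seen[u.identity] < ACTIVATION_PERIOD
        if in_activation or is_cloud_ip(u.ip) or u.ip in baseline:
            past.append(u)  # expected use: learn from it, never alert
            continue

        # Anomalous use is deliberately not added to the baseline, so a stolen
        # token does not become "usual" simply by being replayed repeatedly.
        key = (u.identity, u.ip)
        prev = last_alert.get(key)
        if prev is not None and u.ts - prev < DEDUP_PERIOD:
            continue  # same identity and IP already alerted within the dedup window
        last_alert[key] = u.ts
        alerts.append({"ts": u.ts.isoformat(), "identity": u.identity, "ip": u.ip, "op": u.op})
    return alerts


def constructed_log() -> list[str]:
    """Constructed sample log lines (not real telemetry)."""
    lines = []
    day0 = datetime(2024, 4, 1, 8, tzinfo=timezone.utc)
    for d in range(31):  # 31 days of daily use from the web VM's normal egress IP
        ts = (day0 + timedelta(days=d)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} mi-vm-web01 203.0.113.10 Microsoft.KeyVault/vaults/secrets/read")
    lines += [
        # Token replayed from an external IP: alerts once; the repeat next day is deduplicated
        "2024-05-02T03:14:00Z mi-vm-web01 198.51.100.77 Microsoft.Storage/storageAccounts/listKeys/action",
        "2024-05-03T03:20:00Z mi-vm-web01 198.51.100.77 Microsoft.Storage/storageAccounts/listKeys/action",
        # New but in-cloud egress IP: not an alert
        "2024-05-04T09:00:00Z mi-vm-web01 203.0.113.11 Microsoft.KeyVault/vaults/secrets/read",
        # Same external IP again after the dedup window has passed: alerts again
        "2024-05-09T01:00:00Z mi-vm-web01 198.51.100.77 Microsoft.Compute/virtualMachines/read",
        # Identity first seen today: still inside its activation period, so no alert
        "2024-05-01T10:00:00Z mi-func-new 198.51.100.5 Microsoft.KeyVault/vaults/secrets/read",
    ]
    return lines


def run_example() -> list[dict]:
    return detect([parse_line(line) for line in constructed_log()])


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the constructed input this raises two alerts, both for mi-vm-web01 from 198.51.100.77 (2 May and 9 May); the 3 May repeat falls inside the 5-day deduplication window, the new in-cloud IP on 4 May is accepted, and mi-func-new is silent because it is still in its activation period. The ASN variation of the rule needs only an additional IP-to-ASN lookup with the baseline keyed on ASN instead of IP.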
Attacker's Goals
Exfiltrate a valid token from the compute resource and use it remotely, obtaining the identity's Azure RBAC permissions without needing any credentials stored on the resource or continued access to it.
Investigative actions
- Verify whether the Managed Identity should be used remotely: check whether the source IP or ASN belongs to a known hybrid path such as an Azure Arc-enabled server, a VPN or ExpressRoute egress, or a forced-tunnel route through an on-premises firewall.
- Check what API calls were executed with the token: review the Azure Activity Log and the Microsoft Entra ID managed identity sign-in logs for the identity's object ID, looking in particular for credential reads (Key Vault secrets, storage account keys), role assignment changes, and broad resource enumeration.
- Check if the relevant compute service is compromised: look for server-side request forgery against the metadata endpoint in application and web server logs, unexpected processes or web shells on the resource, and other alerts on the same resource in the same window.
- Contain by removing access, not just the host: an issued managed identity access token cannot be revoked before it expires, so stopping or reimaging the compute resource does not stop the attacker. Remove or reduce the identity's role assignments (or delete the identity) and rotate any secrets the token could have read.
Variations
- Remote usage of an Azure Managed Identity token from an unusual ASN
- Remote usage of an Azure Managed Identity token from an unusual IP