Azure Deployment Scripts: Assuming User-Assigned Managed Identities

Azure Deployment Scripts can be abused to attach subscription-scoped User-Assigned Managed Identities to a container, allowing an attacker to obtain tokens or run commands as that identity. NetSPI demonstrates an automated PowerShell function (Invoke-AzUADeploymentScript) that enumerates identities, deploys a malicious Deployment Script, retrieves tokens or runs commands, then cleans up. #UserAssignedManagedIdentity #DeploymentScripts

Keypoints

  • User-Assigned Managed Identities (UAMI) are subscription-level identities that can be attached to multiple resources and carry their role assignments.
  • An attacker with write permissions can assign a UAMI to a resource they control and leverage its permissions for privilege escalation.
  • Azure Deployment Scripts create container instances and storage resources that can have a UAMI attached, enabling token generation or execution as that identity from inside the container.
  • NetSPI published Invoke-AzUADeploymentScript, a PowerShell function that automates enumerating UAMIs, generating a malicious Deployment Script ARM template, deploying it, extracting tokens/output, and cleaning up.
  • The tool can produce tokens, run Az PowerShell/Az CLI commands in the container (e.g., to create RBAC assignments or dump Key Vault/Storage secrets), and supports specifying resource group/subscription and token scopes.
  • Defenders can detect abuse by monitoring deployment and deploymentScript operations (validate/write/delete), storage account creation/listKeys, and container group creation.

MITRE Techniques

  • [T1078] Valid Accounts – Using User-Assigned Managed Identities to obtain valid tokens and act as that identity (‘The Managed Identity can be used (via Az PowerShell or AZ CLI) to take actions in the Deployment Scripts container’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Executing Az PowerShell commands inside the Deployment Scripts container to enumerate resources or perform actions (‘Invoke-AzUADeploymentScript -Verbose -Command “Get-AzResource | ConvertTo-Json”’).
  • [T1578] Modify Cloud Compute Infrastructure – Creating Deployment Script resources, Container Instances, and supporting storage accounts to enable execution and token retrieval (‘Deployment Scripts service allows users to run code in a containerized Azure environment’ and creates Container Instances and an ‘*azscripts’ Storage Account).
  • [T1070] Indicator Removal on Host – Cleaning up deployments and deployment scripts to remove evidence after retrieving tokens or outputs (‘Remove the Deployment Script and Resource Group Deployment’ and ‘the function does clean up after itself’).
  • [T1210] Exploitation of Remote Services / Resource Hijacking – Attaching an over-permissioned UAMI to an attacker-controlled resource to escalate privileges and access sensitive resources (‘An attacker … can assign these identities to resources that they control, and can get access to the permissions of the identity.’)

Indicators of Compromise

  • [Operation Names] suspicious deployment and script operations – Microsoft.Resources/deployments/validate/action, Microsoft.Resources/deployments/write, Microsoft.Resources/deploymentScripts/write, Microsoft.Resources/deploymentScripts/delete
  • [Operation Names] suspicious storage/container operations – Microsoft.Storage/storageAccounts/write, Microsoft.Storage/storageAccounts/listKeys/action, Microsoft.ContainerInstance/containerGroups/write
  • [Domains / URLs] tool and example scripts – https://github.com/NetSPI/MicroBurst/blob/master/Az/Invoke-AzUADeploymentScript.ps1, https://example.com/DeploymentExec.ps1 (example in article)
  • [File/Resource Names] deployment and storage artifacts – DeploymentExec.ps1, ‘*azscripts’ storage account (storage account prefix used by Deployment Scripts)
  • [Identifiers] example Subscription ID placeholder – 00000000-0000-0000-0000-000000000000 (used in example deployment commands)


To escalate via a User-Assigned Managed Identity (UAMI) using Azure Deployment Scripts, enumerate UAMIs and their visible role assignments to find over-permissioned identities. A convenient one-liner is Get-AzUserAssignedIdentity | ForEach-Object { Get-AzRoleAssignment -ObjectId $_.PrincipalId }. Note that this returns only the role assignments your current account can read; a UAMI may hold roles in subscriptions or management groups you cannot view.

Once a target UAMI is identified, the attack flow automates: generate an ARM template for a Deployment Script that attaches the chosen UAMI, deploy the script (which creates a container instance and an ‘*azscripts’ storage account), run commands inside the container or request tokens for the identity (via Az PowerShell or Az CLI), capture the output (tokens or command results), and then remove the Deployment Script and deployment to clean up. NetSPI’s Invoke-AzUADeploymentScript.ps1 implements these steps and offers parameters to choose deployment ResourceGroup, DeploymentSubscriptionID, and TokenScope, plus a -Command flag to run specific PowerShell commands (or load them remotely via IEX) and return string-formatted output.

Because the container runs as the attached UAMI, operators can use generated tokens or run Az commands to perform actions such as executing commands on VMs, creating RBAC role assignments, or dumping Key Vault and storage secrets—providing a path to privilege escalation when the UAMI holds powerful roles. Monitor for the sequence of deployment and deploymentScript operations, storage account creation/keys access, and container group writes as high-fidelity indicators of this abuse.
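A detection sketch for the operation sequence described above, added here as an example and not part of the NetSPI post or MicroBurst: it correlates, per caller, a deploymentScripts/write followed within a window by storage-account creation/listKeys and a container group write, and notes a later deploymentScripts/delete as the cleanup step. The pipe-separated log rows and the caller names are constructed for the example; the real Activity Log schema differs and would need its own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Operation names the article lists as indicators of Deployment Script abuse.
START_OP = "Microsoft.Resources/deploymentScripts/write"
STORAGE_OPS = {"Microsoft.Storage/storageAccounts/write", "Microsoft.Storage/storageAccounts/listKeys/action"}
CONTAINER_OP = "Microsoft.ContainerInstance/containerGroups/write"
CLEANUP_OP = "Microsoft.Resources/deploymentScripts/delete"

# Constructed sample rows (not real Activity Log output): time|caller|operationName|resourceId
SAMPLE_LOG = """
2024-05-01T10:00:05|alice@example.test|Microsoft.Resources/deployments/write|/rg-app/deployments/d1
2024-05-01T10:00:10|alice@example.test|Microsoft.Resources/deploymentScripts/write|/rg-app/deploymentScripts/ds1
2024-05-01T10:00:20|alice@example.test|Microsoft.Storage/storageAccounts/write|/rg-app/storageAccounts/abc123azscripts
2024-05-01T10:00:25|alice@example.test|Microsoft.Storage/storageAccounts/listKeys/action|/rg-app/storageAccounts/abc123azscripts
2024-05-01T10:00:40|alice@example.test|Microsoft.ContainerInstance/containerGroups/write|/rg-app/containerGroups/ds1-cg
2024-05-01T10:03:00|alice@example.test|Microsoft.Resources/deploymentScripts/delete|/rg-app/deploymentScripts/ds1
2024-05-01T11:00:00|bob@example.test|Microsoft.Resources/deploymentScripts/write|/rg-ci/deploymentScripts/build
2024-05-01T11:00:01|bob@example.test|Microsoft.Storage/storageAccounts/write|/rg-ci/storageAccounts/xyz789azscripts
"""

def parse_event(line):
    """Split one constructed row into a dict with a parsed timestamp."""
    ts, caller, op, resource = line.split("|", 3)
    return {"time": datetime.fromisoformat(ts), "caller": caller, "op": op, "resource": resource}

def detect_deployment_script_abuse(log_text, window_minutes=30):
    """Flag callers whose deploymentScripts/write is followed within the window by
    storage creation/listKeys AND a container group write (the full chain)."""
    window = timedelta(minutes=window_minutes)
    by_caller = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        by_caller[ev["caller"]].append(ev)
    alerts = []
    for caller, events in by_caller.items():
        events.sort(key=lambda e: e["time"])
        for i, start in enumerate(events):
            if start["op"] != START_OP:
                continue
            chain = [e for e in events[i:] if e["time"] - start["time"] <= window]
            ops = {e["op"] for e in chain}
            if ops & STORAGE_OPS and CONTAINER_OP in ops:
                alerts.append({"caller": caller, "start": start["time"].isoformat(),
                               "azscripts_storage": any("azscripts" in e["resource"] for e in chain),
                               "cleaned_up": CLEANUP_OP in ops})
                break  # one alert per caller is enough for triage
    return alerts
```

Bob's partial chain (script write plus storage write, no container group) is deliberately left unflagged so the rule keys on the full sequence rather than on any single Deployment Script use.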

Read more: https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-user-assigned-managed-identities-via-deployment-scripts/