Azure Arc relies on a System-Assigned Managed Identity whose credentials are stored on the enrolled system, creating a risk if local administrators extract them. A MicroBurst tool (Get-AzArcCertificates) automates certificate extraction and highlights detection opportunities around run commands and Managed Identity activity. #AzureArc #ManagedIdentity #HybridCompute #EntraID
Keypoints
- Azure Arc enables integration of on-prem resources with the Azure cloud.
- The authentication model uses a System-Assigned Managed Identity with stored certificates.
- Certificate storage locations differ by OS: Windows uses a path like C:\ProgramData\AzureConnectedMachineAgent\Certs\myCert.cer and Linux uses /var/opt/azcmagent/certs/myCert.
- Local administrators can extract these certificates, potentially granting unauthorized access.
- A script/tool (Get-AzArcCertificates) exists to automate certificate extraction, integrated into the MicroBurst toolkit.
- Detection opportunities include monitoring run-command usage, local certificate read commands, and anomalous Managed Identity activity.
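As an added illustration of the host-side detection opportunities listed above (not code from the write-up or from MicroBurst), the following script classifies constructed endpoint telemetry: reads of the Arc certificate directories by anything other than the agent, and process launches whose command line references the extraction tooling or exported material. The event-record shape, the sample events and the set of expected reader processes (the agent's own binaries) are assumptions; cloud-side Managed Identity anomalies are out of scope here.

```python
import re
from dataclasses import dataclass

# Certificate locations named in the write-up, lower-cased for matching.
ARC_CERT_DIRS = (
    r"c:\programdata\azureconnectedmachineagent\certs",
    "/var/opt/azcmagent/certs",
)
# Assumption: only the agent's own service binaries should read those files.
EXPECTED_READERS = {"himds.exe", "himds", "azcmagent.exe", "azcmagent"}
# Command-line fragments tied to the extraction tool or to exported certificates.
TOOLING = re.compile(
    r"get-azarccertificates|azureconnectedmachineagent\\certs|azcmagent/certs|\.pfx\b",
    re.IGNORECASE,
)

@dataclass
class HostEvent:
    kind: str               # "file_read" or "process_start"
    process: str            # image name of the acting process
    user: str
    path: str = ""          # target file for file_read events
    command_line: str = ""  # for process_start events

def classify(ev: HostEvent):
    """Return a detection label for one event, or None if it looks benign."""
    if ev.kind == "file_read":
        target = ev.path.lower()
        in_cert_dir = any(target.startswith(d) for d in ARC_CERT_DIRS)
        if in_cert_dir and ev.process.lower() not in EXPECTED_READERS:
            return "arc_cert_read_by_unexpected_process"
    elif ev.kind == "process_start" and TOOLING.search(ev.command_line):
        return "arc_cert_extraction_tooling"
    return None

def scan(events):
    """Run classify() over a batch; return (event index, label) for each hit."""
    return [(i, lbl) for i, ev in enumerate(events) if (lbl := classify(ev))]

# Constructed sample telemetry (not real logs): a benign agent read, an admin
# read of the Windows cert, a Linux copy, a tool invocation, and a benign launch.
SAMPLE_EVENTS = [
    HostEvent("file_read", "himds.exe", "SYSTEM",
              path=r"C:\ProgramData\AzureConnectedMachineAgent\Certs\myCert.cer"),
    HostEvent("file_read", "powershell.exe", "CORP\\localadmin",
              path=r"C:\ProgramData\AzureConnectedMachineAgent\Certs\myCert.cer"),
    HostEvent("file_read", "cp", "root", path="/var/opt/azcmagent/certs/myCert"),
    HostEvent("process_start", "powershell.exe", "CORP\\localadmin",
              command_line="powershell -c Get-AzArcCertificates"),
    HostEvent("process_start", "notepad.exe", "CORP\\user", command_line="notepad.exe readme.txt"),
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(idx, label)
```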
MITRE Techniques
- [T1003] Credential Dumping – A local administrator reads the Managed Identity certificate from the Arc agent's certificate store on the enrolled host and exports it as a PFX, which can then be used to authenticate as the machine's identity.
Indicators of Compromise
- [File] Windows certificate path – C:\ProgramData\AzureConnectedMachineAgent\Certs\myCert.cer
- [File] Linux certificate path – /var/opt/azcmagent/certs/myCert
- [File] PFX export file – C:\MicroBurst\6843069d-5b5b-4618-86ac-0ccc8d6a6476.pfx
- [URL] Tool/script URL – https://github.com/NetSPI/MicroBurst/blob/master/Az/Get-AzArcCertificates.ps1
- [File] Script output/authenticate script – AuthenticateAs-6843069d-5b5b-4618-86ac-0ccc8d6a6476.ps1
- [URL] Original article URL – https://www.netspi.com/blog/technical-blog/cloud-pentesting/extracting-managed-identity-certificates-from-azure-arc-service/