Hunting down rogue Managed Identities

Presented at Blue Team Con 2022, Aug. 27, 2022, 2:10 p.m. (30 minutes)

Usage of cloud managed identities is on the rise across all cloud providers. But are they really as secure as we assume them to be?

Recently, more and more attacks have been leveraging legitimate usage of managed identities to advance the attack and pivot across multiple resources. Managed identities are the latest phase in the evolution of protecting secrets, but without being properly protected, they themselves can serve as double-edged swords, introducing new risks and vulnerabilities. Powered by OAuth 2.0, cloud managed identities blur the distinction between identity protection and endpoint solutions, leaving crucial terrain unclaimed.

OAuth 2.0 introduces an authorization layer and separates the role of the client from that of the resource owner. In this session I will dive into delegation flows and together we will understand how they are related to ghost managed identities which pop up on a compromised network. Together, we will extract cloud-unique aspects out of known attacks, isolating managed identities as overlooked soft spots.

We will wrap up with several high-fidelity detections, giving every blue-side attendee practical tools to implement in their own environment.


Presenters:

  • Ram Pliskin - Principal Security Researcher, Microsoft
    Ram Pliskin is a Principal Security Research Manager of Microsoft’s Defender for Cloud group, which is responsible for security research and development of data analysis algorithms. Ram is a veteran of the IDF Intelligence Corps, where he led groups of security researchers. Ram holds a B.Sc. in Computer Science and multiple patents in the field of exploit mitigations and threat detection.
