modules/Devolutions.CIEM.Graph/Data/attack_paths/internet-exposed-privileged-mi.json

{
  "id": "internet-exposed-privileged-mi",
  "name": "Internet-exposed VM with privileged managed identity",
  "severity": "critical",
  "category": "identity-network-compound",
  "description": "A VM reachable from the internet via an open NSG has a managed identity with a privileged role at subscription scope. An attacker exploiting this VM could use IMDS to obtain tokens and escalate to subscription-level control.",
  "remediation": "1. Identify the internet-facing NSG rule, attached VM, managed identity, and privileged role assignment in the path.\n2. Remove public inbound access to the VM or restrict it to approved administrative source ranges.\n3. Remove the privileged role from the managed identity or replace it with a least-privilege role scoped only to the required resources.\n4. Restart or redeploy the workload if required so that it uses the updated identity permissions.\n5. Rerun Azure discovery and confirm that this attack path no longer appears.",
  "remediation_script": "modules/Devolutions.CIEM.Graph/Data/attack_path_remediation_scripts/internet-exposed-vm-with-privileged-managed-identity.ps1",
  "steps": [
    { "kind": "Internet" },
    { "edge": "AllowsInbound", "direction": "outbound" },
    { "kind": "AzureNSG" },
    { "edge": "AttachedTo", "direction": "outbound" },
    { "kind": "AzureVM" },
    { "edge": "HasManagedIdentity", "direction": "outbound" },
    { "kind": "EntraManagedIdentity" },
    { "edge": "HasRole", "direction": "outbound", "filter": { "property": "privileged", "op": "eq", "value": true } }
  ]
}