What starting position does this attack require?

The first step is RCE on the VM (web / SSH / SCM) (T1190) — a initial access primitive. Assumed environment: an Azure VM has a managed identity with Microsoft.

What is the final impact of this kill-chain?

The final step lands on Pivot via VM RunCommand on other tenants (C-AZ-RUNCOMMAND-VM), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

Compromised VM → Managed Identity → Subscription Owner

A VM with an over-privileged system-assigned managed identity is compromised; query IMDS for an Azure AD token, then assign yourself Owner on the subscription.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

RCE on the VM (web / SSH / SCM)

T1190 · Exploit Public-Facing Application

Discovery

List role assignments

T1087 · Account Discovery

Privilege Escalation

Assign Owner on subscription to attacker user

C-AZ-RBAC-OWNER · Azure RBAC Owner Assignment

Privilege Escalation

Hit IMDS for AAD token

C-AZ-MANAGED-ID-ESC · Azure Managed Identity Escalation

GET http://169.254.169.254/metadata/identity/oauth2/token?resource=https://management.azure.com/

Lateral Movement

Pivot via VM RunCommand on other tenants

C-AZ-RUNCOMMAND-VM · Azure VM RunCommand

§ Context

Assumed environment: an Azure VM has a managed identity with Microsoft.Authorization/roleAssignments/write at subscription scope (or via an indirect role like User Access Administrator).

§ Steps

01
RCE on the VM (web / SSH / SCM)Initial Access
T1190— Exploit Public-Facing Application
02
List role assignmentsDiscovery
T1087— Account Discovery
03
Assign Owner on subscription to attacker userPrivilege Escalation
C-AZ-RBAC-OWNER— Azure RBAC Owner Assignment
04
Hit IMDS for AAD tokenPrivilege Escalation
C-AZ-MANAGED-ID-ESC— Azure Managed Identity Escalation
GET http://169.254.169.254/metadata/identity/oauth2/token?resource=https://management.azure.com/
05
Pivot via VM RunCommand on other tenantsLateral Movement
C-AZ-RUNCOMMAND-VM— Azure VM RunCommand

§ References

T1190Exploit Public-Facing Application
T1087Account Discovery

§ Frequently asked

What is the "Compromised VM → Managed Identity → Subscription Owner" attack path?: A VM with an over-privileged system-assigned managed identity is compromised; query IMDS for an Azure AD token, then assign yourself Owner on the subscription. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is RCE on the VM (web / SSH / SCM) (T1190) — a initial access primitive. Assumed environment: an Azure VM has a managed identity with Microsoft.
What is the final impact of this kill-chain?: The final step lands on Pivot via VM RunCommand on other tenants (C-AZ-RUNCOMMAND-VM), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.