Cybersecurity researchers have discovered a sophisticated attack technique that exploits Microsoft Azure Arc deployments to gain persistent access to enterprise environments. The research, conducted during recent red team operations, reveals how adversaries can leverage misconfigured Azure Arc installations to escalate privileges from cloud environments to on-premises systems and maintain long-term persistence through legitimate Microsoft services.

Azure Arc, Microsoft's hybrid cloud management platform, extends Azure's native management capabilities to on-premises systems, Kubernetes clusters, and other non-Azure resources. While designed to streamline hybrid infrastructure management, the service's deployment mechanisms and configuration processes have introduced new attack vectors that threat actors can exploit.

IBM analysts identified multiple deployment vectors that introduce security vulnerabilities, including PowerShell scripts with embedded secrets, misconfigured System Center Configuration Manager (SCCM) deployments, and Group Policy Objects (GPOs) that store encrypted credentials using DPAPI-NG. The research team noted that these deployment methods, while following Microsoft's official guidance, often result in credential exposure due to overly permissive access controls and inadequate secret management practices.

The attack techniques center around the exploitation of Service Principal credentials that are often hardcoded in deployment scripts or stored in accessible network shares. The research demonstrates that these recovered credentials often possess elevated privileges beyond their intended scope, including the "Azure Connected Machine Resource Administrator" role, which grants comprehensive management capabilities over Arc deployments. Once obtained, these credentials can be weaponized to execute arbitrary code on Arc-managed systems through various Azure management interfaces.

The most significant finding involves the exploitation of DPAPI-NG encrypted secrets stored in Azure Arc deployment shares. When Arc is deployed via Group Policy, administrators create network shares containing deployment files, including an "encryptedServicePrincipalSecret" file protected by DPAPI-NG encryption. These credentials, originally intended for automated Arc client registration, can be recovered by attackers who gain access to deployment infrastructure or policy configurations.
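As an added defensive check (example code written for this page, not from the IBM research or the article), the following PowerShell script audits the GPO deployment shares described above and flags any encryptedServicePrincipalSecret file whose NTFS ACL grants read access to broad groups. The share paths and the list of "broad" principals are assumptions to adjust for your environment.

```powershell
# Audit Azure Arc GPO deployment shares for an encryptedServicePrincipalSecret
# file that is readable by broad principals. Assumptions: share paths below are
# placeholders; $BroadPrincipals is the set of groups you consider too wide.
param(
    [string[]]$SharePaths = @('\\dc01.example.local\ArcDeploy'),  # placeholder
    [string[]]$BroadPrincipals = @('Everyone', 'Authenticated Users',
                                   'Domain Users', 'Domain Computers')
)

function Get-ArcSecretExposure {
    param([string[]]$Paths, [string[]]$Broad)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Share not reachable: $root"
            continue
        }
        # Match the exact file name the deployment creates (case-insensitive).
        $files = Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
                 Where-Object { $_.Name -ieq 'encryptedServicePrincipalSecret' }
        foreach ($f in $files) {
            $acl = Get-Acl -LiteralPath $f.FullName
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                # ReadData is bit 1 of FileSystemRights; generic rights
                # (GENERIC_READ / GENERIC_ALL) show up outside the documented
                # flag range (negative or above FullControl = 0x1F01FF), so
                # treat those as granting read as well.
                $r = [int]$ace.FileSystemRights
                $canRead = (($r -band 1) -ne 0) -or ($r -lt 0) -or ($r -gt 0x1F01FF)
                if (-not $canRead) { continue }
                $id   = $ace.IdentityReference.Value
                $name = ($id -split '\\')[-1]   # strip DOMAIN\ or BUILTIN\ prefix
                [pscustomobject]@{
                    File      = $f.FullName
                    Principal = $id
                    Rights    = $ace.FileSystemRights
                    Broad     = ($Broad -contains $name)
                }
            }
        }
    }
}

# Rows with Broad = True are the "overly permissive access controls" to fix
# by tightening the share and file ACLs to the deployment computers only.
$report = Get-ArcSecretExposure -Paths $SharePaths -Broad $BroadPrincipals
$report | Sort-Object Broad -Descending | Format-Table -AutoSize
```

The script inspects NTFS ACLs only; it does not reveal which protection descriptor the DPAPI-NG blob itself was encrypted to, so review that separately when rotating the Service Principal secret.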
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 05 Jul 2025 07:25:12 +0000