Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
IMU Core Index (MC-001 → MC-524)
A comprehensive catalog of identity-centric configuration weaknesses across cloud, hybrid, and application environments. Each MC-xxx entry represents concrete misconfigurations enabling reconnaissance, account compromise, privilege escalation, lateral movement, or persistence.
MC-001: Publicly Exposed User Identifiers
Error messages and login flows leak account existence, tenant details, email structure, federation status, and MFA requirements. Password reset pages reveal identity realm information. Different pre-auth messages and prompts expose account validity and authentication methods.
Impact: Makes targeting valid usernames for password spraying significantly easier through reconnaissance of authentication infrastructure.

Attack Vector
Attackers enumerate valid accounts through systematic probing of login portals and error message analysis.
Session & Authentication Weaknesses
MC-007: Weak Password Hygiene
Common passwords and password reuse enable easy compromise across accounts and systems.
MC-018: Poor Browser Session Governance
Session cookies extracted from infected devices allow full user impersonation. Tokens stored in plaintext on disk, memory, or browser sync storage enable persistent access.
MC-019: Weak Lockout Policies
Inconsistent lockout thresholds allow mass username validation. Spraying and brute-force attempts proceed with little restriction, enabling repeated credential attempts without detection.
MC-037: Weak Token Signing Certificate Management
1. Certificate Exposure
Outdated certificates reveal trust chains attackers can analyze and target for exploitation.
2. Token Forging
Enables SAML/OIDC token-forging attacks such as those used in the DarkHalo/SolarWinds compromise.
3. IdP Impersonation
Old or leaked certificates allow complete impersonation of trusted identity providers.
Cloud IAM & Privilege Misconfigurations
MC-062: Excessive Cloud IAM Permissions
  • Users, apps, or machines have far more rights than needed
  • Allows lateral movement between cloud services
  • Enables generation of new secrets, roles, or privileged identities
  • Permits destructive or high-impact actions
MC-090: Privilege Creep Over Time
Old roles and assignments accumulate unchecked, creating shadow administrators with silent administrative reach across the environment.
MC-093: Weak Multi-Cloud Governance
Enables cross-cloud movement through trust misconfigurations.
MC-075: Weak Network Segmentation for Identity Paths
Global Accessibility
Identity endpoints accessible from anywhere allow automated, global-scale enumeration and persistent external access to identity control surfaces.
Federation Exposure
Federation endpoints become globally accessible, enabling unauthenticated probing and easy harvesting of trust relationships.
Metadata Leakage
Open identity endpoints leak naming behavior via error messages, allowing unrestricted probing of pre-authentication endpoints.
Remote Execution
Allows remote execution of critical identity management actions without proper access controls.
MC-076: Legacy Authentication Allowed
1. Protocol Bypass
Legacy protocols bypass MFA and provide weaker authentication responses, allowing password-only authentication.
2. Token Conversion
Enables attackers to convert tokens into long-lived sessions without modern security controls.
3. Fallback Exploitation
Fallback authentication paths bypass modern controls, increasing attack feasibility and success rates.
Directory & Role Governance Failures
MC-107: Weak Directory Role Governance
Lack of auditing around identity roles enables escalation. Attackers use admin roles without detection through stale or high-value role assignments.
MC-121: Excessive OAuth App Permissions
Applications allowed to request high-risk permissions by default without proper validation or review.
MC-131: Weak Claim Validation
Identity providers or relying parties accept tokens whose claims have been modified, allowing attackers to abuse federation flows with forged or altered claims.
MC-111: Incomplete MFA Configuration
Partial Rollout Vulnerabilities
Partial MFA rollout leaves users vulnerable to password-only compromise. Accounts missing MFA become trivial targets for attackers.
Weak MFA Methods
Weak MFA types (SMS, push) are easily intercepted. SMS-based MFA exposes identities to telecom-level attacks. Push-based MFA can be fatigued.
OAuth Consent Bypass
MFA does not protect against OAuth consent grants. Once MFA is bypassed via token, accounts lack secondary controls.
Golden SAML Limitation
Golden SAML bypasses MFA entirely—MFA cannot mitigate it alone. Token-based attacks circumvent authentication challenges completely.
Device & Endpoint Security Gaps
MC-132: Weak Device Security Posture
Unprotected browsers allow malware to extract stored authentication data. Unmanaged or insecure devices expose session data. Infected endpoints leak cookies enabling direct authentication.
MC-138: Overprivileged Machine Identities
Automation tokens have excessive rights and long lifetimes. Machine identities authenticate freely without MFA or device checks, carrying hidden admin capabilities.
Machine identities enable automated exfiltration, sabotage, or privilege replication. Long-lived machine tokens can be replayed silently, allowing machine-to-machine lateral movement and long-term footholds.
OAuth & Consent Governance Failures
MC-143: No User Consent Restrictions
  • End users can approve arbitrary applications
  • Any user can grant apps powerful delegated scopes
  • Attackers inject OAuth scopes after MitM login
MC-147: Insufficient OAuth App Governance
  • Users unknowingly grant high-value permissions to malicious apps
  • Malicious apps obtain authenticated sessions via consent
  • Apps request excessive token scopes without restriction

Attack Chain
  1. Attacker registers OAuth app with elevated scopes
  2. User grants consent without understanding risk
  3. App maintains persistent refresh tokens
  4. Attacker redirects victims to malicious endpoints
  5. Unauthorized apps issue refresh tokens freely
MC-146: Inconsistent Identity Trust Boundaries
Cross-Tenant Leakage
Cross-tenant error messages reveal account behaviors between multiple Azure AD/IdP tenants, enabling cross-environment pivoting.
Federation Metadata Exposure
External clouds/tenants reveal metadata through misconfigured federation. Multiple federation paths expose differing metadata sets and UPN patterns.
Behavioral Inconsistencies
Cloud vs. federated flows reveal different MFA behavior for the same user. Different federation paths expose account metadata or behavioral differences.
Pre-Auth Information Disclosure
Cloud vs. federated pre-auth behavior leaks details about identity configuration and authentication requirements.
Cloud & Federation Misconfigurations (MC-152–MC-300)
Account Recovery
MC-152: Phone-based resets without strong identity verification
Federation Security
MC-171-174: Weak signing key protection, over-permissioned servers, inadequate monitoring, unaligned federation paths
App Roles
MC-201-204: Over-permissioned app roles, broad group assignments, lack of privileged access governance
Service Principals
MC-210-212: Excessive SP privileges, long-lived secrets, high-risk directory role assignments
Additional risks include nested privileged groups (MC-221), legacy AD mappings (MC-222), emergency access groups (MC-223), and broad Conditional Access exclusions (MC-231-234).
Hybrid, Sync & Integration Risks
1. MC-241: Over-Permissioned AD Sync
Too many AD groups and privileged users included in sync scope, expanding attack surface.
2. MC-242: Weak Azure AD Connect Security
Sync servers exposed or not hardened, creating compromise vectors.
3. MC-243: Hybrid Emergency Backdoors
Old AD-based emergency groups still map to cloud admin roles.
4. MC-250: Insecure Cross-Platform Integrations
SaaS connectors configured with admin-level permissions without governance.
5. MC-261-264: CI/CD Pipeline Risks
Hardcoded credentials, excessive SP privileges, insecure agent execution, plaintext OAuth tokens.
Machine, Workload & Automation Identity Risks (MC-301–MC-503)
Governance & Lifecycle (MC-301-304)
  • Weak machine identity governance and lifecycle enforcement
  • Unmonitored workload identities without behavioral analysis
  • Excessive permissions for machine/service identities
  • Hard-coded machine identity secrets in scripts or IaC
API & OAuth (MC-311-323)
  • Weak API key rotation policies and plaintext storage
  • Overprivileged API keys shared across systems
  • Long-lived OAuth client secrets with excessive permissions
  • Misconfigured SCIM provisioning pushing identities to wrong groups
Service Principals & Apps (MC-401-415)
  • Weak SP credentials, excessive privileges, long certificate lifetimes
  • SP credential reuse and repository exposure
  • Unmanaged app registrations and stale service principals
  • Excessive admin consent grants and misconfigured multi-tenant apps
Automation & Workload (MC-421-454)
  • Long-lived automation credentials with weak secrets
  • Overprivileged automation accounts and cross-subscription reuse
  • Workload identity sprawl and forgotten credentials
  • Machine identity CA gaps, session mismanagement, weak monitoring
MC-501-503: Long-lived SP secrets, overprivileged workload federation trust, machine identities with global permissions.