Azure Threat Research Matrix
The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.
Authors
Authors and/or Contributors |
---|
AlertIQ |
Craig Fretwell |
Dor Edry |
Jonny Johnson |
Karl Fosaaen |
MITRE ATT&CK |
Manuel Berrueta |
Microsoft |
Nestori Syynimaa |
Nikhil Mittal |
Ram Pliskin |
Roberto Rodriguez |
Ryan Cobb |
AZT101 - Port Mapping
It is possible to view the open ports on a virtual machine by viewing the Virtual Network Interface's assigned Network Security Group.
Internal MISP references
UUID 2b95d14b-2af8-53d9-b72b-a15a966fcd7a
which can be used as unique global reference for AZT101 - Port Mapping
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT101 |
kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT102 - IP Discovery
It is possible to view the IP address on a resource by viewing the Virtual Network Interface.
Internal MISP references
UUID 1c5cdaa4-3e58-5158-8027-7b08c0bd93de
which can be used as unique global reference for AZT102 - IP Discovery
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT102 |
kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT103 - Public Accessible Resource
A resource within Azure is accessible from the public internet.
Internal MISP references
UUID 6c6052f7-3d6b-503b-99b2-8c32e0ed44cf
which can be used as unique global reference for AZT103 - Public Accessible Resource
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT103 |
kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT104 - Gather User Information
An adversary may obtain information about a User within Azure Active Directory. Details may include email addresses, first/last names, job information, addresses, and assigned roles. By default, all users are able to read other users' roles and group memberships within AAD.
Internal MISP references
UUID df3fd847-3947-5ffa-9fc1-3482575a0796
which can be used as unique global reference for AZT104 - Gather User Information
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT104 |
kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT105 - Gather Application Information
An adversary may obtain information about an application within Azure Active Directory.
Internal MISP references
UUID 9a3ef449-a40d-5f65-bbc1-1170dea045d5
which can be used as unique global reference for AZT105 - Gather Application Information
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT105 |
kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT106 - Gather Role Information
An adversary may obtain information about a role within Azure Active Directory or within Azure Resource Manager.
Internal MISP references
UUID ce93d401-b5aa-55f2-942a-d06541dac19a
which can be used as unique global reference for AZT106 - Gather Role Information
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT106 |
kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT106.1 - Gather AAD Role Information
An adversary may gather role assignments within Azure Active Directory.
Internal MISP references
UUID b8fc3465-e7d8-5615-a625-f1835d3c313e
which can be used as unique global reference for AZT106.1 - Gather AAD Role Information
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT106.1 |
kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT106.2 - Gather Application Role Information
An adversary may gather information about an application role and its member assignments within Azure Active Directory.
Internal MISP references
UUID 641e1474-3fa2-5851-9c5b-35bac592825e
which can be used as unique global reference for AZT106.2 - Gather Application Role Information
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT106.2 |
kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT106.3 - Gather Azure Resources Role Assignments
An adversary may gather role assignments for a specific Azure Resource, Resource Group, or Subscription.
Internal MISP references
UUID 12374642-bb8b-5339-ae75-093390894e98
which can be used as unique global reference for AZT106.3 - Gather Azure Resources Role Assignments
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT106.3 |
kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT107 - Gather Resource Data
An adversary may obtain information and data within a resource.
Internal MISP references
UUID 41439ad7-9877-532a-a289-3fff16707deb
which can be used as unique global reference for AZT107 - Gather Resource Data
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT107 |
kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT108 - Gather Victim Data
An adversary may access a user's personal data if their account is compromised. This includes data such as email, OneDrive, Teams, etc.
Internal MISP references
UUID 08444afe-88de-50a9-8396-c9ca035afc22
which can be used as unique global reference for AZT108 - Gather Victim Data
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT108 |
kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT201 - Valid Credentials
Adversaries may log in to AzureAD using valid credentials. By logging in with valid credentials to an account or service principal, the adversary assumes all privileges of that account or service principal. If the account is privileged, this may lead to other tactics, such as persistence or privilege escalation.
Internal MISP references
UUID 6ac38262-72d7-52a9-b450-a493ae97c7b4
which can be used as unique global reference for AZT201 - Valid Credentials
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT201 |
kill_chain | ['ATRM-tactics:Initial Access', 'ATRM-tactics:Privilege Escalation', 'ATRM-tactics:Persistence'] |
AZT201.1 - User Account
By obtaining valid user credentials, an adversary may log in to AzureAD via the command line or through the Azure Portal.
Internal MISP references
UUID 6782f12a-7221-5a47-9aae-5eef4e030a02
which can be used as unique global reference for AZT201.1 - User Account
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT201.1 |
kill_chain | ['ATRM-tactics:Initial Access'] |
AZT201.2 - Service Principal
By obtaining a valid secret or certificate, an adversary may log in to AzureAD via the command line.
Internal MISP references
UUID 30478a5c-82fc-5172-8129-0ece37005762
which can be used as unique global reference for AZT201.2 - Service Principal
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT201.2 |
kill_chain | ['ATRM-tactics:Initial Access'] |
AZT202 - Password Spraying
An adversary may potentially gain access to AzureAD by guessing a common password for multiple users.
Internal MISP references
UUID fab95406-0d7c-5239-bb94-38e1ca52a70a
which can be used as unique global reference for AZT202 - Password Spraying
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT202 |
kill_chain | ['ATRM-tactics:Initial Access'] |
AZT203 - Malicious Application Consent
An adversary may lure a victim into giving their access to a malicious application registered in AzureAD.
Internal MISP references
UUID 8a01a6ea-9fbb-518b-bae0-bafc27a54966
which can be used as unique global reference for AZT203 - Malicious Application Consent
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT203 |
kill_chain | ['ATRM-tactics:Initial Access'] |
AZT301 - Virtual Machine Scripting
Adversaries may abuse access to virtual machines by executing a script through various methods in order to gain access to the Virtual Machine.
Internal MISP references
UUID ac69d8a0-d616-5580-95a5-5abef15c8b81
which can be used as unique global reference for AZT301 - Virtual Machine Scripting
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT301 |
kill_chain | ['ATRM-tactics:Execution'] |
AZT301.1 - RunCommand
By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass PowerShell commands to a Windows VM as SYSTEM, or shell commands to a Linux VM as root.
Internal MISP references
UUID 9369194c-c4d6-5df4-aab1-93c1b3c631c2
which can be used as unique global reference for AZT301.1 - RunCommand
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT301.1 |
kill_chain | ['ATRM-tactics:Execution'] |
AZT301.2 - CustomScriptExtension
By utilizing the 'CustomScriptExtension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.
Internal MISP references
UUID 04ee0b6c-40dd-5e71-8825-b4ac9acdb0de
which can be used as unique global reference for AZT301.2 - CustomScriptExtension
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT301.2 |
kill_chain | ['ATRM-tactics:Execution'] |
AZT301.3 - Desired State Configuration
By utilizing the 'Desired State Configuration' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.
Internal MISP references
UUID 40233909-2e71-5884-95e6-79b2a06ffa46
which can be used as unique global reference for AZT301.3 - Desired State Configuration
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT301.3 |
kill_chain | ['ATRM-tactics:Execution'] |
AZT301.4 - Compute Gallery Application
By utilizing Compute Gallery Applications, an attacker can pass MS-DOS or PowerShell commands to the VM as SYSTEM.
Internal MISP references
UUID 74db1f38-d26b-576b-abac-b6b2ca53bcc8
which can be used as unique global reference for AZT301.4 - Compute Gallery Application
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT301.4 |
kill_chain | ['ATRM-tactics:Execution'] |
AZT301.5 - AKS Command Invoke
By utilizing 'command invoke' on an Azure Kubernetes Service (AKS) cluster, an attacker can pass commands to the cluster's VM as SYSTEM.
Internal MISP references
UUID dd442218-8ee7-5601-9fae-9d5ab16fcf62
which can be used as unique global reference for AZT301.5 - AKS Command Invoke
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT301.5 |
kill_chain | ['ATRM-tactics:Execution'] |
AZT301.6 - Vmss Run Command
By utilizing the 'RunCommand' feature on a virtual machine scale set (Vmss), an attacker can execute a command on one or more VM instances: PowerShell commands on a Windows VM as SYSTEM, or shell commands on a Linux VM as root.
Internal MISP references
UUID 6d141243-f440-54bb-9de3-81b65a01faf4
which can be used as unique global reference for AZT301.6 - Vmss Run Command
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT301.6 |
kill_chain | ['ATRM-tactics:Execution'] |
AZT301.7 - Serial Console
By utilizing the serial console feature on an Azure Virtual Machine, an adversary can pass arbitrary commands.
Internal MISP references
UUID b2f70558-6986-5dab-9a49-55fa5a1212bb
which can be used as unique global reference for AZT301.7 - Serial Console
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT301.7 |
kill_chain | ['ATRM-tactics:Execution'] |
AZT302 - Serverless Scripting
Adversaries may abuse access to serverless resources that are able to execute PowerShell or Python scripts on an Azure resource.
Internal MISP references
UUID 5ff07106-9f9e-5e52-9513-ccc856ea295a
which can be used as unique global reference for AZT302 - Serverless Scripting
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT302 |
kill_chain | ['ATRM-tactics:Execution'] |
AZT302.1 - Automation Account Runbook Hybrid Worker Group
By utilizing an Automation Account configured with a Hybrid Worker Group, an attacker can execute Azure commands on any Azure VM within that Hybrid Worker Group.
Internal MISP references
UUID 0b61dd42-24af-586a-b910-9c780c12d92a
which can be used as unique global reference for AZT302.1 - Automation Account Runbook Hybrid Worker Group
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT302.1 |
kill_chain | ['ATRM-tactics:Execution'] |
AZT302.2 - Automation Account Runbook RunAs Account
By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges.
Internal MISP references
UUID 21851b3a-6fd8-563a-8a51-f8ec44313879
which can be used as unique global reference for AZT302.2 - Automation Account Runbook RunAs Account
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT302.2 |
kill_chain | ['ATRM-tactics:Execution'] |
AZT302.3 - Automation Account Runbook Managed Identity
By utilizing an Automation Account configured with a Managed Identity, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges.
Internal MISP references
UUID 69c9faf8-2f97-5be1-ac7c-446593e88089
which can be used as unique global reference for AZT302.3 - Automation Account Runbook Managed Identity
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT302.3 |
kill_chain | ['ATRM-tactics:Execution'] |
AZT302.4 - Function Application
By utilizing a Function Application, an attacker can execute Azure operations on a given resource.
Internal MISP references
UUID b38b17be-7adc-529d-8f75-378d5e298f5f
which can be used as unique global reference for AZT302.4 - Function Application
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT302.4 |
kill_chain | ['ATRM-tactics:Execution'] |
AZT303 - Managed Device Scripting
Adversaries may abuse access to any managed devices in AzureAD by executing PowerShell or Python scripts on them.
Internal MISP references
UUID 5f103828-8662-50b7-a7b3-faa546194729
which can be used as unique global reference for AZT303 - Managed Device Scripting
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT303 |
kill_chain | ['ATRM-tactics:Execution'] |
AZT401 - Privileged Identity Management Role
An adversary may escalate their privileges if their current account is eligible for role activation via Privileged Identity Management (PIM).
Internal MISP references
UUID 74deaa24-30f1-5642-a1e1-44c8cbea46a7
which can be used as unique global reference for AZT401 - Privileged Identity Management Role
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT401 |
kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT402 - Elevated Access Toggle
An adversary may escalate their privileges from Azure AD to all Azure subscriptions in the tenant if they are a global administrator.
Internal MISP references
UUID f264fd49-c9a1-5ada-ba42-b59cb609d656
which can be used as unique global reference for AZT402 - Elevated Access Toggle
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT402 |
kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT403 - Local Resource Hijack
By modifying the .bashrc file in a CloudShell .IMG file, an adversary may escalate their privileges by injecting commands that will add an arbitrary user account to a desired role and scope.
Internal MISP references
UUID 9c190f8f-3ec2-5d7c-b19d-a8f5d40d826e
which can be used as unique global reference for AZT403 - Local Resource Hijack
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT403 |
kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT404 - Principal Impersonation
Adversaries may abuse resources that are configured with a service principal or other identity to further their access to the current or other resources.
Internal MISP references
UUID adeea4ca-8ff0-5159-815d-4bd53b0d1877
which can be used as unique global reference for AZT404 - Principal Impersonation
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT404 |
kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT404.1 - Function Application
By utilizing a Function Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.
Internal MISP references
UUID 7ed04b40-029b-5eb0-8c3d-e021f47e6bfa
which can be used as unique global reference for AZT404.1 - Function Application
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT404.1 |
kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT404.2 - Logic Application
By utilizing a Logic Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.
Internal MISP references
UUID a7bf6734-eae0-53d0-8356-be438c3909eb
which can be used as unique global reference for AZT404.2 - Logic Application
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT404.2 |
kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT404.3 - Automation Account
By utilizing a Function Application, an attacker can execute Azure operations on a given resource.
Internal MISP references
UUID d1694a7f-8497-5ce6-b426-b65728778bc2
which can be used as unique global reference for AZT404.3 - Automation Account
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT404.3 |
kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT404.4 - App Service
By utilizing an App Service configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.
Internal MISP references
UUID a69ea209-9156-5cfd-8190-c8e7c0d667bc
which can be used as unique global reference for AZT404.4 - App Service
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT404.4 |
kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT405 - Azure AD Application
Adversaries may abuse the assigned permissions on an Azure AD Application to escalate their privileges.
Internal MISP references
UUID 67271cac-5189-56b2-86e3-a40879107eca
which can be used as unique global reference for AZT405 - Azure AD Application
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT405 |
kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT405.1 - Application API Permissions
By compromising a user, a user in a group, or a service principal that holds an application role over an application, an attacker may be able to escalate their privileges by impersonating the associated service principal and leveraging any privileged application role assigned to it.
Internal MISP references
UUID f46e3cf1-d5d4-540e-b96d-d46ca6c092b9
which can be used as unique global reference for AZT405.1 - Application API Permissions
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT405.1 |
kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT405.2 - Application Role
By compromising a service principal whose application has privileged API permissions, an attacker can escalate their privileges to a higher privileged role.
Internal MISP references
UUID b00aa43b-033e-5c73-a558-adaf16391169
which can be used as unique global reference for AZT405.2 - Application Role
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT405.2 |
kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT405.3 - Application Registration Owner
By compromising an account that is an 'Owner' of an application configured with additional roles or API permissions, an attacker can escalate their privileges by adding a certificate or credentials and logging in as the service principal.
Internal MISP references
UUID c9012720-805b-5765-bb19-117b8844fff7
which can be used as unique global reference for AZT405.3 - Application Registration Owner
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT405.3 |
kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT501 - Account Manipulation
An adversary may manipulate an account to maintain access in an Azure tenant.
Internal MISP references
UUID 63bdb79b-02b5-53f5-84cd-7af94c28b5f8
which can be used as unique global reference for AZT501 - Account Manipulation
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT501 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT501.1 - User Account Manipulation
An adversary may manipulate a user account to maintain access in an Azure tenant.
Internal MISP references
UUID 76b94161-b0c4-58e9-8f2e-38c53e72af71
which can be used as unique global reference for AZT501.1 - User Account Manipulation
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT501.1 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT501.2 - Service Principal Manipulation
An adversary may manipulate a service principal to maintain access in an Azure tenant.
Internal MISP references
UUID 011f820f-cb51-5118-b491-6b533f907c64
which can be used as unique global reference for AZT501.2 - Service Principal Manipulation
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT501.2 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT501.3 - Azure VM Local Administrator Manipulation
An adversary may manipulate the local admin account on an Azure VM.
Internal MISP references
UUID a9e76b8d-9a2e-5635-8d31-2f2782f1b4b1
which can be used as unique global reference for AZT501.3 - Azure VM Local Administrator Manipulation
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT501.3 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT502 - Account Creation
An adversary may create an account in Azure Active Directory.
Internal MISP references
UUID c3e571e8-9893-5e3c-ac6b-cd2cfdf353b7
which can be used as unique global reference for AZT502 - Account Creation
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT502 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT502.1 - User Account Creation
An adversary may create an application & service principal in Azure Active Directory.
Internal MISP references
UUID abfc6aa3-2201-5c2b-8c23-ac50a918d692
which can be used as unique global reference for AZT502.1 - User Account Creation
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT502.1 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT502.2 - Service Principal Creation
An adversary may create an application & service principal in Azure Active Directory.
Internal MISP references
UUID fa999394-eadd-550a-8d47-50cdc65abe9a
which can be used as unique global reference for AZT502.2 - Service Principal Creation
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT502.2 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT502.3 - Guest Account Creation
An adversary may create a guest account in Azure Active Directory.
Internal MISP references
UUID 9f28935a-4eba-55bf-8f02-93ec6479bd31
which can be used as unique global reference for AZT502.3 - Guest Account Creation
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT502.3 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT503 - HTTP Trigger
Adversaries may configure a resource with an HTTP trigger to run commands without needing authentication.
Internal MISP references
UUID fbdebeff-4c97-5576-8ca1-edc008c8d6f0
which can be used as unique global reference for AZT503 - HTTP Trigger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT503 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT503.1 - Logic Application HTTP Trigger
Adversaries may configure a Logic Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.
Internal MISP references
UUID a540c588-a229-5f06-8e55-aa9936d48d29
which can be used as unique global reference for AZT503.1 - Logic Application HTTP Trigger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT503.1 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT503.2 - Function App HTTP Trigger
Adversaries may configure a Function Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.
Internal MISP references
UUID 6e223830-9497-5d9d-9e64-2349d8fd7da3
which can be used as unique global reference for AZT503.2 - Function App HTTP Trigger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT503.2 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT503.3 - Runbook Webhook
Adversaries may create a webhook to a Runbook which allows unauthenticated access into an Azure subscription or tenant.
Internal MISP references
UUID efe38e61-5580-5b23-b947-f93dfc1c6e1b
which can be used as unique global reference for AZT503.3 - Runbook Webhook
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT503.3 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT503.4 - WebJob
Adversaries may create a WebJob on an App Service, which allows arbitrary background tasks to be run on a set schedule.
Internal MISP references
UUID 3b5e2af6-1e38-562b-8969-048ad7a75262
which can be used as unique global reference for AZT503.4 - WebJob
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT503.4 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT504 - Watcher Tasks
By configuring a watcher task and a Runbook, an adversary can establish persistence by executing the Runbook on a triggered event.
Internal MISP references
UUID 94a052a1-83aa-588c-9d8e-1269e7e9eecf
which can be used as unique global reference for AZT504 - Watcher Tasks
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT504 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT505 - Scheduled Jobs
Adversaries may create a schedule for a Runbook to run at a defined interval.
Internal MISP references
UUID 4818f3d9-39ae-58ba-8e3c-c38610473435
which can be used as unique global reference for AZT505 - Scheduled Jobs
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT505 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT506 - Network Security Group Modification
Adversaries can modify the rules in a Network Security Group to establish access over additional ports.
Internal MISP references
UUID b611390f-01b1-5043-8abd-0f37a1edcb14
which can be used as unique global reference for AZT506 - Network Security Group Modification
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT506 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT507 - External Entity Access
Adversaries may configure the target Azure tenant to be managed by another, external tenant or its users.
Internal MISP references
UUID 1a35a003-3f49-560d-a54a-8acfbf203b97
which can be used as unique global reference for AZT507 - External Entity Access
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT507 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT507.1 - Azure Lighthouse
Adversaries may utilize Azure Lighthouse to manage the target tenant from an external tenant.
Internal MISP references
UUID dc904434-aac2-5509-8ecf-7ef7d1b22c28
which can be used as unique global reference for AZT507.1 - Azure Lighthouse
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT507.1 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT507.2 - Microsoft Partners
Adversaries may use Delegated Administrative Privileges to give themselves administrator access to the target tenant.
Internal MISP references
UUID 5f12fafa-7f63-5066-968c-d5d82d292623
which can be used as unique global reference for AZT507.2 - Microsoft Partners
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT507.2 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT507.3 - Subscription Hijack
An adversary may transfer a subscription from a target tenant to an attacker-controlled tenant. This retains the billing account set up by the target, and the target tenant administrators will no longer have control over the subscription.
Internal MISP references
UUID bcaad79d-3751-569b-97cc-cc21605a83bd
which can be used as unique global reference for AZT507.3 - Subscription Hijack
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT507.3 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT507.4 - Domain Trust Modification
An adversary may add an additional identity provider or domain to maintain a backdoor into the tenant.
Internal MISP references
UUID 0c19e4bf-39f4-577e-a722-af289cbe594e
which can be used as unique global reference for AZT507.4 - Domain Trust Modification
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT507.4 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT508 - Azure Policy
By configuring a policy with the 'DeployIfNotExists' definition, an adversary may establish persistence by creating a backdoor when the policy is triggered.
Internal MISP references
UUID 3f56cce5-bfd6-5cde-8e64-8142fcce23f4
which can be used as unique global reference for AZT508 - Azure Policy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT508 |
kill_chain | ['ATRM-tactics:Persistence'] |
AZT601 - Steal Managed Identity JsonWebToken
An adversary may utilize the resource's functionality to obtain a JWT for the applied Managed Identity Service Principal account.
Internal MISP references
UUID 8c2dea2c-2bfd-53b0-aca5-1e6d3bf4b369
which can be used as unique global reference for AZT601 - Steal Managed Identity JsonWebToken
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT601 |
kill_chain | ['ATRM-tactics:Credential Access'] |
AZT601.1 - Virtual Machine IMDS Request
By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an Azure VM if they have access to execute commands on the system.
Internal MISP references
UUID e11c90b6-eba6-5f5a-93f6-7c7de1bdd104
which can be used as unique global reference for AZT601.1 - Virtual Machine IMDS Request
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT601.1 |
kill_chain | ['ATRM-tactics:Credential Access'] |
AZT601.2 - Azure Kubernetes Service IMDS Request
By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an AKS Cluster if they have access to execute commands on the system.
Internal MISP references
UUID 6c8935d7-037d-568d-86a6-2eeadf5ca385
which can be used as unique global reference for AZT601.2 - Azure Kubernetes Service IMDS Request
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT601.2 |
kill_chain | ['ATRM-tactics:Credential Access'] |
AZT601.3 - Logic Application JWT PUT Request
If a Logic App is using a Managed Identity, an adversary can modify the logic to make an HTTP POST request to reveal the Managed Identity's JWT.
Internal MISP references
UUID 36c2bbe2-07b7-5601-ae4a-0657a1c75895
which can be used as unique global reference for AZT601.3 - Logic Application JWT PUT Request
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT601.3 |
kill_chain | ['ATRM-tactics:Credential Access'] |
AZT601.4 - Function Application JWT GET Request
If a Function App is using a Managed Identity, an adversary can modify the logic to respond to an HTTP GET request to reveal the Managed Identity's JWT.
Internal MISP references
UUID c64f2172-0dc5-5061-8128-c6c1fc59d3b3
which can be used as unique global reference for AZT601.4 - Function Application JWT GET Request
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT601.4 |
kill_chain | ['ATRM-tactics:Credential Access'] |
AZT601.5 - Automation Account Runbook
If an Automation Account is using a Managed Identity, an adversary can create a Runbook to request the Managed Identity's JWT.
Internal MISP references
UUID d369c182-37cb-55dd-bb0d-af57d277c051
which can be used as unique global reference for AZT601.5 - Automation Account Runbook
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT601.5 |
kill_chain | ['ATRM-tactics:Credential Access'] |
AZT602 - Steal Service Principal Certificate
If a Runbook is utilizing a 'RunAs' account, then an adversary may manipulate the Runbook to reveal the certificate the Service Principal is using for authentication.
Internal MISP references
UUID 027b05da-cabb-507c-a4b5-3a6c73859390
which can be used as unique global reference for AZT602 - Steal Service Principal Certificate
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT602 |
kill_chain | ['ATRM-tactics:Credential Access'] |
AZT603 - Service Principal Secret Reveal
If a Function App is using a service principal for authentication, an adversary may manipulate the function app logic to reveal the service principal's secret in plain text.
Internal MISP references
UUID 84639ccb-77a5-532f-bdac-a9d347d92304
which can be used as unique global reference for AZT603 - Service Principal Secret Reveal
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT603 |
kill_chain | ['ATRM-tactics:Credential Access'] |
AZT604 - Azure KeyVault Dumping
An adversary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.
Internal MISP references
UUID a23579ef-ddd3-5370-a2aa-2651f93b27d7
which can be used as unique global reference for AZT604 - Azure KeyVault Dumping
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT604 |
kill_chain | ['ATRM-tactics:Credential Access'] |
AZT604.1 - Azure KeyVault Secret Dump
By accessing an Azure Key Vault, an adversary may dump any or all secrets.
Internal MISP references
UUID cfcf7adc-3842-5186-9e6a-d595bcea09f7
which can be used as unique global reference for AZT604.1 - Azure KeyVault Secret Dump
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT604.1 |
kill_chain | ['ATRM-tactics:Credential Access'] |
AZT604.2 - Azure KeyVault Certificate Dump
By accessing an Azure Key Vault, an adversary may dump any or all certificates.
Internal MISP references
UUID 05e20b61-81d2-5b29-a7db-2ec6e84eae7e
which can be used as unique global reference for AZT604.2 - Azure KeyVault Certificate Dump
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT604.2 |
kill_chain | ['ATRM-tactics:Credential Access'] |
AZT604.3 - Azure KeyVault Key Dump
By accessing an Azure Key Vault, an adversary may dump any or all public keys. Note that private keys cannot be retrieved.
Internal MISP references
UUID 06ec5785-88db-51c1-88f3-f0e6eed32830
which can be used as unique global reference for AZT604.3 - Azure KeyVault Key Dump
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT604.3 |
kill_chain | ['ATRM-tactics:Credential Access'] |
AZT605 - Resource Secret Reveal
An adversary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.
Internal MISP references
UUID ecc40a2a-a85d-5e60-9e21-dffe6d07d85f
which can be used as unique global reference for AZT605 - Resource Secret Reveal
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT605 |
kill_chain | ['ATRM-tactics:Credential Access'] |
AZT605.1 - Storage Account Access Key Dumping
By accessing a Storage Account, an adversary may dump access keys pertaining to the Storage Account, which will give them full access to the Storage Account.
Internal MISP references
UUID 4c22fbc1-60b0-5f4a-af4f-8fc32edcfe8a
which can be used as unique global reference for AZT605.1 - Storage Account Access Key Dumping
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT605.1 |
kill_chain | ['ATRM-tactics:Credential Access'] |
AZT605.2 - Automation Account Credential Secret Dump
By editing a Runbook, a credential configured in an Automation Account may be revealed.
Internal MISP references
UUID 49ec3f4e-7185-5e89-9ac0-3b5b0547f7bd
which can be used as unique global reference for AZT605.2 - Automation Account Credential Secret Dump
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT605.2 |
kill_chain | ['ATRM-tactics:Credential Access'] |
AZT605.3 - Resource Group Deployment History Secret Dump
By accessing deployment history of a Resource Group, secrets used in the ARM template may be revealed.
Internal MISP references
UUID 12c8ab19-5265-5ae3-8f16-bf35bc41f94e
which can be used as unique global reference for AZT605.3 - Resource Group Deployment History Secret Dump
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT605.3 |
kill_chain | ['ATRM-tactics:Credential Access'] |
AZT701 - SAS URI Generation
By generating an SAS URI for a resource, an adversary may extract the contents of that resource without authentication at any time.
Internal MISP references
UUID 9ca7b25c-643a-5e55-a210-684f49fe82d8
which can be used as unique global reference for AZT701 - SAS URI Generation
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT701 |
kill_chain | ['ATRM-tactics:Impact'] |
AZT701.1 - VM Disk SAS URI
An adversary may create an SAS URI to download the disk attached to a virtual machine.
Internal MISP references
UUID 8805d880-8887-52b6-a113-8c0f4fec4230
which can be used as unique global reference for AZT701.1 - VM Disk SAS URI
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT701.1 |
kill_chain | ['ATRM-tactics:Impact'] |
AZT701.2 - Storage Account File Share SAS
By generating a Shared Access Signature (SAS) URI, an adversary can access a container in a Storage Account at any time.
Internal MISP references
UUID aae55a3a-8e32-5a62-8d41-837b2ebb1e69
which can be used as unique global reference for AZT701.2 - Storage Account File Share SAS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT701.2 |
kill_chain | ['ATRM-tactics:Impact'] |
AZT702 - File Share Mounting
An adversary can generate a connection string to mount an Azure Storage Account File Share as an NFS or SMB share to their local machine.
Internal MISP references
UUID dc6f9ee0-55b2-5197-87a5-7474cfc04d72
which can be used as unique global reference for AZT702 - File Share Mounting
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT702 |
kill_chain | ['ATRM-tactics:Impact'] |
AZT703 - Replication
Internal MISP references
UUID ff4276bf-ab9e-5157-a171-5cdd4a3e6002
which can be used as unique global reference for AZT703 - Replication
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT703 |
kill_chain | ['ATRM-tactics:Impact'] |
AZT704 - Soft-Delete Recovery
An adversary may leverage resources found in a 'soft deletion' state, restore them, and advance their attack by retrieving contents that were meant to be deleted.
Internal MISP references
UUID 47ded49d-ef4c-57d4-8050-f66f884c4388
which can be used as unique global reference for AZT704 - Soft-Delete Recovery
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT704 |
kill_chain | ['ATRM-tactics:Impact'] |
AZT704.1 - Key Vault
An adversary may recover a key vault object found in a 'soft deletion' state.
Internal MISP references
UUID d8fc76f2-6776-5a09-bfb3-57852ae1d786
which can be used as unique global reference for AZT704.1 - Key Vault
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT704.1 |
kill_chain | ['ATRM-tactics:Impact'] |
AZT704.2 - Storage Account Object
An adversary may recover a storage account object found in a 'soft deletion' state.
Internal MISP references
UUID cd9f0082-b2c7-53f8-95a6-a4fe746f973e
which can be used as unique global reference for AZT704.2 - Storage Account Object
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT704.2 |
kill_chain | ['ATRM-tactics:Impact'] |
AZT704.3 - Recovery Services Vault
An adversary may recover a virtual machine object found in a 'soft deletion' state.
Internal MISP references
UUID d333405e-af82-555c-a68f-e723878b5f55
which can be used as unique global reference for AZT704.3 - Recovery Services Vault
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT704.3 |
kill_chain | ['ATRM-tactics:Impact'] |
AZT705 - Azure Backup Delete
An adversary may recover a virtual machine object found in a 'soft deletion' state.
Internal MISP references
UUID 9d181c95-ccf7-5c94-8f4a-f6a2df62d760
which can be used as unique global reference for AZT705 - Azure Backup Delete
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | AZT705 |
kill_chain | ['ATRM-tactics:Impact'] |