Azure Threat Research Matrix
The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.
Authors
| Authors and/or Contributors |
|---|
| Microsoft |
| Karl Fosaaen |
| Nestori Syynimaa |
| Ryan Cobb |
| Roberto Rodriguez |
| Manuel Berrueta |
| Jonny Johnson |
| Dor Edry |
| Ram Pliskin |
| Nikhil Mittal |
| MITRE ATT&CK |
| AlertIQ |
| Craig Fretwell |
AZT101 - Port Mapping
It is possible to view the open ports on a virtual machine by viewing the Virtual Network Interface's assigned Network Security Group
Internal MISP references
UUID 2b95d14b-2af8-53d9-b72b-a15a966fcd7a which can be used as unique global reference for AZT101 - Port Mapping in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT102 - IP Discovery
It is possible to view the IP address on a resource by viewing the Virtual Network Interface
Internal MISP references
UUID 1c5cdaa4-3e58-5158-8027-7b08c0bd93de which can be used as unique global reference for AZT102 - IP Discovery in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT103 - Public Accessible Resource
A resource within Azure is accessible from the public internet.
Internal MISP references
UUID 6c6052f7-3d6b-503b-99b2-8c32e0ed44cf which can be used as unique global reference for AZT103 - Public Accessible Resource in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT104 - Gather User Information
An adversary may obtain information about a User within Azure Active Directory. Details may include email addresses, first/last names, job information, addresses, and assigned roles. By default, all users are able to read other user's roles and group memberships within AAD.
Internal MISP references
UUID df3fd847-3947-5ffa-9fc1-3482575a0796 which can be used as unique global reference for AZT104 - Gather User Information in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT105 - Gather Application Information
An adversary may obtain information about an application within Azure Active Directory.
Internal MISP references
UUID 9a3ef449-a40d-5f65-bbc1-1170dea045d5 which can be used as unique global reference for AZT105 - Gather Application Information in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT106 - Gather Role Information
An adversary may obtain information about a role within Azure Active Directory or within Azure Resource Manager.
Internal MISP references
UUID ce93d401-b5aa-55f2-942a-d06541dac19a which can be used as unique global reference for AZT106 - Gather Role Information in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT106.1 - Gather AAD Role Information
An adversary may gather role assignments within Azure Active Directory.
Internal MISP references
UUID b8fc3465-e7d8-5615-a625-f1835d3c313e which can be used as unique global reference for AZT106.1 - Gather AAD Role Information in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT106.2 - Gather Application Role Information
An adversary may gather information about an application role & it's member assignments within Azure Active Directory.
Internal MISP references
UUID 641e1474-3fa2-5851-9c5b-35bac592825e which can be used as unique global reference for AZT106.2 - Gather Application Role Information in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT106.3 - Gather Azure Resources Role Assignments
An adversary may gather role assignments for a specific Azure Resource, Resource Group, or Subscription.
Internal MISP references
UUID 12374642-bb8b-5339-ae75-093390894e98 which can be used as unique global reference for AZT106.3 - Gather Azure Resources Role Assignments in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT107 - Gather Resource Data
An adversary may obtain information and data within a resource.
Internal MISP references
UUID 41439ad7-9877-532a-a289-3fff16707deb which can be used as unique global reference for AZT107 - Gather Resource Data in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT108 - Gather Victim Data
An adversary may access a user's personal data if their account is compromised. This includes data such as email, OneDrive, Teams, etc.
Internal MISP references
UUID 08444afe-88de-50a9-8396-c9ca035afc22 which can be used as unique global reference for AZT108 - Gather Victim Data in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Reconnaissance'] |
AZT201 - Valid Credentials
Adversaries may login to AzureAD using valid credentials. By logging in with valid credentials to an account or service principal, the adversary will assume all privileges of that account or service principal. If the account is privileged, this may lead to other tactics, such as persistence or privilege escalation.
Internal MISP references
UUID 6ac38262-72d7-52a9-b450-a493ae97c7b4 which can be used as unique global reference for AZT201 - Valid Credentials in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Initial Access', 'ATRM-tactics:Privilege Escalation', 'ATRM-tactics:Persistence'] |
AZT201.1 - User Account
By obtaining valid user credentials, an adversary may login to AzureAD via command line or through the Azure Portal.
Internal MISP references
UUID 6782f12a-7221-5a47-9aae-5eef4e030a02 which can be used as unique global reference for AZT201.1 - User Account in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Initial Access'] |
AZT201.2 - Service Principal
By obtaining a valid secret or certificate, an adversary may login to AzureAD via command line.
Internal MISP references
UUID 30478a5c-82fc-5172-8129-0ece37005762 which can be used as unique global reference for AZT201.2 - Service Principal in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Initial Access'] |
AZT202 - Password Spraying
An adversary may potentially gain access to AzureAD by guessing a common password for multiple users.
Internal MISP references
UUID fab95406-0d7c-5239-bb94-38e1ca52a70a which can be used as unique global reference for AZT202 - Password Spraying in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Initial Access'] |
AZT203 - Malicious Application Consent
An adversary may lure a victim into giving their access to a malicious application registered in AzureAD.
Internal MISP references
UUID 8a01a6ea-9fbb-518b-bae0-bafc27a54966 which can be used as unique global reference for AZT203 - Malicious Application Consent in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Initial Access'] |
AZT301 - Virtual Machine Scripting
Adversaries may abuse access to virtual machines by executing a script through various methods in order to gain access to the Virtual Machine.
Internal MISP references
UUID ac69d8a0-d616-5580-95a5-5abef15c8b81 which can be used as unique global reference for AZT301 - Virtual Machine Scripting in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Execution'] |
AZT301.1 - RunCommand
By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass: Windows: PowerShell commands to the VM as SYSTEM. Linux: Shell commands to the VM as root.
Internal MISP references
UUID 9369194c-c4d6-5df4-aab1-93c1b3c631c2 which can be used as unique global reference for AZT301.1 - RunCommand in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Execution'] |
AZT301.2 - CustomScriptExtension
By utilizing the 'CustomScriptExtension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.
Internal MISP references
UUID 04ee0b6c-40dd-5e71-8825-b4ac9acdb0de which can be used as unique global reference for AZT301.2 - CustomScriptExtension in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Execution'] |
AZT301.3 - Desired State Configuration
By utilizing the 'Desired State Configuration extension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.
Internal MISP references
UUID 40233909-2e71-5884-95e6-79b2a06ffa46 which can be used as unique global reference for AZT301.3 - Desired State Configuration in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Execution'] |
AZT301.4 - Compute Gallery Application
By utilizing Compute Gallery Applications, an attacker can pass MS-DOS or PowerShell commands to the VM as SYSTEM.
Internal MISP references
UUID 74db1f38-d26b-576b-abac-b6b2ca53bcc8 which can be used as unique global reference for AZT301.4 - Compute Gallery Application in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Execution'] |
AZT301.5 - AKS Command Invoke
By utilizing 'command invoke' on an Azure Kubernetes Service (AKS) cluster, an attacker can pass commands to the cluster's VM as SYSTEM
Internal MISP references
UUID dd442218-8ee7-5601-9fae-9d5ab16fcf62 which can be used as unique global reference for AZT301.5 - AKS Command Invoke in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Execution'] |
AZT301.6 - Vmss Run Command
By utilizing the 'RunCommand' feature on a virtual machine scale set (Vmss), an attacker can execute a command on an instance or instances of VMs as: Windows: PowerShell commands to the VM as SYSTEM. Linux: Shell commands to the VM as root.
Internal MISP references
UUID 6d141243-f440-54bb-9de3-81b65a01faf4 which can be used as unique global reference for AZT301.6 - Vmss Run Command in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Execution'] |
AZT301.7 - Serial Console
By utilizing the serial console feature on an Azure Virtual Machine, an adversary can pass arbitrary commands.
Internal MISP references
UUID b2f70558-6986-5dab-9a49-55fa5a1212bb which can be used as unique global reference for AZT301.7 - Serial Console in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Execution'] |
AZT302 - Serverless Scripting
Adversaries may abuse access to serverless resources that are able to execute PowerShell or Python scripts on an Azure resource.
Internal MISP references
UUID 5ff07106-9f9e-5e52-9513-ccc856ea295a which can be used as unique global reference for AZT302 - Serverless Scripting in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Execution'] |
AZT302.1 - Automation Account Runbook Hybrid Worker Group
By utilizing an Automation Account configured with a Hybrid Worker Group, an attacker can execute Azure commands on any Azure VM within that Hybrid Worker Group.
Internal MISP references
UUID 0b61dd42-24af-586a-b910-9c780c12d92a which can be used as unique global reference for AZT302.1 - Automation Account Runbook Hybrid Worker Group in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Execution'] |
AZT302.2 - Automation Account Runbook RunAs Account
By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges.
Internal MISP references
UUID 21851b3a-6fd8-563a-8a51-f8ec44313879 which can be used as unique global reference for AZT302.2 - Automation Account Runbook RunAs Account in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Execution'] |
AZT302.3 - Automation Account Runbook Managed Identity
By utilizing an Automation Account configured with a Managed Identity, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges.
Internal MISP references
UUID 69c9faf8-2f97-5be1-ac7c-446593e88089 which can be used as unique global reference for AZT302.3 - Automation Account Runbook Managed Identity in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Execution'] |
AZT302.4 - Function Application
By utilizing a Function Application, an attacker can execute Azure operations on a given resource.
Internal MISP references
UUID b38b17be-7adc-529d-8f75-378d5e298f5f which can be used as unique global reference for AZT302.4 - Function Application in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Execution'] |
AZT303 - Managed Device Scripting
Adversaries may abuse access to any managed devices in AzureAD by executing PowerShell or Python scripts on them.
Internal MISP references
UUID 5f103828-8662-50b7-a7b3-faa546194729 which can be used as unique global reference for AZT303 - Managed Device Scripting in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Execution'] |
AZT401 - Privileged Identity Management Role
An adversary may escalate their privileges if their current account is eligible for role activation via Privileged Identity Management (PIM).
Internal MISP references
UUID 74deaa24-30f1-5642-a1e1-44c8cbea46a7 which can be used as unique global reference for AZT401 - Privileged Identity Management Role in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT402 - Elevated Access Toggle
An adversary may escalate their privileges from Azure AD to all Azure subscriptions in the tenant if they are a global administrator
Internal MISP references
UUID f264fd49-c9a1-5ada-ba42-b59cb609d656 which can be used as unique global reference for AZT402 - Elevated Access Toggle in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT403 - Local Resource Hijack
By modifying the .bashrc file in a CloudShell .IMG file, an adversary may escalate their privileges by injecting commands that will add an arbitrary user account to a desired role and scope.
Internal MISP references
UUID 9c190f8f-3ec2-5d7c-b19d-a8f5d40d826e which can be used as unique global reference for AZT403 - Local Resource Hijack in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT404 - Principal Impersonation
Adversaries may abuse resources that are configured with a service principal or other identity to further their access to the current or other resources.
Internal MISP references
UUID adeea4ca-8ff0-5159-815d-4bd53b0d1877 which can be used as unique global reference for AZT404 - Principal Impersonation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT404.1 - Function Application
By utilizing a Function Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.
Internal MISP references
UUID 7ed04b40-029b-5eb0-8c3d-e021f47e6bfa which can be used as unique global reference for AZT404.1 - Function Application in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT404.2 - Logic Application
By utilizing a Logic Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.
Internal MISP references
UUID a7bf6734-eae0-53d0-8356-be438c3909eb which can be used as unique global reference for AZT404.2 - Logic Application in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT404.3 - Automation Account
By utilizing a Function Application, an attacker can execute Azure operations on a given resource.
Internal MISP references
UUID d1694a7f-8497-5ce6-b426-b65728778bc2 which can be used as unique global reference for AZT404.3 - Automation Account in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT404.4 - App Service
By utilizing an App Service configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.
Internal MISP references
UUID a69ea209-9156-5cfd-8190-c8e7c0d667bc which can be used as unique global reference for AZT404.4 - App Service in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT405 - Azure AD Application
Adversaries may abuse the assigned permissions on an Azure AD Application to escalate their privileges.
Internal MISP references
UUID 67271cac-5189-56b2-86e3-a40879107eca which can be used as unique global reference for AZT405 - Azure AD Application in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT405.1 - Application API Permissions
By compromising a user, user in a group, or service principal that has an application role over an application, they may be able to escalate their privileges by impersonating the associated service principal and leveraging any privileged assigned application role.
Internal MISP references
UUID f46e3cf1-d5d4-540e-b96d-d46ca6c092b9 which can be used as unique global reference for AZT405.1 - Application API Permissions in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT405.2 - Application Role
By compromising a service principal whose application has privileged API permissions, an attacker can escalate their privileges to a higher privileged role.
Internal MISP references
UUID b00aa43b-033e-5c73-a558-adaf16391169 which can be used as unique global reference for AZT405.2 - Application Role in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT405.3 - Application Registration Owner
By compromising an account who is an 'Owner' over an application that is configured with additional roles or API permissions, an attacker can escalate their privileges by adding a certificate or credentials & logging in as the service principal.
Internal MISP references
UUID c9012720-805b-5765-bb19-117b8844fff7 which can be used as unique global reference for AZT405.3 - Application Registration Owner in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Privilege Escalation'] |
AZT501 - Account Manipulation
An adverary may manipulate an account to maintain access in an Azure tenant
Internal MISP references
UUID 63bdb79b-02b5-53f5-84cd-7af94c28b5f8 which can be used as unique global reference for AZT501 - Account Manipulation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT501.1 - User Account Manipulation
An adverary may manipulate a user account to maintain access in an Azure tenant
Internal MISP references
UUID 76b94161-b0c4-58e9-8f2e-38c53e72af71 which can be used as unique global reference for AZT501.1 - User Account Manipulation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT501.2 - Service Principal Manipulation
An adverary may manipulate a service principal to maintain access in an Azure tenant
Internal MISP references
UUID 011f820f-cb51-5118-b491-6b533f907c64 which can be used as unique global reference for AZT501.2 - Service Principal Manipulation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT501.3 - Azure VM Local Administrator Manipulation
An adverary may manipulate the local admin account on an Azure VM
Internal MISP references
UUID a9e76b8d-9a2e-5635-8d31-2f2782f1b4b1 which can be used as unique global reference for AZT501.3 - Azure VM Local Administrator Manipulation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT502 - Account Creation
An adversary may create an account in Azure Active Directory.
Internal MISP references
UUID c3e571e8-9893-5e3c-ac6b-cd2cfdf353b7 which can be used as unique global reference for AZT502 - Account Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT502.1 - User Account Creation
An adversary may create an application & service principal in Azure Active Directory
Internal MISP references
UUID abfc6aa3-2201-5c2b-8c23-ac50a918d692 which can be used as unique global reference for AZT502.1 - User Account Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT502.2 - Service Principal Creation
An adversary may create an application & service principal in Azure Active Directory
Internal MISP references
UUID fa999394-eadd-550a-8d47-50cdc65abe9a which can be used as unique global reference for AZT502.2 - Service Principal Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT502.3 - Guest Account Creation
An adversary may create a guest account in Azure Active Directory
Internal MISP references
UUID 9f28935a-4eba-55bf-8f02-93ec6479bd31 which can be used as unique global reference for AZT502.3 - Guest Account Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT503 - HTTP Trigger
Adversaries may configure a resource with an HTTP trigger to run commands without needing authentication.
Internal MISP references
UUID fbdebeff-4c97-5576-8ca1-edc008c8d6f0 which can be used as unique global reference for AZT503 - HTTP Trigger in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT503.1 - Logic Application HTTP Trigger
Adversaries may configure a Logic Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.
Internal MISP references
UUID a540c588-a229-5f06-8e55-aa9936d48d29 which can be used as unique global reference for AZT503.1 - Logic Application HTTP Trigger in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT503.2 - Function App HTTP Trigger
Adversaries may configure a Function Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.
Internal MISP references
UUID 6e223830-9497-5d9d-9e64-2349d8fd7da3 which can be used as unique global reference for AZT503.2 - Function App HTTP Trigger in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT503.3 - Runbook Webhook
Adversaries may create a webhook to a Runbook which allows unauthenticated access into an Azure subscription or tenant.
Internal MISP references
UUID efe38e61-5580-5b23-b947-f93dfc1c6e1b which can be used as unique global reference for AZT503.3 - Runbook Webhook in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT503.4 - WebJob
Adversaries may create a WebJob on a App Service which allows arbitrary background tasks to be run on a set schedule
Internal MISP references
UUID 3b5e2af6-1e38-562b-8969-048ad7a75262 which can be used as unique global reference for AZT503.4 - WebJob in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT504 - Watcher Tasks
By configurating a watcher task and a Runbook, an adversary can establish persistence by executing the Runbook on a triggered event.
Internal MISP references
UUID 94a052a1-83aa-588c-9d8e-1269e7e9eecf which can be used as unique global reference for AZT504 - Watcher Tasks in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT505 - Scheduled Jobs
Adversaries may create a schedule for a Runbook to run at a defined interval.
Internal MISP references
UUID 4818f3d9-39ae-58ba-8e3c-c38610473435 which can be used as unique global reference for AZT505 - Scheduled Jobs in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT506 - Network Security Group Modification
Adversaries can modify the rules in a Network Security Group to establish access over additional ports.
Internal MISP references
UUID b611390f-01b1-5043-8abd-0f37a1edcb14 which can be used as unique global reference for AZT506 - Network Security Group Modification in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT507 - External Entity Access
Adversaries may configure the target Azure tenant to be managed by another, externel tenant, or its users.
Internal MISP references
UUID 1a35a003-3f49-560d-a54a-8acfbf203b97 which can be used as unique global reference for AZT507 - External Entity Access in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT507.1 - Azure Lighthouse
Adversaries may utilize Azure Lighthouse to manage the target tenant from an external tenant
Internal MISP references
UUID dc904434-aac2-5509-8ecf-7ef7d1b22c28 which can be used as unique global reference for AZT507.1 - Azure Lighthouse in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT507.2 - Microsoft Partners
Adversaries may use Delegated Administrative Privileges to give themselves administrator access to the target tenant.
Internal MISP references
UUID 5f12fafa-7f63-5066-968c-d5d82d292623 which can be used as unique global reference for AZT507.2 - Microsoft Partners in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT507.3 - Subscription Hijack
An adversary may transfer a subscription from a target tenant to an attacker-controlled tenant. This retains the billing account setup by the target and the target tenant administrators will no longer have control over the subscription.
Internal MISP references
UUID bcaad79d-3751-569b-97cc-cc21605a83bd which can be used as unique global reference for AZT507.3 - Subscription Hijack in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT507.4 - Domain Trust Modification
An adversary may add an additional identity provider or domain to maintain a backdoor into the tenant.
Internal MISP references
UUID 0c19e4bf-39f4-577e-a722-af289cbe594e which can be used as unique global reference for AZT507.4 - Domain Trust Modification in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT508 - Azure Policy
By configuring a policy with the 'DeployIfNotExists' definition, an adverary may establish persistence by creating a backdoor when the policy is triggered.
Internal MISP references
UUID 3f56cce5-bfd6-5cde-8e64-8142fcce23f4 which can be used as unique global reference for AZT508 - Azure Policy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Persistence'] |
AZT601 - Steal Managed Identity JsonWebToken
An adverary may utilize the resource's functionality to obtain a JWT for the applied Managed Identity Service Principal account.
Internal MISP references
UUID 8c2dea2c-2bfd-53b0-aca5-1e6d3bf4b369 which can be used as unique global reference for AZT601 - Steal Managed Identity JsonWebToken in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Credential Access'] |
AZT601.1 - Virtual Machine IMDS Request
By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an Azure VM if they have access to execute commands on the system.
Internal MISP references
UUID e11c90b6-eba6-5f5a-93f6-7c7de1bdd104 which can be used as unique global reference for AZT601.1 - Virtual Machine IMDS Request in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Credential Access'] |
AZT601.2 - Azure Kubernetes Service IMDS Request
By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an AKS Cluster if they have access to execute commands on the system.
Internal MISP references
UUID 6c8935d7-037d-568d-86a6-2eeadf5ca385 which can be used as unique global reference for AZT601.2 - Azure Kubernetes Service IMDS Request in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Credential Access'] |
AZT601.3 - Logic Application JWT PUT Request
If a Logic App is using a Managed Identity, an adversary can modify the logic to make an HTTP POST request to reveal the Managed Identity's JWT.
Internal MISP references
UUID 36c2bbe2-07b7-5601-ae4a-0657a1c75895 which can be used as unique global reference for AZT601.3 - Logic Application JWT PUT Request in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Credential Access'] |
AZT601.4 - Function Application JWT GET Request
If a Function App is using a Managed Identity, an adversary can modify the logic respond to an HTTP GET request to reveal the Managed Identity's JWT.
Internal MISP references
UUID c64f2172-0dc5-5061-8128-c6c1fc59d3b3 which can be used as unique global reference for AZT601.4 - Function Application JWT GET Request in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Credential Access'] |
AZT601.5 - Automation Account Runbook
If an Automation Account is using a Managed Identity, an adversary can create a Runbook to request the Managed Identity's JWT.
Internal MISP references
UUID d369c182-37cb-55dd-bb0d-af57d277c051 which can be used as unique global reference for AZT601.5 - Automation Account Runbook in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Credential Access'] |
AZT602 - Steal Service Principal Certificate
If a Runbook is utilizing a 'RunAs' account, then an adversary may manipulate the Runbook to reveal the certificate the Service Principal is using for authentication.
Internal MISP references
UUID 027b05da-cabb-507c-a4b5-3a6c73859390 which can be used as unique global reference for AZT602 - Steal Service Principal Certificate in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Credential Access'] |
AZT603 - Service Principal Secret Reveal
If a Function App is using a service principal for authentication, an adversary may manipulate the function app logic to reveal the service principal's secret in plain text.
Internal MISP references
UUID 84639ccb-77a5-532f-bdac-a9d347d92304 which can be used as unique global reference for AZT603 - Service Principal Secret Reveal in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Credential Access'] |
AZT604 - Azure KeyVault Dumping
An adverary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.
Internal MISP references
UUID a23579ef-ddd3-5370-a2aa-2651f93b27d7 which can be used as unique global reference for AZT604 - Azure KeyVault Dumping in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Credential Access'] |
AZT604.1 - Azure KeyVault Secret Dump
By accessing an Azure Key Vault, an adversary may dump any or all secrets.
Internal MISP references
UUID cfcf7adc-3842-5186-9e6a-d595bcea09f7 which can be used as unique global reference for AZT604.1 - Azure KeyVault Secret Dump in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Credential Access'] |
AZT604.2 - Azure KeyVault Certificate Dump
By accessing an Azure Key Vault, an adversary may dump any or all certificates.
Internal MISP references
UUID 05e20b61-81d2-5b29-a7db-2ec6e84eae7e which can be used as unique global reference for AZT604.2 - Azure KeyVault Certificate Dump in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Credential Access'] |
AZT604.3 - Azure KeyVault Key Dump
By accessing an Azure Key Vault, an adversary may dump any or all public keys. Note that Private keys cannot be retrieved.
Internal MISP references
UUID 06ec5785-88db-51c1-88f3-f0e6eed32830 which can be used as unique global reference for AZT604.3 - Azure KeyVault Key Dump in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Credential Access'] |
AZT605 - Resource Secret Reveal
An adverary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.
Internal MISP references
UUID ecc40a2a-a85d-5e60-9e21-dffe6d07d85f which can be used as unique global reference for AZT605 - Resource Secret Reveal in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Credential Access'] |
AZT605.1 - Storage Account Access Key Dumping
By accessing a Storage Account, an adversary may dump access keys pertaining to the Storage Account, which will give them full access to the Storage Account.
Internal MISP references
UUID 4c22fbc1-60b0-5f4a-af4f-8fc32edcfe8a which can be used as unique global reference for AZT605.1 - Storage Account Access Key Dumping in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Credential Access'] |
AZT605.2 - Automation Account Credential Secret Dump
By editing a Runbook, a credential configured in an Automation Account may be revealed
Internal MISP references
UUID 49ec3f4e-7185-5e89-9ac0-3b5b0547f7bd which can be used as unique global reference for AZT605.2 - Automation Account Credential Secret Dump in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Credential Access'] |
AZT605.3 - Resource Group Deployment History Secret Dump
By accessing deployment history of a Resource Group, secrets used in the ARM template may be revealed.
Internal MISP references
UUID 12c8ab19-5265-5ae3-8f16-bf35bc41f94e which can be used as unique global reference for AZT605.3 - Resource Group Deployment History Secret Dump in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Credential Access'] |
AZT701 - SAS URI Generation
By generating an SAS URI for a resource, an adversary may extract the contents of that resource without authentication at any time.
Internal MISP references
UUID 9ca7b25c-643a-5e55-a210-684f49fe82d8 which can be used as unique global reference for AZT701 - SAS URI Generation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Impact'] |
AZT701.1 - VM Disk SAS URI
An adversary may create an SAS URI to download the disk attached to a virtual machine.
Internal MISP references
UUID 8805d880-8887-52b6-a113-8c0f4fec4230 which can be used as unique global reference for AZT701.1 - VM Disk SAS URI in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Impact'] |
AZT701.2 - Storage Account File Share SAS
By generating a Shared Access Signature (SAS) URI, an adversary can access a container in a Storage Account at any time.
Internal MISP references
UUID aae55a3a-8e32-5a62-8d41-837b2ebb1e69 which can be used as unique global reference for AZT701.2 - Storage Account File Share SAS in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Impact'] |
AZT702 - File Share Mounting
An adversary can generate a connection string to mount an Azure Storage Account File Share as an NFS or SMB share to their local machine.
Internal MISP references
UUID dc6f9ee0-55b2-5197-87a5-7474cfc04d72 which can be used as unique global reference for AZT702 - File Share Mounting in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Impact'] |
AZT703 - Replication
Internal MISP references
UUID ff4276bf-ab9e-5157-a171-5cdd4a3e6002 which can be used as unique global reference for AZT703 - Replication in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Impact'] |
AZT704 - Soft-Delete Recovery
An adversary may leverage resources found at a 'soft deletion' state, restore them and advance their attack by retrieving contents meant to be deleted
Internal MISP references
UUID 47ded49d-ef4c-57d4-8050-f66f884c4388 which can be used as unique global reference for AZT704 - Soft-Delete Recovery in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Impact'] |
AZT704.1 - Key Vault
An adversary may recover a key vault object found in a 'soft deletion' state.
Internal MISP references
UUID d8fc76f2-6776-5a09-bfb3-57852ae1d786 which can be used as unique global reference for AZT704.1 - Key Vault in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Impact'] |
AZT704.2 - Storage Account Object
An adversary may recover a storage account object found in a 'soft deletion' state.
Internal MISP references
UUID cd9f0082-b2c7-53f8-95a6-a4fe746f973e which can be used as unique global reference for AZT704.2 - Storage Account Object in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Impact'] |
AZT704.3 - Recovery Services Vault
An adversary may recover a virtual machine object found in a 'soft deletion' state.
Internal MISP references
UUID d333405e-af82-555c-a68f-e723878b5f55 which can be used as unique global reference for AZT704.3 - Recovery Services Vault in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Impact'] |
AZT705 - Azure Backup Delete
An adversary may recover a virtual machine object found in a 'soft deletion' state.
Internal MISP references
UUID 9d181c95-ccf7-5c94-8f4a-f6a2df62d760 which can be used as unique global reference for AZT705 - Azure Backup Delete in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| kill_chain | ['ATRM-tactics:Impact'] |