Azure Threat Research Matrix

The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.

Authors
Authors and/or Contributors
AlertIQ
Craig Fretwell
Dor Edry
Jonny Johnson
Karl Fosaaen
MITRE ATT&CK
Manuel Berrueta
Microsoft
Nestori Syynimaa
Nikhil Mittal
Ram Pliskin
Roberto Rodriguez
Ryan Cobb

AZT101 - Port Mapping

It is possible to view the open ports on a virtual machine by viewing the Virtual Network Interface's assigned Network Security Group.

Internal MISP references

UUID 2b95d14b-2af8-53d9-b72b-a15a966fcd7a which can be used as unique global reference for AZT101 - Port Mapping in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT101
kill_chain ['ATRM-tactics:Reconnaissance']

AZT102 - IP Discovery

It is possible to view the IP address on a resource by viewing the Virtual Network Interface.

Internal MISP references

UUID 1c5cdaa4-3e58-5158-8027-7b08c0bd93de which can be used as unique global reference for AZT102 - IP Discovery in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT102
kill_chain ['ATRM-tactics:Reconnaissance']

AZT103 - Public Accessible Resource

A resource within Azure is accessible from the public internet.

Internal MISP references

UUID 6c6052f7-3d6b-503b-99b2-8c32e0ed44cf which can be used as unique global reference for AZT103 - Public Accessible Resource in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT103
kill_chain ['ATRM-tactics:Reconnaissance']

AZT104 - Gather User Information

An adversary may obtain information about a User within Azure Active Directory. Details may include email addresses, first/last names, job information, addresses, and assigned roles. By default, all users are able to read other users' roles and group memberships within AAD.

Internal MISP references

UUID df3fd847-3947-5ffa-9fc1-3482575a0796 which can be used as unique global reference for AZT104 - Gather User Information in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT104
kill_chain ['ATRM-tactics:Reconnaissance']

AZT105 - Gather Application Information

An adversary may obtain information about an application within Azure Active Directory.

Internal MISP references

UUID 9a3ef449-a40d-5f65-bbc1-1170dea045d5 which can be used as unique global reference for AZT105 - Gather Application Information in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT105
kill_chain ['ATRM-tactics:Reconnaissance']

AZT106 - Gather Role Information

An adversary may obtain information about a role within Azure Active Directory or within Azure Resource Manager.

Internal MISP references

UUID ce93d401-b5aa-55f2-942a-d06541dac19a which can be used as unique global reference for AZT106 - Gather Role Information in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT106
kill_chain ['ATRM-tactics:Reconnaissance']

AZT106.1 - Gather AAD Role Information

An adversary may gather role assignments within Azure Active Directory.

Internal MISP references

UUID b8fc3465-e7d8-5615-a625-f1835d3c313e which can be used as unique global reference for AZT106.1 - Gather AAD Role Information in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT106.1
kill_chain ['ATRM-tactics:Reconnaissance']

AZT106.2 - Gather Application Role Information

An adversary may gather information about an application role & its member assignments within Azure Active Directory.

Internal MISP references

UUID 641e1474-3fa2-5851-9c5b-35bac592825e which can be used as unique global reference for AZT106.2 - Gather Application Role Information in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT106.2
kill_chain ['ATRM-tactics:Reconnaissance']

AZT106.3 - Gather Azure Resources Role Assignments

An adversary may gather role assignments for a specific Azure Resource, Resource Group, or Subscription.

Internal MISP references

UUID 12374642-bb8b-5339-ae75-093390894e98 which can be used as unique global reference for AZT106.3 - Gather Azure Resources Role Assignments in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT106.3
kill_chain ['ATRM-tactics:Reconnaissance']

AZT107 - Gather Resource Data

An adversary may obtain information and data within a resource.

Internal MISP references

UUID 41439ad7-9877-532a-a289-3fff16707deb which can be used as unique global reference for AZT107 - Gather Resource Data in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT107
kill_chain ['ATRM-tactics:Reconnaissance']

AZT108 - Gather Victim Data

An adversary may access a user's personal data if their account is compromised. This includes data such as email, OneDrive, Teams, etc.

Internal MISP references

UUID 08444afe-88de-50a9-8396-c9ca035afc22 which can be used as unique global reference for AZT108 - Gather Victim Data in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT108
kill_chain ['ATRM-tactics:Reconnaissance']

AZT201 - Valid Credentials

Adversaries may log in to AzureAD using valid credentials. By logging in with valid credentials to an account or service principal, the adversary will assume all privileges of that account or service principal. If the account is privileged, this may lead to other tactics, such as persistence or privilege escalation.

Internal MISP references

UUID 6ac38262-72d7-52a9-b450-a493ae97c7b4 which can be used as unique global reference for AZT201 - Valid Credentials in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT201
kill_chain ['ATRM-tactics:Initial Access', 'ATRM-tactics:Privilege Escalation', 'ATRM-tactics:Persistence']

AZT201.1 - User Account

By obtaining valid user credentials, an adversary may log in to AzureAD via command line or through the Azure Portal.

Internal MISP references

UUID 6782f12a-7221-5a47-9aae-5eef4e030a02 which can be used as unique global reference for AZT201.1 - User Account in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT201.1
kill_chain ['ATRM-tactics:Initial Access']

AZT201.2 - Service Principal

By obtaining a valid secret or certificate, an adversary may log in to AzureAD via command line.

Internal MISP references

UUID 30478a5c-82fc-5172-8129-0ece37005762 which can be used as unique global reference for AZT201.2 - Service Principal in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT201.2
kill_chain ['ATRM-tactics:Initial Access']

AZT202 - Password Spraying

An adversary may potentially gain access to AzureAD by guessing a common password for multiple users.

Internal MISP references

UUID fab95406-0d7c-5239-bb94-38e1ca52a70a which can be used as unique global reference for AZT202 - Password Spraying in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT202
kill_chain ['ATRM-tactics:Initial Access']

AZT203 - Malicious Application Consent

An adversary may lure a victim into giving their access to a malicious application registered in AzureAD.

Internal MISP references

UUID 8a01a6ea-9fbb-518b-bae0-bafc27a54966 which can be used as unique global reference for AZT203 - Malicious Application Consent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT203
kill_chain ['ATRM-tactics:Initial Access']

AZT301 - Virtual Machine Scripting

Adversaries may abuse access to virtual machines by executing a script through various methods in order to gain access to the Virtual Machine.

Internal MISP references

UUID ac69d8a0-d616-5580-95a5-5abef15c8b81 which can be used as unique global reference for AZT301 - Virtual Machine Scripting in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT301
kill_chain ['ATRM-tactics:Execution']

AZT301.1 - RunCommand

By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass commands to the VM. On Windows: PowerShell commands to the VM as SYSTEM. On Linux: shell commands to the VM as root.

Internal MISP references

UUID 9369194c-c4d6-5df4-aab1-93c1b3c631c2 which can be used as unique global reference for AZT301.1 - RunCommand in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT301.1
kill_chain ['ATRM-tactics:Execution']

AZT301.2 - CustomScriptExtension

By utilizing the 'CustomScriptExtension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.

Internal MISP references

UUID 04ee0b6c-40dd-5e71-8825-b4ac9acdb0de which can be used as unique global reference for AZT301.2 - CustomScriptExtension in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT301.2
kill_chain ['ATRM-tactics:Execution']

AZT301.3 - Desired State Configuration

By utilizing the 'Desired State Configuration' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.

Internal MISP references

UUID 40233909-2e71-5884-95e6-79b2a06ffa46 which can be used as unique global reference for AZT301.3 - Desired State Configuration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT301.3
kill_chain ['ATRM-tactics:Execution']

AZT301.4 - Compute Gallery Application

By utilizing Compute Gallery Applications, an attacker can pass MS-DOS or PowerShell commands to the VM as SYSTEM.

Internal MISP references

UUID 74db1f38-d26b-576b-abac-b6b2ca53bcc8 which can be used as unique global reference for AZT301.4 - Compute Gallery Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT301.4
kill_chain ['ATRM-tactics:Execution']

AZT301.5 - AKS Command Invoke

By utilizing 'command invoke' on an Azure Kubernetes Service (AKS) cluster, an attacker can pass commands to the cluster's VM as SYSTEM.

Internal MISP references

UUID dd442218-8ee7-5601-9fae-9d5ab16fcf62 which can be used as unique global reference for AZT301.5 - AKS Command Invoke in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT301.5
kill_chain ['ATRM-tactics:Execution']

AZT301.6 - Vmss Run Command

By utilizing the 'RunCommand' feature on a virtual machine scale set (Vmss), an attacker can execute a command on an instance or instances of VMs. On Windows: PowerShell commands to the VM as SYSTEM. On Linux: shell commands to the VM as root.

Internal MISP references

UUID 6d141243-f440-54bb-9de3-81b65a01faf4 which can be used as unique global reference for AZT301.6 - Vmss Run Command in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT301.6
kill_chain ['ATRM-tactics:Execution']

AZT301.7 - Serial Console

By utilizing the serial console feature on an Azure Virtual Machine, an adversary can pass arbitrary commands.

Internal MISP references

UUID b2f70558-6986-5dab-9a49-55fa5a1212bb which can be used as unique global reference for AZT301.7 - Serial Console in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT301.7
kill_chain ['ATRM-tactics:Execution']

AZT302 - Serverless Scripting

Adversaries may abuse access to serverless resources that are able to execute PowerShell or Python scripts on an Azure resource.

Internal MISP references

UUID 5ff07106-9f9e-5e52-9513-ccc856ea295a which can be used as unique global reference for AZT302 - Serverless Scripting in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT302
kill_chain ['ATRM-tactics:Execution']

AZT302.1 - Automation Account Runbook Hybrid Worker Group

By utilizing an Automation Account configured with a Hybrid Worker Group, an attacker can execute Azure commands on any Azure VM within that Hybrid Worker Group.

Internal MISP references

UUID 0b61dd42-24af-586a-b910-9c780c12d92a which can be used as unique global reference for AZT302.1 - Automation Account Runbook Hybrid Worker Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT302.1
kill_chain ['ATRM-tactics:Execution']

AZT302.2 - Automation Account Runbook RunAs Account

By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges.

Internal MISP references

UUID 21851b3a-6fd8-563a-8a51-f8ec44313879 which can be used as unique global reference for AZT302.2 - Automation Account Runbook RunAs Account in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT302.2
kill_chain ['ATRM-tactics:Execution']

AZT302.3 - Automation Account Runbook Managed Identity

By utilizing an Automation Account configured with a Managed Identity, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges.

Internal MISP references

UUID 69c9faf8-2f97-5be1-ac7c-446593e88089 which can be used as unique global reference for AZT302.3 - Automation Account Runbook Managed Identity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT302.3
kill_chain ['ATRM-tactics:Execution']

AZT302.4 - Function Application

By utilizing a Function Application, an attacker can execute Azure operations on a given resource.

Internal MISP references

UUID b38b17be-7adc-529d-8f75-378d5e298f5f which can be used as unique global reference for AZT302.4 - Function Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT302.4
kill_chain ['ATRM-tactics:Execution']

AZT303 - Managed Device Scripting

Adversaries may abuse access to any managed devices in AzureAD by executing PowerShell or Python scripts on them.

Internal MISP references

UUID 5f103828-8662-50b7-a7b3-faa546194729 which can be used as unique global reference for AZT303 - Managed Device Scripting in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT303
kill_chain ['ATRM-tactics:Execution']

AZT401 - Privileged Identity Management Role

An adversary may escalate their privileges if their current account is eligible for role activation via Privileged Identity Management (PIM).

Internal MISP references

UUID 74deaa24-30f1-5642-a1e1-44c8cbea46a7 which can be used as unique global reference for AZT401 - Privileged Identity Management Role in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT401
kill_chain ['ATRM-tactics:Privilege Escalation']

AZT402 - Elevated Access Toggle

An adversary may escalate their privileges from Azure AD to all Azure subscriptions in the tenant if they are a global administrator.

Internal MISP references

UUID f264fd49-c9a1-5ada-ba42-b59cb609d656 which can be used as unique global reference for AZT402 - Elevated Access Toggle in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT402
kill_chain ['ATRM-tactics:Privilege Escalation']

AZT403 - Local Resource Hijack

By modifying the .bashrc file in a CloudShell .IMG file, an adversary may escalate their privileges by injecting commands that will add an arbitrary user account to a desired role and scope.

Internal MISP references

UUID 9c190f8f-3ec2-5d7c-b19d-a8f5d40d826e which can be used as unique global reference for AZT403 - Local Resource Hijack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT403
kill_chain ['ATRM-tactics:Privilege Escalation']

AZT404 - Principal Impersonation

Adversaries may abuse resources that are configured with a service principal or other identity to further their access to the current or other resources.

Internal MISP references

UUID adeea4ca-8ff0-5159-815d-4bd53b0d1877 which can be used as unique global reference for AZT404 - Principal Impersonation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT404
kill_chain ['ATRM-tactics:Privilege Escalation']

AZT404.1 - Function Application

By utilizing a Function Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.

Internal MISP references

UUID 7ed04b40-029b-5eb0-8c3d-e021f47e6bfa which can be used as unique global reference for AZT404.1 - Function Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT404.1
kill_chain ['ATRM-tactics:Privilege Escalation']

AZT404.2 - Logic Application

By utilizing a Logic Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.

Internal MISP references

UUID a7bf6734-eae0-53d0-8356-be438c3909eb which can be used as unique global reference for AZT404.2 - Logic Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT404.2
kill_chain ['ATRM-tactics:Privilege Escalation']

AZT404.3 - Automation Account

By utilizing a Function Application, an attacker can execute Azure operations on a given resource.

Internal MISP references

UUID d1694a7f-8497-5ce6-b426-b65728778bc2 which can be used as unique global reference for AZT404.3 - Automation Account in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT404.3
kill_chain ['ATRM-tactics:Privilege Escalation']

AZT404.4 - App Service

By utilizing an App Service configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.

Internal MISP references

UUID a69ea209-9156-5cfd-8190-c8e7c0d667bc which can be used as unique global reference for AZT404.4 - App Service in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT404.4
kill_chain ['ATRM-tactics:Privilege Escalation']

AZT405 - Azure AD Application

Adversaries may abuse the assigned permissions on an Azure AD Application to escalate their privileges.

Internal MISP references

UUID 67271cac-5189-56b2-86e3-a40879107eca which can be used as unique global reference for AZT405 - Azure AD Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT405
kill_chain ['ATRM-tactics:Privilege Escalation']

AZT405.1 - Application API Permissions

By compromising a user, user in a group, or service principal that has an application role over an application, an adversary may be able to escalate their privileges by impersonating the associated service principal and leveraging any privileged assigned application role.

Internal MISP references

UUID f46e3cf1-d5d4-540e-b96d-d46ca6c092b9 which can be used as unique global reference for AZT405.1 - Application API Permissions in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT405.1
kill_chain ['ATRM-tactics:Privilege Escalation']

AZT405.2 - Application Role

By compromising a service principal whose application has privileged API permissions, an attacker can escalate their privileges to a higher privileged role.

Internal MISP references

UUID b00aa43b-033e-5c73-a558-adaf16391169 which can be used as unique global reference for AZT405.2 - Application Role in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT405.2
kill_chain ['ATRM-tactics:Privilege Escalation']

AZT405.3 - Application Registration Owner

By compromising an account that is an 'Owner' over an application that is configured with additional roles or API permissions, an attacker can escalate their privileges by adding a certificate or credentials & logging in as the service principal.

Internal MISP references

UUID c9012720-805b-5765-bb19-117b8844fff7 which can be used as unique global reference for AZT405.3 - Application Registration Owner in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT405.3
kill_chain ['ATRM-tactics:Privilege Escalation']

AZT501 - Account Manipulation

An adversary may manipulate an account to maintain access in an Azure tenant.

Internal MISP references

UUID 63bdb79b-02b5-53f5-84cd-7af94c28b5f8 which can be used as unique global reference for AZT501 - Account Manipulation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT501
kill_chain ['ATRM-tactics:Persistence']

AZT501.1 - User Account Manipulation

An adversary may manipulate a user account to maintain access in an Azure tenant.

Internal MISP references

UUID 76b94161-b0c4-58e9-8f2e-38c53e72af71 which can be used as unique global reference for AZT501.1 - User Account Manipulation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT501.1
kill_chain ['ATRM-tactics:Persistence']

AZT501.2 - Service Principal Manipulation

An adversary may manipulate a service principal to maintain access in an Azure tenant.

Internal MISP references

UUID 011f820f-cb51-5118-b491-6b533f907c64 which can be used as unique global reference for AZT501.2 - Service Principal Manipulation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT501.2
kill_chain ['ATRM-tactics:Persistence']

AZT501.3 - Azure VM Local Administrator Manipulation

An adversary may manipulate the local admin account on an Azure VM.

Internal MISP references

UUID a9e76b8d-9a2e-5635-8d31-2f2782f1b4b1 which can be used as unique global reference for AZT501.3 - Azure VM Local Administrator Manipulation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT501.3
kill_chain ['ATRM-tactics:Persistence']

AZT502 - Account Creation

An adversary may create an account in Azure Active Directory.

Internal MISP references

UUID c3e571e8-9893-5e3c-ac6b-cd2cfdf353b7 which can be used as unique global reference for AZT502 - Account Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT502
kill_chain ['ATRM-tactics:Persistence']

AZT502.1 - User Account Creation

An adversary may create an application & service principal in Azure Active Directory.

Internal MISP references

UUID abfc6aa3-2201-5c2b-8c23-ac50a918d692 which can be used as unique global reference for AZT502.1 - User Account Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT502.1
kill_chain ['ATRM-tactics:Persistence']

AZT502.2 - Service Principal Creation

An adversary may create an application & service principal in Azure Active Directory.

Internal MISP references

UUID fa999394-eadd-550a-8d47-50cdc65abe9a which can be used as unique global reference for AZT502.2 - Service Principal Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT502.2
kill_chain ['ATRM-tactics:Persistence']

AZT502.3 - Guest Account Creation

An adversary may create a guest account in Azure Active Directory.

Internal MISP references

UUID 9f28935a-4eba-55bf-8f02-93ec6479bd31 which can be used as unique global reference for AZT502.3 - Guest Account Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT502.3
kill_chain ['ATRM-tactics:Persistence']

AZT503 - HTTP Trigger

Adversaries may configure a resource with an HTTP trigger to run commands without needing authentication.

Internal MISP references

UUID fbdebeff-4c97-5576-8ca1-edc008c8d6f0 which can be used as unique global reference for AZT503 - HTTP Trigger in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT503
kill_chain ['ATRM-tactics:Persistence']

AZT503.1 - Logic Application HTTP Trigger

Adversaries may configure a Logic Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.

Internal MISP references

UUID a540c588-a229-5f06-8e55-aa9936d48d29 which can be used as unique global reference for AZT503.1 - Logic Application HTTP Trigger in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT503.1
kill_chain ['ATRM-tactics:Persistence']

AZT503.2 - Function App HTTP Trigger

Adversaries may configure a Function Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.

Internal MISP references

UUID 6e223830-9497-5d9d-9e64-2349d8fd7da3 which can be used as unique global reference for AZT503.2 - Function App HTTP Trigger in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT503.2
kill_chain ['ATRM-tactics:Persistence']

AZT503.3 - Runbook Webhook

Adversaries may create a webhook to a Runbook which allows unauthenticated access into an Azure subscription or tenant.

Internal MISP references

UUID efe38e61-5580-5b23-b947-f93dfc1c6e1b which can be used as unique global reference for AZT503.3 - Runbook Webhook in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT503.3
kill_chain ['ATRM-tactics:Persistence']

AZT503.4 - WebJob

Adversaries may create a WebJob on an App Service which allows arbitrary background tasks to be run on a set schedule.

Internal MISP references

UUID 3b5e2af6-1e38-562b-8969-048ad7a75262 which can be used as unique global reference for AZT503.4 - WebJob in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT503.4
kill_chain ['ATRM-tactics:Persistence']

AZT504 - Watcher Tasks

By configuring a watcher task and a Runbook, an adversary can establish persistence by executing the Runbook on a triggered event.

Internal MISP references

UUID 94a052a1-83aa-588c-9d8e-1269e7e9eecf which can be used as unique global reference for AZT504 - Watcher Tasks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT504
kill_chain ['ATRM-tactics:Persistence']

AZT505 - Scheduled Jobs

Adversaries may create a schedule for a Runbook to run at a defined interval.

Internal MISP references

UUID 4818f3d9-39ae-58ba-8e3c-c38610473435 which can be used as unique global reference for AZT505 - Scheduled Jobs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT505
kill_chain ['ATRM-tactics:Persistence']

AZT506 - Network Security Group Modification

Adversaries can modify the rules in a Network Security Group to establish access over additional ports.

Internal MISP references

UUID b611390f-01b1-5043-8abd-0f37a1edcb14 which can be used as unique global reference for AZT506 - Network Security Group Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT506
kill_chain ['ATRM-tactics:Persistence']

AZT507 - External Entity Access

Adversaries may configure the target Azure tenant to be managed by another, external tenant, or its users.

Internal MISP references

UUID 1a35a003-3f49-560d-a54a-8acfbf203b97 which can be used as unique global reference for AZT507 - External Entity Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT507
kill_chain ['ATRM-tactics:Persistence']

AZT507.1 - Azure Lighthouse

Adversaries may utilize Azure Lighthouse to manage the target tenant from an external tenant.

Internal MISP references

UUID dc904434-aac2-5509-8ecf-7ef7d1b22c28 which can be used as unique global reference for AZT507.1 - Azure Lighthouse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT507.1
kill_chain ['ATRM-tactics:Persistence']

AZT507.2 - Microsoft Partners

Adversaries may use Delegated Administrative Privileges to give themselves administrator access to the target tenant.

Internal MISP references

UUID 5f12fafa-7f63-5066-968c-d5d82d292623 which can be used as unique global reference for AZT507.2 - Microsoft Partners in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT507.2
kill_chain ['ATRM-tactics:Persistence']

AZT507.3 - Subscription Hijack

An adversary may transfer a subscription from a target tenant to an attacker-controlled tenant. This retains the billing account set up by the target, and the target tenant administrators will no longer have control over the subscription.

Internal MISP references

UUID bcaad79d-3751-569b-97cc-cc21605a83bd which can be used as unique global reference for AZT507.3 - Subscription Hijack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT507.3
kill_chain ['ATRM-tactics:Persistence']

AZT507.4 - Domain Trust Modification

An adversary may add an additional identity provider or domain to maintain a backdoor into the tenant.

Internal MISP references

UUID 0c19e4bf-39f4-577e-a722-af289cbe594e which can be used as unique global reference for AZT507.4 - Domain Trust Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT507.4
kill_chain ['ATRM-tactics:Persistence']

AZT508 - Azure Policy

By configuring a policy with the 'DeployIfNotExists' definition, an adversary may establish persistence by creating a backdoor when the policy is triggered.

Internal MISP references

UUID 3f56cce5-bfd6-5cde-8e64-8142fcce23f4 which can be used as unique global reference for AZT508 - Azure Policy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT508
kill_chain ['ATRM-tactics:Persistence']

AZT601 - Steal Managed Identity JsonWebToken

An adversary may utilize the resource's functionality to obtain a JWT for the applied Managed Identity Service Principal account.

Internal MISP references

UUID 8c2dea2c-2bfd-53b0-aca5-1e6d3bf4b369 which can be used as unique global reference for AZT601 - Steal Managed Identity JsonWebToken in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT601
kill_chain ['ATRM-tactics:Credential Access']

AZT601.1 - Virtual Machine IMDS Request

By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an Azure VM if they have access to execute commands on the system.

Internal MISP references

UUID e11c90b6-eba6-5f5a-93f6-7c7de1bdd104 which can be used as unique global reference for AZT601.1 - Virtual Machine IMDS Request in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT601.1
kill_chain ['ATRM-tactics:Credential Access']

AZT601.2 - Azure Kubernetes Service IMDS Request

By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an AKS Cluster if they have access to execute commands on the system.

Internal MISP references

UUID 6c8935d7-037d-568d-86a6-2eeadf5ca385 which can be used as unique global reference for AZT601.2 - Azure Kubernetes Service IMDS Request in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT601.2
kill_chain ['ATRM-tactics:Credential Access']

AZT601.3 - Logic Application JWT PUT Request

If a Logic App is using a Managed Identity, an adversary can modify the logic to make an HTTP POST request to reveal the Managed Identity's JWT.

Internal MISP references

UUID 36c2bbe2-07b7-5601-ae4a-0657a1c75895 which can be used as unique global reference for AZT601.3 - Logic Application JWT PUT Request in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT601.3
kill_chain ['ATRM-tactics:Credential Access']

AZT601.4 - Function Application JWT GET Request

If a Function App is using a Managed Identity, an adversary can modify the logic to respond to an HTTP GET request to reveal the Managed Identity's JWT.

Internal MISP references

UUID c64f2172-0dc5-5061-8128-c6c1fc59d3b3 which can be used as unique global reference for AZT601.4 - Function Application JWT GET Request in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT601.4
kill_chain ['ATRM-tactics:Credential Access']

AZT601.5 - Automation Account Runbook

If an Automation Account is using a Managed Identity, an adversary can create a Runbook to request the Managed Identity's JWT.

Internal MISP references

UUID d369c182-37cb-55dd-bb0d-af57d277c051 which can be used as unique global reference for AZT601.5 - Automation Account Runbook in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT601.5
kill_chain ['ATRM-tactics:Credential Access']

AZT602 - Steal Service Principal Certificate

If a Runbook is utilizing a 'RunAs' account, then an adversary may manipulate the Runbook to reveal the certificate the Service Principal is using for authentication.

Internal MISP references

UUID 027b05da-cabb-507c-a4b5-3a6c73859390 which can be used as unique global reference for AZT602 - Steal Service Principal Certificate in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT602
kill_chain ['ATRM-tactics:Credential Access']

AZT603 - Service Principal Secret Reveal

If a Function App is using a service principal for authentication, an adversary may manipulate the function app logic to reveal the service principal's secret in plain text.

Internal MISP references

UUID 84639ccb-77a5-532f-bdac-a9d347d92304 which can be used as unique global reference for AZT603 - Service Principal Secret Reveal in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT603
kill_chain ['ATRM-tactics:Credential Access']

AZT604 - Azure KeyVault Dumping

An adversary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.

Internal MISP references

UUID a23579ef-ddd3-5370-a2aa-2651f93b27d7 which can be used as unique global reference for AZT604 - Azure KeyVault Dumping in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT604
kill_chain ['ATRM-tactics:Credential Access']

AZT604.1 - Azure KeyVault Secret Dump

By accessing an Azure Key Vault, an adversary may dump any or all secrets.

Internal MISP references

UUID cfcf7adc-3842-5186-9e6a-d595bcea09f7 which can be used as unique global reference for AZT604.1 - Azure KeyVault Secret Dump in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT604.1
kill_chain ['ATRM-tactics:Credential Access']

AZT604.2 - Azure KeyVault Certificate Dump

By accessing an Azure Key Vault, an adversary may dump any or all certificates.

Internal MISP references

UUID 05e20b61-81d2-5b29-a7db-2ec6e84eae7e which can be used as unique global reference for AZT604.2 - Azure KeyVault Certificate Dump in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT604.2
kill_chain ['ATRM-tactics:Credential Access']

AZT604.3 - Azure KeyVault Key Dump

By accessing an Azure Key Vault, an adversary may dump any or all public keys. Note that private keys cannot be retrieved.

Internal MISP references

UUID 06ec5785-88db-51c1-88f3-f0e6eed32830 which can be used as unique global reference for AZT604.3 - Azure KeyVault Key Dump in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT604.3
kill_chain ['ATRM-tactics:Credential Access']

AZT605 - Resource Secret Reveal

An adversary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.

Internal MISP references

UUID ecc40a2a-a85d-5e60-9e21-dffe6d07d85f which can be used as unique global reference for AZT605 - Resource Secret Reveal in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT605
kill_chain ['ATRM-tactics:Credential Access']

AZT605.1 - Storage Account Access Key Dumping

By accessing a Storage Account, an adversary may dump access keys pertaining to the Storage Account, which will give them full access to the Storage Account.

Internal MISP references

UUID 4c22fbc1-60b0-5f4a-af4f-8fc32edcfe8a which can be used as unique global reference for AZT605.1 - Storage Account Access Key Dumping in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT605.1
kill_chain ['ATRM-tactics:Credential Access']

AZT605.2 - Automation Account Credential Secret Dump

By editing a Runbook, a credential configured in an Automation Account may be revealed.

Internal MISP references

UUID 49ec3f4e-7185-5e89-9ac0-3b5b0547f7bd which can be used as unique global reference for AZT605.2 - Automation Account Credential Secret Dump in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT605.2
kill_chain ['ATRM-tactics:Credential Access']

AZT605.3 - Resource Group Deployment History Secret Dump

By accessing deployment history of a Resource Group, secrets used in the ARM template may be revealed.

Internal MISP references

UUID 12c8ab19-5265-5ae3-8f16-bf35bc41f94e which can be used as unique global reference for AZT605.3 - Resource Group Deployment History Secret Dump in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT605.3
kill_chain ['ATRM-tactics:Credential Access']

AZT701 - SAS URI Generation

By generating an SAS URI for a resource, an adversary may extract the contents of that resource without authentication at any time.

Internal MISP references

UUID 9ca7b25c-643a-5e55-a210-684f49fe82d8 which can be used as unique global reference for AZT701 - SAS URI Generation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT701
kill_chain ['ATRM-tactics:Impact']

AZT701.1 - VM Disk SAS URI

An adversary may create an SAS URI to download the disk attached to a virtual machine.

Internal MISP references

UUID 8805d880-8887-52b6-a113-8c0f4fec4230 which can be used as unique global reference for AZT701.1 - VM Disk SAS URI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT701.1
kill_chain ['ATRM-tactics:Impact']

AZT701.2 - Storage Account File Share SAS

By generating a Shared Access Signature (SAS) URI, an adversary can access a container in a Storage Account at any time.

Internal MISP references

UUID aae55a3a-8e32-5a62-8d41-837b2ebb1e69 which can be used as unique global reference for AZT701.2 - Storage Account File Share SAS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT701.2
kill_chain ['ATRM-tactics:Impact']

AZT702 - File Share Mounting

An adversary can generate a connection string to mount an Azure Storage Account File Share as an NFS or SMB share to their local machine.

Internal MISP references

UUID dc6f9ee0-55b2-5197-87a5-7474cfc04d72 which can be used as unique global reference for AZT702 - File Share Mounting in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT702
kill_chain ['ATRM-tactics:Impact']

AZT703 - Replication

Internal MISP references

UUID ff4276bf-ab9e-5157-a171-5cdd4a3e6002 which can be used as unique global reference for AZT703 - Replication in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT703
kill_chain ['ATRM-tactics:Impact']

AZT704 - Soft-Delete Recovery

An adversary may leverage resources found in a 'soft deletion' state, restore them, and advance their attack by retrieving contents meant to be deleted.

Internal MISP references

UUID 47ded49d-ef4c-57d4-8050-f66f884c4388 which can be used as unique global reference for AZT704 - Soft-Delete Recovery in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT704
kill_chain ['ATRM-tactics:Impact']

AZT704.1 - Key Vault

An adversary may recover a key vault object found in a 'soft deletion' state.

Internal MISP references

UUID d8fc76f2-6776-5a09-bfb3-57852ae1d786 which can be used as unique global reference for AZT704.1 - Key Vault in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT704.1
kill_chain ['ATRM-tactics:Impact']

AZT704.2 - Storage Account Object

An adversary may recover a storage account object found in a 'soft deletion' state.

Internal MISP references

UUID cd9f0082-b2c7-53f8-95a6-a4fe746f973e which can be used as unique global reference for AZT704.2 - Storage Account Object in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT704.2
kill_chain ['ATRM-tactics:Impact']

AZT704.3 - Recovery Services Vault

An adversary may recover a virtual machine object found in a 'soft deletion' state.

Internal MISP references

UUID d333405e-af82-555c-a68f-e723878b5f55 which can be used as unique global reference for AZT704.3 - Recovery Services Vault in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT704.3
kill_chain ['ATRM-tactics:Impact']

AZT705 - Azure Backup Delete

An adversary may recover a virtual machine object found in a 'soft deletion' state.

Internal MISP references

UUID 9d181c95-ccf7-5c94-8f4a-f6a2df62d760 which can be used as unique global reference for AZT705 - Azure Backup Delete in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AZT705
kill_chain ['ATRM-tactics:Impact']