{ "type": "bundle", "id": "bundle--13497c17-0403-43db-af6e-734a70193641", "objects": [ { "type": "x-mitre-collection", "spec_version": "2.1", "id": "x-mitre-collection--6aaadb00-2dbf-450a-a3e8-d4c6c5309639", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T17:49:20.000Z", "modified": "2024-05-08T16:40:24.46637Z", "name": "Azure Threat Research Matrix", "description": "The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_contents": [ { "object_ref": "x-mitre-tactic--467446fb-ffef-4171-a753-672f71b90bf1", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "x-mitre-tactic--f7b60851-228c-4eb9-b8ec-dbc78ca17b00", "object_modified": "2024-02-04T23:05:59.000Z" }, { "object_ref": "x-mitre-tactic--cd6f8a9e-610b-4dbd-a043-b362ad9e838d", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "x-mitre-tactic--cddfc9a2-bc7d-496c-9a45-2d8a7c5931ef", "object_modified": "2024-02-04T23:05:59.000Z" }, { "object_ref": "x-mitre-tactic--f22aa093-be62-4f85-9400-51ebbacb0465", "object_modified": "2024-02-04T23:05:59.000Z" }, { "object_ref": "x-mitre-tactic--67fe57e8-d611-428d-809f-3bb6cc658b27", "object_modified": "2024-02-04T23:05:59.000Z" }, { "object_ref": "x-mitre-tactic--1186c3fa-50bd-4ecf-985f-e1d4ec838597", "object_modified": "2024-02-04T23:05:59.000Z" }, { "object_ref": "attack-pattern--b37be322-071d-4cf4-a3e4-58ccbbde0651", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "attack-pattern--245ab752-440d-4dea-bf7d-da2b74f973b9", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "attack-pattern--d4e07f5a-be7e-4679-9972-82c856ab962b", "object_modified": 
"2022-07-29T18:07:09.000Z" }, { "object_ref": "attack-pattern--4a80d9ca-2d8d-430d-bfc8-fe33d96b88db", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "attack-pattern--d008ea05-fa05-4ad0-8bf0-dc558aab5b61", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "attack-pattern--eb7e756f-48d6-4b4e-9690-2fcaf1832a61", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "attack-pattern--c30c8a90-4233-4b2e-8958-9babd82c5c44", "object_modified": "2024-02-04T23:05:59.000Z" }, { "object_ref": "attack-pattern--68b8f6f6-de3d-45c5-a3e9-2b2d7582c56d", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--17205c36-7049-4adb-95ef-b8fe975cc8a6", "object_modified": "2024-02-04T23:05:59.000Z" }, { "object_ref": "attack-pattern--3f9cb872-3eda-438e-a00f-8c51810c8c09", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--5b12e0bb-8afb-41ae-905e-4672d5c843d3", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "attack-pattern--28e4d596-ec98-4388-a84c-7e96c8e20971", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "attack-pattern--2a44f2b6-6a81-433c-949b-cb0b31498597", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--5caa2813-1c7c-4369-bc0e-822ea3b1efe8", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--39df1e22-763b-4eec-8b05-dcc8b063b9a0", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "attack-pattern--3b276a89-8c5e-41a0-ad12-e1267cb80905", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--2b01e017-6833-45b4-9e8e-20d1c9d057e9", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--1185f52e-b6e8-4d28-a0bc-b537d444cb02", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--22de8bda-0779-43ea-aa80-b13c350b10d4", "object_modified": "2023-06-20T15:00:42.000Z" }, { "object_ref": 
"attack-pattern--a10f9420-bfb2-45a0-88d5-f8bb531e7d86", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "attack-pattern--2b66fdb9-8172-4170-9a9e-2f19a2e5e872", "object_modified": "2023-06-12T03:33:04.000Z" }, { "object_ref": "attack-pattern--023ef082-9c29-4f35-9272-afd9e8b4b5a7", "object_modified": "2023-06-12T03:33:04.000Z" }, { "object_ref": "attack-pattern--1a0cb6f2-1b7b-486a-a1e0-f0d0ef9ded9f", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--3e326ae2-bfb0-4356-94e9-5a6e5f879499", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--1b97df8e-02d8-46d1-adf6-77f64da597aa", "object_modified": "2023-06-12T03:33:04.000Z" }, { "object_ref": "attack-pattern--a13033cd-44e7-458e-b224-2c2845989aa3", "object_modified": "2024-02-04T22:12:32.000Z" }, { "object_ref": "attack-pattern--f0b13df7-5413-407e-a4d5-da818e6076b8", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--c04cc82a-43f7-42af-8af9-ca68f98c41a6", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "attack-pattern--5516905e-6245-4fd9-a5e7-1895d08abeeb", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--66df50e7-0cad-496d-8f41-ff3f8968b13d", "object_modified": "2023-06-12T03:33:04.000Z" }, { "object_ref": "attack-pattern--7ac3a13d-9942-4024-9059-c01159ebbcf2", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--7e0ed059-1a34-4b94-85c1-63ad500c7540", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--f54ef0fa-5aeb-4e79-8feb-be322dd70276", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--a35935c7-b634-4850-8d06-975abd071bc9", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "attack-pattern--d769bc8e-7435-4eb4-84c6-28b8ee04d992", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--8fc6ab58-2df3-416b-80a1-0981de6193d3", 
"object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--57bc72ed-f2c3-4cb3-8e65-32b48c4aee4e", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--d1eab55d-abe6-4c51-8f40-c1e33d7073ab", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--df563b0f-982f-484b-9815-f6dc5f576c54", "object_modified": "2024-02-04T23:05:59.000Z" }, { "object_ref": "attack-pattern--2c934711-c17e-4656-a2a6-9b234b4b3da2", "object_modified": "2023-06-12T03:33:04.000Z" }, { "object_ref": "attack-pattern--f0084736-a06d-4abc-9a7d-c4b7ce4deb6b", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--49fef13f-f32b-4921-8954-ea2583d2d1c0", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "attack-pattern--15985050-354f-4451-a37f-c65702519236", "object_modified": "2023-06-12T03:25:08.000Z" }, { "object_ref": "attack-pattern--a6b33d81-9171-40e4-b69b-520f9bf2d3f0", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--c385f414-7beb-4afd-a98b-6cf06be57952", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--b252a6b8-98b2-4661-86bd-d0195dca0d06", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--7e5a1d29-de9c-4815-a7c6-1dcd85426063", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--1a8a7025-e0e0-40e7-bffa-8a43800a8c2d", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "attack-pattern--b64f3fef-9e49-4ae9-9491-86969c146584", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--8086013b-43e7-4c10-9b7b-f1e37e218285", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--b2973dea-b075-4ba8-9d5a-00bc59f74854", "object_modified": "2024-02-04T23:05:59.000Z" }, { "object_ref": "attack-pattern--3fa17565-09b3-4e6f-a26e-991585a4ffa4", "object_modified": "2023-06-12T03:27:03.000Z" }, { 
"object_ref": "attack-pattern--c7beca4f-74b7-48d0-b2a0-f723e0f984ed", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--e1af424a-0030-46c5-b276-4ce3febb67fc", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--2e583c50-a05f-4ebf-8d30-b62441eeadb2", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "attack-pattern--29fb344c-bfdf-4f2b-bafb-b094622d5195", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--e730f8d7-9188-4641-9036-40060610dae9", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--fea6dbf6-00da-4251-985c-3cb72df04ac4", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--c093de82-06d4-4c44-adfa-41bd6d17890f", "object_modified": "2024-02-04T22:12:32.000Z" }, { "object_ref": "attack-pattern--79c9715a-99c2-4498-a9e4-d91fbe9c1db9", "object_modified": "2022-08-18T19:04:59.000Z" }, { "object_ref": "attack-pattern--accdf079-d8e0-4cd2-b30d-4b2423bcbbf2", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--4120d712-becb-4525-8281-b79d799e8b11", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--92feebf8-823d-49cb-807e-3c45bdb3edde", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--0af2f022-bbf3-4168-9570-4fe884e440ee", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "attack-pattern--fbfa6881-a615-4863-910e-ee44464ec8e9", "object_modified": "2023-06-12T03:33:04.000Z" }, { "object_ref": "attack-pattern--c145f009-cd7d-407c-81d7-05f46bf6b8a8", "object_modified": "2023-06-12T03:33:04.000Z" }, { "object_ref": "attack-pattern--f1de0b16-286f-45f2-9e01-558e4e2fa4d9", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": "attack-pattern--7ce417b0-82d6-40af-821c-50afd52ab2a1", "object_modified": "2023-06-12T03:27:03.000Z" }, { "object_ref": 
"attack-pattern--18dfc361-e77b-469a-ae83-dff3e0eb57e9", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--b7add753-c3ca-409b-b244-7ccf3dfcdfdb", "object_modified": "2024-02-04T23:05:59.000Z" }, { "object_ref": "attack-pattern--860c42ef-bb44-4de5-9ab4-1d2dde128758", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--6b338d24-50e2-474b-acc3-3ba761b525d8", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--655d8452-5dba-4f9e-bda8-b571432d5382", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "attack-pattern--dd77ebc4-d327-4612-8f33-c099eb1e8573", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--956f07dd-3949-4c79-8e78-42805378ec74", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--82e5e173-9ed7-404b-a58a-3718c93c5628", "object_modified": "2022-08-18T19:04:59.000Z" }, { "object_ref": "attack-pattern--84932e4b-3ef0-490e-becf-36c9c4abd888", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--215bc946-0066-430c-9a6b-f2e7685a7b65", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--89caf13e-9bf3-483e-8372-36f4da264374", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--da39f9b2-3fc3-4858-9e64-fa587a26a2bd", "object_modified": "2024-02-04T23:05:59.000Z" }, { "object_ref": "attack-pattern--9c0cd0fe-d904-4be3-a01c-a48c84bdb6f9", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--9dd00955-ecdd-4e3f-b074-41542605300d", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--3dca07b0-c955-407e-8e77-a1d17a47f182", "object_modified": "2022-07-29T18:07:09.000Z" }, { "object_ref": "attack-pattern--63fb52b3-ed25-41b3-b90a-1eeea7737e9a", "object_modified": "2023-06-12T03:16:53.000Z" }, { "object_ref": "attack-pattern--576338cb-56b7-408c-a727-2ec68286eaad", 
"object_modified": "2023-06-12T03:08:06.000Z" }, { "object_ref": "attack-pattern--3bdb828a-caf8-4617-8e33-fd4d174f650a", "object_modified": "2024-02-04T22:12:32.000Z" }, { "object_ref": "attack-pattern--16066262-455e-4fa5-bb9c-28bca4df3105", "object_modified": "2023-09-05T15:58:57.000Z" }, { "object_ref": "attack-pattern--d5c5cadd-e0e8-4f42-8b66-49b5af079f2c", "object_modified": "2023-09-05T15:58:57.000Z" }, { "object_ref": "attack-pattern--a941dc49-6970-491b-9ba3-e94934094c79", "object_modified": "2023-09-05T15:58:57.000Z" }, { "object_ref": "attack-pattern--82654405-9968-4dcc-abfa-41eb3681f042", "object_modified": "2023-09-05T15:58:57.000Z" }, { "object_ref": "attack-pattern--b564bf40-14c7-4607-b91a-9fe03b6938b2", "object_modified": "2023-09-05T15:58:57.000Z" }, { "object_ref": "attack-pattern--260d8064-bcf3-4bac-9a59-5f77ce2b9a48", "object_modified": "2023-09-05T15:58:57.000Z" }, { "object_ref": "attack-pattern--95039596-fc1d-440f-906e-a71a4e47a602", "object_modified": "2023-09-05T15:58:57.000Z" }, { "object_ref": "attack-pattern--a87d582b-e5f2-4880-bbe3-521c922892c8", "object_modified": "2024-02-04T23:05:59.000Z" }, { "object_ref": "attack-pattern--5150e731-4d58-4daa-9601-a79ba66beedb", "object_modified": "2023-09-05T15:58:57.000Z" }, { "object_ref": "attack-pattern--20dcfb35-9aa6-4995-b272-d4334960c6e2", "object_modified": "2024-02-04T23:05:59.000Z" }, { "object_ref": "attack-pattern--d754cd69-458a-4ad7-899c-90479f6223db", "object_modified": "2023-09-05T15:58:57.000Z" }, { "object_ref": "attack-pattern--dfc2b6af-2dc4-4dc9-b3b5-b8df9802c8ba", "object_modified": "2023-09-05T19:05:13.000Z" }, { "object_ref": "relationship--6361841d-5e52-418f-a473-7dc3835343a9", "object_modified": "2024-05-08T13:40:24.437669Z" }, { "object_ref": "relationship--64fd6a40-3a0c-4669-b9e9-3c80c3f09795", "object_modified": "2024-05-08T13:40:24.437766Z" }, { "object_ref": "relationship--afc13b1f-978b-4a6d-913a-250b78f48a5a", "object_modified": "2024-05-08T13:40:24.437837Z" }, { 
"object_ref": "relationship--bf91d985-7913-4ca9-86ee-3b04243216be", "object_modified": "2024-05-08T13:40:24.437903Z" }, { "object_ref": "relationship--82e69bfa-b448-4c7b-b6cb-1be4d3ef2bc8", "object_modified": "2024-05-08T13:40:24.437977Z" }, { "object_ref": "relationship--c092d64d-604f-4196-b8e3-ae89a7e187a6", "object_modified": "2024-05-08T13:40:24.438047Z" }, { "object_ref": "relationship--cef5495e-b55a-4a74-8d14-3b544299208a", "object_modified": "2024-05-08T13:40:24.438113Z" }, { "object_ref": "relationship--4d941fa3-d0a0-4a39-8bcf-4b7141e435d7", "object_modified": "2024-05-08T13:40:24.438177Z" }, { "object_ref": "relationship--5a740440-81b6-4f34-a467-70c563761abe", "object_modified": "2024-05-08T13:40:24.43824Z" }, { "object_ref": "relationship--10a70442-d32b-4e5b-ab4e-a558b7e63222", "object_modified": "2024-05-08T13:40:24.438302Z" }, { "object_ref": "relationship--8fa945c6-df0a-49a6-b466-366e04a724f1", "object_modified": "2024-05-08T13:40:24.43836Z" }, { "object_ref": "relationship--efb9d6a3-375b-4adb-a5af-0eb787403aad", "object_modified": "2024-05-08T13:40:24.438419Z" }, { "object_ref": "relationship--bd6fa56f-0b83-4e52-b1d7-cf3ce1d88412", "object_modified": "2024-05-08T13:40:24.438482Z" }, { "object_ref": "relationship--2378c0d2-4f85-45c6-99ea-549510d90fc9", "object_modified": "2024-05-08T13:40:24.43854Z" }, { "object_ref": "relationship--49a600be-3355-4c86-b9c8-39040ed33c4b", "object_modified": "2024-05-08T13:40:24.438598Z" }, { "object_ref": "relationship--a7f2fa4d-3843-405b-bb32-109df4a11911", "object_modified": "2024-05-08T13:40:24.438673Z" }, { "object_ref": "relationship--639cc3df-40fb-48fa-9888-2ee7ae5254f1", "object_modified": "2024-05-08T13:40:24.438733Z" }, { "object_ref": "relationship--80c08439-a7be-441d-a893-8edcdffeea04", "object_modified": "2024-05-08T13:40:24.438791Z" }, { "object_ref": "relationship--b6c701ed-d896-42cf-a784-7fe914d86d80", "object_modified": "2024-05-08T13:40:24.438854Z" }, { "object_ref": 
"relationship--8be647c3-91de-4458-9af2-6bf4cdad1934", "object_modified": "2024-05-08T13:40:24.438917Z" }, { "object_ref": "relationship--5c8c9db2-c2e9-4c7a-b908-53d9acd2c80b", "object_modified": "2024-05-08T13:40:24.438983Z" }, { "object_ref": "relationship--b46f54be-79ee-472e-bcae-1b430b4490f9", "object_modified": "2024-05-08T13:40:24.439043Z" }, { "object_ref": "relationship--1face7db-c42a-489a-8dd9-4bb792ccfee7", "object_modified": "2024-05-08T13:40:24.4391Z" }, { "object_ref": "relationship--2e23d8cb-84c6-4b71-9d40-9d9f78cd5bd3", "object_modified": "2024-05-08T13:40:24.439157Z" }, { "object_ref": "relationship--fb8d22f4-25fe-4b94-bf9f-c7ce1cc9348d", "object_modified": "2024-05-08T13:40:24.439214Z" }, { "object_ref": "relationship--85e07c8b-3d7d-4eac-b4ef-508c04a24d7e", "object_modified": "2024-05-08T13:40:24.439272Z" }, { "object_ref": "relationship--d38eab0a-066a-4b46-a8f4-1673855a408f", "object_modified": "2024-05-08T13:40:24.439331Z" }, { "object_ref": "relationship--9929bc24-df31-4298-8db9-8ca10fc761d7", "object_modified": "2024-05-08T13:40:24.439388Z" }, { "object_ref": "relationship--dc243c20-7015-49e5-848c-0b3b033bb116", "object_modified": "2024-05-08T13:40:24.439446Z" }, { "object_ref": "relationship--54adc5f6-567b-42b2-810e-67d3ea9ba429", "object_modified": "2024-05-08T13:40:24.439507Z" }, { "object_ref": "relationship--b4663c8c-eac6-4f2f-89c6-c2cdfdb8e05c", "object_modified": "2024-05-08T13:40:24.439564Z" }, { "object_ref": "relationship--795f40ab-ddf2-4205-8018-36e6d69996d4", "object_modified": "2024-05-08T13:40:24.43963Z" }, { "object_ref": "relationship--89d88c87-4c39-4c68-be04-c0a02c99e098", "object_modified": "2024-05-08T13:40:24.43969Z" }, { "object_ref": "relationship--fcd3e9b2-505c-4cf7-bf45-e2374cef2c40", "object_modified": "2024-05-08T13:40:24.439747Z" }, { "object_ref": "relationship--3303abd0-eff0-4054-aef4-db5b528bace8", "object_modified": "2024-05-08T13:40:24.439831Z" }, { "object_ref": 
"relationship--565ccf1c-29d0-4ded-9cec-b916072ee06b", "object_modified": "2024-05-08T13:40:24.439926Z" }, { "object_ref": "relationship--cbdecd97-646b-488c-b3c2-725b9fdbc0a4", "object_modified": "2024-05-08T13:40:24.440006Z" }, { "object_ref": "relationship--1f2009a1-50de-4c10-9126-9d2c192c1fb3", "object_modified": "2024-05-08T13:40:24.440073Z" }, { "object_ref": "relationship--e2c2ee24-b95b-4fb2-9993-c3f050b4138c", "object_modified": "2024-05-08T13:40:24.440133Z" }, { "object_ref": "relationship--6c88db58-9ecb-4ba1-8fa0-c31a6100e496", "object_modified": "2024-05-08T13:40:24.440197Z" }, { "object_ref": "relationship--153130d5-3fca-4b77-a795-a8f312671187", "object_modified": "2024-05-08T13:40:24.440258Z" }, { "object_ref": "relationship--37016b93-44b9-4e77-9b12-98965fc8a4a4", "object_modified": "2024-05-08T13:40:24.440322Z" }, { "object_ref": "relationship--f82ca1d2-ff88-4dd7-a6de-2264ae3c46d9", "object_modified": "2024-05-08T13:40:24.44038Z" }, { "object_ref": "relationship--e64df2f6-1181-4934-b06f-bd9a2dd947f7", "object_modified": "2024-05-08T13:40:24.440447Z" }, { "object_ref": "relationship--62f88e6b-e44b-4de1-aa6b-85863d7588a0", "object_modified": "2024-05-08T13:40:24.440507Z" }, { "object_ref": "relationship--6b210d60-7454-4bbb-b85e-9955cd28d52b", "object_modified": "2024-05-08T13:40:24.440565Z" }, { "object_ref": "relationship--3b457cb0-b194-4fb5-9597-a0f8fbe183cc", "object_modified": "2024-05-08T13:40:24.44063Z" }, { "object_ref": "relationship--2e999b13-5ce5-42f8-8426-4168b0263a41", "object_modified": "2024-05-08T13:40:24.440688Z" }, { "object_ref": "relationship--bf68a74d-8bcb-4363-b972-af993f40c117", "object_modified": "2024-05-08T13:40:24.440747Z" }, { "object_ref": "relationship--e5ccf941-594e-45cb-806b-8bbcb6077327", "object_modified": "2024-05-08T13:40:24.440803Z" }, { "object_ref": "relationship--dbdc3012-5b20-40e4-b396-8d8d4596e0cb", "object_modified": "2024-05-08T13:40:24.44086Z" }, { "object_ref": 
"relationship--21f82448-d52f-45df-9b15-e88401aa0c8f", "object_modified": "2024-05-08T13:40:24.440921Z" }, { "object_ref": "relationship--ad61899f-b495-4599-83e7-3f7e3887171b", "object_modified": "2024-05-08T13:40:24.440978Z" }, { "object_ref": "relationship--eb2ee356-ecec-4b8a-bc80-c19ee951275f", "object_modified": "2024-05-08T13:40:24.441035Z" }, { "object_ref": "relationship--e3eeb92a-1ef4-4ecc-9069-2c6cf643a0e8", "object_modified": "2024-05-08T13:40:24.441097Z" }, { "object_ref": "relationship--4aeb872d-4516-4138-af95-9024221f5de2", "object_modified": "2024-05-08T13:40:24.441545Z" }, { "object_ref": "relationship--bb683d6f-3ce5-4ca5-9eef-399ee019b250", "object_modified": "2024-05-08T13:40:24.441623Z" }, { "object_ref": "relationship--4d4557fd-663d-4b18-bd7f-2f04d4592e63", "object_modified": "2024-05-08T13:40:24.441687Z" }, { "object_ref": "relationship--eb5008e9-d926-4aa0-bbd5-0d24d1badba9", "object_modified": "2024-05-08T13:40:24.441746Z" }, { "object_ref": "relationship--2fe4b893-c147-40bd-944f-ec4b1a6660af", "object_modified": "2024-05-08T13:40:24.441805Z" }, { "object_ref": "x-mitre-matrix--095911b6-fbdf-4da7-9ee4-2a27aee8c88f", "object_modified": "2024-05-08T16:40:24.453Z" }, { "object_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "object_modified": "2024-02-05T14:00:00.188Z" } ], "x_mitre_version": "0.1" }, { "type": "x-mitre-tactic", "spec_version": "2.1", "id": "x-mitre-tactic--467446fb-ffef-4171-a753-672f71b90bf1", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/Reconnaissance", "external_id": "AZTA100" } ], "name": "Reconnaissance", "description": "The adversary is trying to gather information they can use to plan future operations.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ 
"enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_shortname": "reconnaissance" }, { "type": "x-mitre-tactic", "spec_version": "2.1", "id": "x-mitre-tactic--f7b60851-228c-4eb9-b8ec-dbc78ca17b00", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2024-02-04T23:05:59.000Z", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/InitialAccess", "external_id": "AZTA200" } ], "name": "Initial Access", "description": "The adversary is attempting to gain access to an Azure Resource or Azure AD.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_shortname": "initial-access" }, { "type": "x-mitre-tactic", "spec_version": "2.1", "id": "x-mitre-tactic--cd6f8a9e-610b-4dbd-a043-b362ad9e838d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/Execution", "external_id": "AZTA300" } ], "name": "Execution", "description": "The adversary is trying to run malicious code.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_shortname": "execution" }, { "type": "x-mitre-tactic", "spec_version": "2.1", "id": "x-mitre-tactic--cddfc9a2-bc7d-496c-9a45-2d8a7c5931ef", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2024-02-04T23:05:59.000Z", "external_references": [ { 
"source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/PrivilegeEscalation", "external_id": "AZTA400" } ], "name": "Privilege Escalation", "description": "The adversary is trying to escalate their privileges within Azure Resources or Azure Active Directory.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_shortname": "privilege-escalation" }, { "type": "x-mitre-tactic", "spec_version": "2.1", "id": "x-mitre-tactic--f22aa093-be62-4f85-9400-51ebbacb0465", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2024-02-04T23:05:59.000Z", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/Persistence", "external_id": "AZTA500" } ], "name": "Persistence", "description": "The adversary is trying to persist in the Azure tenant or subscription. \nPersistence consists of techniques that adversaries use to modify existing resources, or modify and manipulate accounts in order to access Azure Active Directory.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_shortname": "persistence" }, { "type": "x-mitre-tactic", "spec_version": "2.1", "id": "x-mitre-tactic--67fe57e8-d611-428d-809f-3bb6cc658b27", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2024-02-04T23:05:59.000Z", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/CredentialAccess", "external_id": "AZTA600" } ], "name": "Credential Access", "description": "The adversary is trying to steal account usernames, passwords, or access tokens. Credential access in Azure consists of stealing methods of authentication which includes passwords and tokens. Stealing these credentials can give adversaries a potential avenue of privilege escalation or persistence.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_shortname": "credential-access" }, { "type": "x-mitre-tactic", "spec_version": "2.1", "id": "x-mitre-tactic--1186c3fa-50bd-4ecf-985f-e1d4ec838597", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2023-09-05T15:58:57.000Z", "modified": "2024-02-04T23:05:59.000Z", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/Impact", "external_id": "AZTA700" } ], "name": "Impact", "description": "The adversary is trying to either steal, manipulate, or delete data. \nExfiltration in Azure consists of using techniques to lift resource data from specific resources. This can be done by generating SAS URIs for unauthenticated & persistent downloads, or can be done by directly exfiltrating the data from the resource itself. Deletion can occur through various means.", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_shortname": "impact" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--b37be322-071d-4cf4-a3e4-58ccbbde0651", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "name": "Gather Application Information", "description": "An adversary may obtain information about an application within Azure Active Directory.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "reconnaissance" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT105/AZT105", "external_id": "AZT105" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-configure-permissions" } ], "x_atrm_actions": [ "microsoft.directory/applications/*/read" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell Get-AzADApplication`](https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azadapplication?view=azps-8.0.0)\n\n=== \"Azure CLI\"\t\n\t[`#!powershell az ad app show`](https://docs.microsoft.com/en-us/cli/azure/ad/app?view=azure-cli-latest#az-ad-app-show)\n\n=== \"Microsoft Graph REST API\"\t\n\t[`#!powershell GET 
https://graph.microsoft.com/v1.0/applications/{id}`](https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http)\n\n=== \"Azure Portal\"\n\t![Appdata](appdata.PNG)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "An adversary may obtain information about an application within Azure Active Directory.", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--245ab752-440d-4dea-bf7d-da2b74f973b9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "name": "IP Discovery", "description": "It is possible to view the IP address on a resource by viewing the Virtual Network Interface", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "reconnaissance" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT102/AZT102", "external_id": "AZT102" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses" } ], "x_atrm_actions": [ "Microsoft.Network/publicIPAddresses/read", "Microsoft.Compute/virtualMachines/read" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell Get-AzPublicIpAddress`](https://docs.microsoft.com/en-us/powershell/module/az.network/get-azpublicipaddress?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\t[`#!powershell az network public-ip show`](https://docs.microsoft.com/en-us/cli/azure/network/public-ip?view=azure-cli-latest#az-network-public-ip-show)\n\n=== \"Azure REST API\"\t\n\t[`#!powershell GET 
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPAddresses/{publicIpAddressName}?api-version=2021-08-01`](https://docs.microsoft.com/en-us/rest/api/virtualnetwork/public-ip-addresses/get)\n\n=== \"Azure Portal\"\n\t![IP](IP.png)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_resources": [ "Network Interface", "Virtual Machine" ], "x_mitre_brief": "By viewing certain Azure resources, it is possible to view the private and public IP addresses assigned to a resource.", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--d4e07f5a-be7e-4679-9972-82c856ab962b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "name": "Public Accessible Resource", "description": "A resource within Azure is accessible from the public internet.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "reconnaissance" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT103/AZT103", "external_id": "AZT103" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_resources": [ "Network Interface", "Virtual Machine" ], "x_mitre_brief": "A resource within Azure is accessible from the public internet.", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--4a80d9ca-2d8d-430d-bfc8-fe33d96b88db", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": 
"2022-07-29T18:07:09.000Z", "name": "Gather User Information", "description": "An adversary may obtain information about a User within Azure Active Directory. Details may include email addresses, first/last names, job information, addresses, and assigned roles. By default, member users are able to read other users' roles and group memberships within AAD; this default can be restricted at the tenant level (see the linked default user permissions reference).", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "reconnaissance" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT104/AZT104", "external_id": "AZT104" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions" } ], "x_atrm_actions": [ "microsoft.directory/\\*/*/read" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_examples": [ "=== \"Az PowerShell\"\t\n\t[`#!powershell Get-AzADUser`](https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azaduser?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\t\n\t[`#!powershell az ad user show`](https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest#az-ad-user-show)\n\n=== \"Microsoft Graph REST API\"\t\n\t[`#!powershell GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}`](https://docs.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http)\n\n=== \"Azure Portal\"\n\t![Userinfo](userinfo.PNG)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "An adversary may obtain information about a user within Azure Active Directory.", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--d008ea05-fa05-4ad0-8bf0-dc558aab5b61", "created_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "name": "Gather Victim Data", "description": "An adversary may access a user's personal data if their account is compromised. This includes data such as email, OneDrive, Teams, etc.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "reconnaissance" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT108/AZT108", "external_id": "AZT108" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "An adversary may access a user's personal data if their account is compromised.", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--eb7e756f-48d6-4b4e-9690-2fcaf1832a61", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "name": "Port Mapping", "description": "It is possible to view the ports permitted through to a virtual machine by viewing the Network Security Group assigned to its Virtual Network Interface. Note that NSG inbound rules show which ports are allowed through the NSG, not which services are actually listening on the VM, so this yields a map of reachable ports rather than the result of a port scan.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "reconnaissance" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT101/AZT101", "external_id": "AZT101" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview" } ], "x_atrm_actions": [ "Microsoft.Network/networkSecurityGroups/read" ], "x_mitre_domains": [ "enterprise-attack" ], 
"x_atrm_examples": [ "=== \"Az PowerShell\"\t\n\t[`#!powershell Get-AzNetworkSecurityGroup`](https://docs.microsoft.com/en-us/powershell/module/az.network/get-aznetworksecuritygroup?view=azps-8.0.0)\n\n=== \"Azure CLI\"\t\n\t[`#!powershell az network nsg show`](https://docs.microsoft.com/en-us/cli/azure/network/nsg?view=azure-cli-latest#az-network-nsg-show)\n\t\n=== \"Azure REST API\"\t\n\t[`#!http GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{networkSecurityGroupName}?api-version=2021-08-01`](https://docs.microsoft.com/en-us/rest/api/virtualnetwork/network-security-groups/get#code-try-0)\n\n=== \"Azure Portal\"\n\t![NSG](NSG.PNG)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_resources": [ "Network Security Group" ], "x_mitre_brief": "By viewing certain Azure resources, it is possible to view the open ports on a resource.", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--c30c8a90-4233-4b2e-8958-9babd82c5c44", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2024-02-04T23:05:59.000Z", "name": "Gather Role Information", "description": "An adversary may obtain information about a role within Azure Active Directory or within Azure Resource Manager.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "reconnaissance" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106", "external_id": "AZT106" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "An adversary may obtain information about a role.", "x_mitre_modified_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--68b8f6f6-de3d-45c5-a3e9-2b2d7582c56d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Gather AAD Role Information", "description": "An adversary may gather role assignments within Azure Active Directory.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "reconnaissance" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-1", "external_id": "AZT106.001" } ], "x_atrm_actions": [ "microsoft.directory/roleAssignments/standard/read", "microsoft.directory/directoryRoles/standard/read", "microsoft.directory/directoryRoles/eligibleMembers/read", "microsoft.directory/directoryRoles/members/read" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_examples": [ "=== \"Microsoft Graph REST API\"\t\n\t* [`#!powershell GET https://graph.microsoft.com/v1.0/directoryRoles/{role ID}`](https://docs.microsoft.com/en-us/graph/api/directoryrole-list-members?view=graph-rest-1.0&tabs=http)\n=== \"Azure Portal\"\n\t![Userroles](userroles.png)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "An adversary may obtain information about a role within Azure Active Directory.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--17205c36-7049-4adb-95ef-b8fe975cc8a6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-02-04T23:05:59.000Z", "modified": 
"2024-02-04T23:05:59.000Z", "name": "List Transitive Role Assignments", "description": "An adversary may gather transitive role assignments (roles a principal holds directly or through group membership) by specifying a known principal ID. Note that the Microsoft Graph example below is the directory role member listing reused from AZT106.001, not a transitive role assignment query filtered on the principal ID.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "reconnaissance" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-4", "external_id": "AZT106.004" } ], "x_atrm_examples": [ "=== \"Microsoft Graph REST API\"\t\n\t* [`#!powershell GET https://graph.microsoft.com/v1.0/directoryRoles/{role ID}`](https://docs.microsoft.com/en-us/graph/api/directoryrole-list-members?view=graph-rest-1.0&tabs=http)" ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "An adversary may gather transitive role assignments by specifying a known principal ID.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--3f9cb872-3eda-438e-a00f-8c51810c8c09", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Gather Azure Resources Role Assignments", "description": "An adversary may gather role assignments for a specific Azure Resource, Resource Group, or Subscription.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "reconnaissance" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-3", "external_id": "AZT106.003" } ], "x_atrm_actions": [ "{resource}/read" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_examples": [ "=== 
\"Az PowerShell\"\n\t[`#!powershell Get-AzRoleAssignment`](https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azroleassignment?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\t\t\n\t[`#!powershell az role assignment`](https://docs.microsoft.com/en-us/cli/azure/role/assignment?view=azure-cli-latest)\n\n=== \"Azure REST API\"\t\n\t* [`#!powershell GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01`](https://docs.microsoft.com/en-us/rest/api/authorization/role-assignments/list-for-scope)\n=== \"Azure Portal\"\n\t![UserRMroles](userRMroles.png)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_resources": [ "Azure Resources" ], "x_mitre_brief": "An adversary may gather role assignments for a specific Azure Resource, Resource Group, or Subscription.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--5b12e0bb-8afb-41ae-905e-4672d5c843d3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "name": "Gather Application Role Information", "description": "An adversary may gather information about an application role & it's member assignments within Azure Active Directory.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "reconnaissance" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-2", "external_id": "AZT106.002" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles" } ], "x_atrm_actions": [ "microsoft.directory/roleAssignments/standard/read", "microsoft.directory/directoryRoles/standard/read", 
"microsoft.directory/directoryRoles/eligibleMembers/read", "microsoft.directory/directoryRoles/members/read", "microsoft.directory/users/appRoleAssignments/read", "microsoft.directory/servicePrincipals/appRoleAssignments/read", "microsoft.directory/servicePrincipals/appRoleAssignedTo/read", "microsoft.directory/applications/owners/read" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell Get-AzADAppPermission`](https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azadapppermission?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\t\t\n\t[`#!powershell az ad app permission list`](https://docs.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-list)\n\n=== \"Microsoft Graph REST API\"\t\n\t* [`#!powershell GET https://graph.microsoft.com/v1.0/users/{id}/appRoleAssignments`](https://docs.microsoft.com/en-us/graph/api/user-list-approleassignments?view=graph-rest-1.0&tabs=http)\n\t* [`#!powershell GET https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignments`](https://docs.microsoft.com/en-us/graph/api/serviceprincipal-list-approleassignments?view=graph-rest-1.0&tabs=http)\t\t\n\t* [`#!powershell GET https://graph.microsoft.com/v1.0/groups/{id}/appRoleAssignments`](https://docs.microsoft.com/en-us/graph/api/group-list-approleassignments?view=graph-rest-1.0&tabs=http)\n\n=== \"Azure Portal\"\n\t![Approle](Approle.PNG)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "An adversary may obtain information about an application role within Azure Active Directory.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--28e4d596-ec98-4388-a84c-7e96c8e20971", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": 
"2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "name": "Gather Resource Data", "description": "An adversary may obtain information and data within a resource.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "reconnaissance" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT107/AZT107", "external_id": "AZT107" } ], "x_atrm_actions": [ "Azure Resources" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell Get-AzResource`](https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azresource?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\t\t\n\t[`#!powershell az resource show`](https://docs.microsoft.com/en-us/cli/azure/resource?view=azure-cli-latest#az-resource-show)\n\n=== \"Azure REST API\"\t\n\t[`#!powershell GET https://management.azure.com/{resourceId}?api-version=2021-04-01`](https://docs.microsoft.com/en-us/rest/api/resources/resources/get-by-id)\n\n=== \"Azure Portal\"\n\t![example](example.png)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_resources": [ "\\{resource}/*/read" ], "x_mitre_brief": "An adversary may obtain information and data within a resource.", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--2a44f2b6-6a81-433c-949b-cb0b31498597", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "Password Spraying", "description": "An adversary may potentially gain access to AzureAD by guessing a common password for multiple users.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], 
"x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT202/AZT202", "external_id": "AZT202" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/graph/api/resources/azure-ad-auditlog-overview?view=graph-rest-1.0" } ], "x_atrm_detections": [ "## **Logs**\n\n| Data Source | Application | Resource | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Azure Active Directory | Azure Portal\t | Windows Azure Service Management API\t| SignInLogs |\n| Azure Active Directory | Microsoft Azure PowerShell\t | Windows Azure Service Management API\t| SignInLogs |\n\n## **Detection Screenshots**\n\n![](failedsignin.png)\n\n## **Detection Notes**\n\nThe main difference between a successful and unsuccessful login is the 'Status' field, which will designate a \"Success\" or \"Failure\". A spray shows up as failures spread across many distinct accounts, usually only one or a few attempts per account, from a shared source IP or user agent; a query filtered on a single UserId, like the one below, will not surface that pattern, so aggregate failures by source IP and count distinct users over a time window instead. Use the sign-in result (error) code to separate wrong-password failures from failures caused by MFA or Conditional Access, which would otherwise be counted as guesses. 
\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql SignInLogs | where UserId == 'IDGOESHERE'` |\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FInitialAccess%2FAZT202%2FAZT202.json)" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_examples": [ "=== \"Az PowerShell (Secret)\"\n\t[`#!powershell Connect-AzAccount`](https://docs.microsoft.com/en-us/powershell/module/az.accounts/connect-azaccount?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\t[`#!powershell az login -u -p `](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "An adversary may potentially gain access to AzureAD by guessing a common password for multiple users.", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--5caa2813-1c7c-4369-bc0e-822ea3b1efe8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-08-18T19:04:59.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "Malicious Application Consent", "description": "An adversary may lure a victim into giving their access to a malicious application registered in AzureAD.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT203/AZT203", "external_id": "AZT203" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-compromised-malicious-app" }, { 
"source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-app-consent" } ], "x_atrm_actions": [ "By default, any user can consent to an application requesting delegated permissions, and the application then acts with that user's privileges. Tenants can restrict or disable user consent so that an administrator must approve such grants." ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs**\n\n| Data Source | Application | Resource | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Azure Active Directory |N/A | AAD | AuditLogs\n\n## **Detection Details**\n\nPlease review the incident response playbooks in the 'Additional Resources' section below. When triaging a consent event, check which user consented, who published the application and which permissions were granted; a consent to an unfamiliar or newly registered application that requests mail, file or directory read access warrants priority.\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AuditLogs | where ActivityDisplayName == \"Consent to application\"` |\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FInitialAccess%2FAZT203%2FAZT203.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "An adversary may lure a victim into giving their access to a malicious application registered in AzureAD.", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--39df1e22-763b-4eec-8b05-dcc8b063b9a0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "name": "Valid Credentials", "description": "Adversaries may login to AzureAD using valid credentials. By logging in with valid credentials to an account or service principal, the adversary will assume all privileges of that account or service principal. 
If the account is privileged, this may lead to other tactics, such as persistence or privilege escalation.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201", "external_id": "AZT201" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "Adversaries may login to AzureAD using valid credentials.", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--3b276a89-8c5e-41a0-ad12-e1267cb80905", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "Service Principal", "description": "By obtaining a valid secret or certificate, an adversary may login to AzureAD via command line.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201-2", "external_id": "AZT201.002" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/powershell/module/az.accounts/connect-azaccount?view=azps-8.0.0" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli#sign-in-with-a-service-principal" } ], "x_atrm_detections": [ "## **Logs**\n\n| Data Source | Application | Resource | Log Provider 
|\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Azure Active Directory | {Service Principal's Application ID}\t | Windows Azure Service Management API\t| AADServicePrincipalSignInLogs |\n\n## **Detection Screenshots**\n\n![spclilogin](spclilogin.png)\n\n## **Queries**\t\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AADServicePrincipalSignInLogs | where ServicePrincipalId == 'IDGOESHERE'` |\n\n## **Azure Monitor Alert**\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FInitialAccess%2FAZT201%2FAZT201-2.json)" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_examples": [ "=== \"Az PowerShell (Secret)\"\n\t``` powershell\n\t$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecurePassword\n\tConnect-AzAccount -Credential $Credential -Tenant '$Context.Tenant.Id' -ServicePrincipal\n\t```\n=== \"Az PowerShell (Certificate)\"\n\t``` powershell\n\t$import = Import-PfxCertificate -FilePath $CertPath -CertStoreLocation Cert:\\LocalMachine\\My -Password $SecurePassword -Exportable\n\tConnect-AzAccount -CertificateThumbprint \"$thumbprint\" -ApplicationId \"$appID\" -Tenant \"$tenant\"\n\t```\t\t\n=== \"Azure CLI\"\n\t``` powershell\n\taz login --service-principal -u -p --tenant \n\t```" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "By obtaining a valid secret or certificate, an adversary may login to AzureAD via command line.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--2b01e017-6833-45b4-9e8e-20d1c9d057e9", "created_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "User Account", "description": "By obtaining valid user credentials, an adversary may login to AzureAD via command line or through the Azure Portal.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201-1", "external_id": "AZT201.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins" } ], "x_atrm_detections": [ "## **Logs**\n\n| Data Source | Application | Resource | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Azure Active Directory | Azure Portal\t | Windows Azure Service Management API\t| SignInLogs |\n| Azure Active Directory | Microsoft Azure PowerShell\t | Windows Azure Service Management API\t| SignInLogs |\n\n## **Detection Screenshots**\n\n=== \"Portal Sign-in\"\n\t![](portalsignin.png)\n\t\t\n=== \"PowerShell Sign-in\"\n\t![](userclilogin.png)\n\t\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql SignInLogs | where UserId == 'IDGOESHERE'` |\n\t\n## **Azure Monitor Alert**\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FInitialAccess%2FAZT201%2FAZT201-1.json)" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_examples": [ "=== \"Az PowerShell (Secret)\"\n\t[`#!powershell Connect-AzAccount`](https://docs.microsoft.com/en-us/powershell/module/az.accounts/connect-azaccount?view=azps-8.0.0)\n\t\n=== \"Azure 
CLI\"\n\t[`#!powershell az login -u -p `](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "By obtaining valid user credentials, an adversary may login to AzureAD via command line or through the Azure Portal.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--1185f52e-b6e8-4d28-a0bc-b537d444cb02", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "AKS Command Invoke", "description": "By utilizing 'command invoke' on an Azure Kubernetes Service (AKS) cluster, an attacker holding the runCommand permission on the cluster resource can run kubectl and helm commands inside the cluster through a command pod that the service creates, without needing network access to the cluster's API server. The commands run inside that pod in the cluster, not as SYSTEM on the node VMs.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-5", "external_id": "AZT301.005" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/aks/command-invoke" } ], "x_atrm_actions": [ "Microsoft.ContainerService/managedClusters/runcommand/action", "Microsoft.ContainerService/managedclusters/commandResults/read" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Detection Details**\n\nAzureActivity entries are only generated for invocations of the cluster's runCommand API (az cli, Az PowerShell, the REST API or the portal). 
Commands issued directly with `kubectl` against the API server do not go through this API and therefore do not appear in AzureActivity; they are only visible if the cluster's Kubernetes audit logging is being collected.\n\n## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | RunCommand\t | Microsoft.ContainerService/managedClusters/runCommand/action\t| AzureActivity |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureActivity | where OperationNameValue == 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/RUNCOMMAND/ACTION'`|\n\n## **Azure Monitor Alert**\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FExecution%2FAZT301%2FAZT301-5.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell Invoke-AzAksRunCommand`](https://docs.microsoft.com/en-us/powershell/module/az.aks/invoke-azaksruncommand?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n [`#!powershell az aks command invoke`](https://docs.microsoft.com/en-us/cli/azure/aks/command?view=azure-cli-latest)\n\t\n=== \"Azure REST API\"\t\n\t[`#!powershell POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ContainerService/managedClusters/{resourceName}/runCommand?api-version=2022-04-01`](https://docs.microsoft.com/en-us/rest/api/aks/managed-clusters/run-command)\n\n=== \"Azure Portal\"\n\t![aks](aks.PNG)" ], "x_atrm_resources": [ "Azure Kubernetes Service" ], "x_mitre_brief": "By utilizing 'command invoke' on an Azure Kubernetes Service (AKS) cluster, an attacker can run kubectl and helm commands inside the cluster through a command pod created by the service.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": 
"attack-pattern--22de8bda-0779-43ea-aa80-b13c350b10d4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-20T15:00:42.000Z", "name": "RunCommand", "description": "By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass:\n- Windows: PowerShell commands to the VM as SYSTEM.\n- Linux: Shell commands to the VM as root.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-1", "external_id": "AZT301.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/run-command" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/virtual-machines/linux/run-command" } ], "x_atrm_actions": [ "Microsoft.Compute/virtualMachines/runCommand/action", "Microsoft.Compute/locations/runCommands/read" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Detection Details**\n\n* **Windows**: The commands are stored as .PS1 files.\n* **Linux**: The commands are stored as script.sh files.\n* The on-disk paths below contain the RunCommand extension's version folder (1.1.11 and 1.0.3 at the time of writing); that version changes as the extension is updated, so file-creation detections should match on the parent RunCommand directory rather than a fixed version path. 
\n\n## **Logs** \n\n| Data Source | Operation Name | Action/On-Disk Location | Log Provider | \n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Run Command on Virtual Machine\t | Microsoft.Compute/virtualMachines/runCommand/action\t| AzureActivity |\n| On-Resource File (Windows) | File Creation | C:\\Packages\\Plugins\\Microsoft.CPlat.Core.RunCommandWindows\\1.1.11\\Downloads | Event |\n| On-Resource File (Windows) | File Creation | C:\\Packages\\Plugins\\Microsoft.CPlat.Core.RunCommandWindows\\1.1.11\\Status | Event |\n| On-Resource File (Linux) | File Creation | /var/lib/waagent/run-command/download/ | syslog |\n| On-Resource File (Linux) | File Creation | /var/lib/waagent/Microsoft.CPlat.Core.RunCommandLinux-1.0.3/status/ | syslog |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql let timeframe = toscalar(AzureActivity | where OperationNameValue == 'MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION' and ActivityStatusValue == 'Success' | distinct TimeGenerated); Event | where EventID == '4104' and RenderedDescription has 'RunCommandWindows' | where (timeframe - TimeGenerated) <= 1m` |\n| Log Analytics | `#!sql AzureActivity | where OperationNameValue has 'MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION' and ActivityStatusValue == 'Success' or OperationNameValue has 'MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE' and ActivityStatusValue == 'Success'`\n\n## **Azure Monitor Alert**\n\nFor resources *with* Azure Monitor Agent installed\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FExecution%2FAZT301%2FAZT301-1-AMA.json)\n\nFor resources *without* Azure Monitor Agent installed\n\n[![Deploy to 
Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FExecution%2FAZT301%2FAZT301-1.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\n [`#!powershell Invoke-AzVMRunCommand`](https://docs.microsoft.com/en-us/powershell/module/az.compute/invoke-azvmruncommand?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\n [`#!powershell az vm run-command`](https://docs.microsoft.com/en-us/cli/azure/vm/run-command?view=azure-cli-latest)\n\t\n=== \"Azure REST API\"\t\n\t[`#!powershell POST https://management.azure.com/subscriptions/{sub id}/resourceGroups/{rg name}/providers/Microsoft.Compute/virtualMachines/{vm name}/runCommand?api-version=2022-03-01`](https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/run-command)\n\n=== \"Azure Portal\"\n\n ![runcommand](runcommand.PNG)" ], "x_atrm_resources": [ "Virtual Machine" ], "x_mitre_brief": "By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--a10f9420-bfb2-45a0-88d5-f8bb531e7d86", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "name": "Virtual Machine Scripting", "description": "Adversaries may abuse access to virtual machines by executing a script through various methods in order to gain access to the Virtual Machine.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": 
"https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301", "external_id": "AZT301" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "Adversaries may abuse access to virtual machines by executing a script through various methods in order to gain access to the Virtual Machine.", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--2b66fdb9-8172-4170-9a9e-2f19a2e5e872", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:33:04.000Z", "name": "Compute Gallery Application", "description": "By utilizing Compute Gallery Applications, an attacker can pass MS-DOS or PowerShell commands to the VM as SYSTEM.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-4", "external_id": "AZT301.004" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/virtual-machines/vm-applications" } ], "x_atrm_actions": [ "Virtual Machine" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action/On-Disk Location | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Create or Update Gallery Application Version\t | Microsoft.Compute/galleries/applications/versions/write\t| AzureActivity |\n| Resource | Create or Update Gallery Application\t | Microsoft.Compute/galleries/applications/write\t| AzureActivity |\n| Resource | Create or Update Gallery Application 
Version\t | Microsoft.Compute/galleries/applications/versions/write\t| AzureActivity |\n| Resource | Create or Update Gallery Application Version\t | Microsoft.Compute/galleries/applications/versions/write\t| AzureActivity |\n| On-Resource File | File Creation | C:\\Packages\\Plugins\\Microsoft.Powershell.DSC\\2.83.2.0\\Status | Event |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureActivity | where OperationNameValue == 'MICROSOFT.COMPUTE/GALLERIES/APPLICATIONS/VERSIONS/WRITE' and ActivityStatusValue == 'Created'`|\n\n## **Azure Monitor Alert**\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FExecution%2FAZT301%2FAZT301-4.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t* [`#!powershell New-AzGalleryApplication`](https://docs.microsoft.com/en-us/powershell/module/az.compute/new-azgalleryapplication?view=azps-8.0.0)\n\n\t* [`#!powershell New-AzGalleryApplicationVersion`](https://docs.microsoft.com/en-us/powershell/module/az.compute/new-azgalleryapplicationversion?view=azps-8.0.0)\n\n=== \"Azure CLI\"\n * [`#!powershell az sig gallery-application create`](https://docs.microsoft.com/en-us/cli/azure/sig/gallery-application?view=azure-cli-latest)\n\t* [`#!powershell az sig image-version create`](https://docs.microsoft.com/en-us/cli/azure/sig/image-version?view=azure-cli-latest#az-sig-image-version-create)\n\n=== \"Azure REST API\"\t\n\t[`#!powershell PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/galleries/{galleryName}/applications/{galleryApplicationName}?api-version=2021-10-01`](https://docs.microsoft.com/en-us/rest/api/compute/gallery-applications/create-or-update)\n\n=== \"Azure Portal\"\n\t![vmapp](vmapp.png)" ], 
"x_atrm_resources": [ "Microsoft.Compute/virtualMachines/write", "Microsoft.Compute/galleries/write", "Microsoft.Compute/galleries/applications/write", "Microsoft.Compute/galleries/applications/versions/write" ], "x_mitre_brief": "By utilizing Compute Gallery Applications, an attacker can pass MS-DOS or PowerShell commands to the VM as SYSTEM.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--023ef082-9c29-4f35-9272-afd9e8b4b5a7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:33:04.000Z", "name": "Desired State Configuration", "description": "By utilizing the 'Desired State Configuration' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-3", "external_id": "AZT301.003" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview" } ], "x_atrm_actions": [ "Microsoft.Compute/virtualMachines/extensions/*", "Microsoft.Compute/virtualMachines/write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action/On-Disk Location | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Create or Update Virtual Machine Extension\t | Microsoft.Compute/virtualMachines/extensions/write\t| AzureActivity |\n| On-Resource File | File Creation | C:\\Packages\\Plugins\\Microsoft.Powershell.DSC\\2.83.2.0\\Status | Event 
|\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql let timeframe = toscalar(AzureActivity | where OperationNameValue == 'MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE' and Properties_d has 'Microsoft.Powershell.DSC' | distinct TimeGenerated); Event | where EventID == '4104' and ParameterXml has 'Microsoft.Powershell.DSC' and RenderedDescription has '.ps1' | where (TimeGenerated - timeframe) <= 1m` |\n| Log Analytics | `#!sql AzureActivity | where OperationNameValue == 'MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE' and Properties_d has 'Microsoft.Powershell.DSC'`\n\t\t\t\n## **Azure Monitor Alert**\n\nFor resources *with* Azure Monitor Agent installed\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FExecution%2FAZT301%2FAZT301-3-AMA.json)\n\nFor resources *without* Azure Monitor Agent installed\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FExecution%2FAZT301%2FAZT301-3.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell Set-AzVMDscExtension`](https://docs.microsoft.com/en-us/powershell/module/az.compute/set-azvmdscextension?view=azps-8.0.0)\n\n=== \"Azure CLI\"\n [`#!powershell az vm extension set`](https://docs.microsoft.com/en-us/cli/azure/vm/extension?view=azure-cli-latest#az-vm-extension-set)\n\t\n=== \"Azure REST API\"\t\n\t[`#!powershell PUT https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{rg name}/providers/Microsoft.Compute/virtualMachines/{vm name}/extensions/DSC?api-version=2022-03-01`](https://docs.microsoft.com/en-us/rest/api/compute/virtual-machine-extensions/create-or-update)\n\n=== \"Azure 
Portal\"\n\t![dsc](dsc.PNG)" ], "x_atrm_resources": [ "Virtual Machine", "Virtual Machine Scale Sets" ], "x_mitre_brief": "By utilizing the 'Desired State Configuration' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--1a0cb6f2-1b7b-486a-a1e0-f0d0ef9ded9f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Serial Console", "description": "By utilizing the serial console feature on an Azure Virtual Machine, an adversary can pass arbitrary commands.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-7", "external_id": "AZT301.007" } ], "x_atrm_actions": [ "## **Detection Details**", "", "Commands are passed directly via COM1 port to the virtual machine. 
Logging requires [boot diagnostics to be enabled.](https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-windows#audit-logs)", "", "## **Logs**", "", "| Data Source | Operation Name | Action | Log Location |", "|--------------------|---------------------|-------------------------------------------------------------------|--------------|", "| Resource | N/A\t | N/A\t| Boot Diagnostics |" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "* [https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-overview](https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-overview)" ], "x_atrm_resources": [ "=== \"Azure Portal\"", "", "![SerialConsole](SerialConsole.png)" ], "x_mitre_brief": "By utilizing the serial console feature on an Azure Virtual Machine, an adversary can pass arbitrary commands.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--3e326ae2-bfb0-4356-94e9-5a6e5f879499", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "Vmss Run Command", "description": "By utilizing the 'RunCommand' feature on a virtual machine scale set (Vmss), an attacker can execute a command on an instance or instances of VMs as:\n- Windows: PowerShell commands to the VM as SYSTEM.\n- Linux: Shell commands to the VM as root.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-6", "external_id": "AZT301.006" }, { "source_name": 
"microsoft", "url": "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/run-command" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/virtual-machines/linux/run-command" } ], "x_atrm_actions": [ "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Detection Details**\n\n* **Windows**: The commands are stored as .PS1 files. \n* **Linux**: The commands are stored as script.sh files. \n\n## **Logs** \n\n| Data Source | Operation Name | Action/On-Disk Location | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Run Command on a Virtual Machine instance in a Virtual Machine Scale Set\t | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action\t| AzureActivity |\n| On-Resource File (Windows) | File Creation | C:\\Packages\\Plugins\\Microsoft.CPlat.Core.RunCommandWindows\\1.1.11\\Downloads | Event | \n| On-Resource File (Windows) | File Creation | C:\\Packages\\Plugins\\Microsoft.CPlat.Core.RunCommandWindows\\1.1.11\\Status | Event |\n| On-Resource File (Linux) | File Creation | /var/lib/waagent/run-command/download/ | syslog |\n| On-Resource File (Linux) | File Creation | /var/lib/waagent/Microsoft.CPlat.Core.RunCommandLinux-1.0.3/status/ | syslog |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureActivity | where OperationNameValue=='Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action'`|\n\n## **Azure Monitor Alert**\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FExecution%2FAZT301%2FAZT301-6.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", 
"x_atrm_examples": [ "=== \"Az PowerShell\"\n\n [`#!powershell Invoke-AzVmssVMRunCommand`](https://docs.microsoft.com/en-us/powershell/module/az.compute/invoke-azvmssvmruncommand?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\n [`#!powershell az vmss run-command`](https://docs.microsoft.com/en-us/cli/azure/vmss/run-command?view=azure-cli-latest)\n\t\n=== \"Azure REST API\"\t\n\t[`#!powershell PATCH https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachineScaleSets/{vmScaleSetName}/virtualMachines/{instanceId}/runCommands/{runCommandName}?api-version=2022-03-01`](https://docs.microsoft.com/en-us/rest/api/compute/virtual-machine-scale-set-vm-run-commands/update)" ], "x_atrm_resources": [ "Virtual Machine Scale Sets" ], "x_mitre_brief": "By utilizing the 'RunCommand' feature on a virtual machine scale set (vmss), an attacker can execute a command on an instance of a VM as SYSTEM.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--1b97df8e-02d8-46d1-adf6-77f64da597aa", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:33:04.000Z", "name": "CustomScriptExtension", "description": "By utilizing the 'CustomScriptExtension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-2", "external_id": "AZT301.002" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows" }, { "source_name": "microsoft", "url": 
"https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-linux" } ], "x_atrm_actions": [ "Microsoft.Compute/virtualMachines/extensions/*", "Microsoft.Compute/virtualMachines/write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Detection Details**\n\nThe commands are stored as .PS1 files and deleted after running.\n\n## **Logs** \n\n| Data Source | Operation Name | Action/On-Disk Location | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Create or Update Virtual Machine Extension\t | Microsoft.Compute/virtualMachines/extensions/write | AzureActivity |\n| On-Resource File | File Creation | C:\\Packages\\Plugins\\Microsoft.Compute.CustomScriptExtension\\1.9.5\\Downloads | Event |\n| On-Resource File | File Creation | C:\\Packages\\Plugins\\Microsoft.Compute.CustomScriptExtension\\1.9.5\\Status | Event |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql let timeframe = toscalar(AzureActivity | where OperationNameValue == 'MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE' and Properties has 'CustomScriptExtension' | distinct TimeGenerated); Event | where EventID == '4104' | where (timeframe - TimeGenerated) <= 1m` |\n| Log Analytics | `#!sql AzureActivity | where OperationNameValue == 'MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE' and Properties has 'CustomScriptExtension'`\n\t\n## **Azure Monitor Alert**\n\nFor resources *with* Azure Monitor Agent installed\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FExecution%2FAZT301%2FAZT301-2-AMA.json)\n\nFor resources *without* Azure Monitor Agent installed\n\n[![Deploy to 
Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FExecution%2FAZT301%2FAZT301-2.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell Set-AzVMCustomScriptExtension`](https://docs.microsoft.com/en-us/powershell/module/az.compute/set-azvmcustomscriptextension?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n [`#!powershell az vm extension set`](https://docs.microsoft.com/en-us/cli/azure/vm/extension?view=azure-cli-latest#az-vm-extension-set)\n\t\n=== \"Azure REST API\"\t\n\t[`#!powershell PUT https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{rg name}/providers/Microsoft.Compute/virtualMachines/{vm name}/extensions/CustomScriptExtension?api-version=2022-03-01`](https://docs.microsoft.com/en-us/rest/api/compute/virtual-machine-extensions/create-or-update)\n\n=== \"Azure Portal\"\n\t![cse](CSE.PNG)" ], "x_atrm_resources": [ "Virtual Machine", "Virtual Machine Scale Sets", "Azure ARC" ], "x_mitre_brief": "By utilizing the 'CustomScriptExtension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--a13033cd-44e7-458e-b224-2c2845989aa3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2024-02-04T22:12:32.000Z", "name": "Automation Account Runbook RunAs Account", "description": "By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand if that service principal has the correct role and privileges.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" 
} ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-2", "external_id": "AZT302.002" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/automation/automation-runbook-execution" } ], "x_atrm_actions": [ "Microsoft.Automation/automationAccounts/runbooks/*" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Detection Details**\n\nNote that the listed query requires Azure Diagnostics turned on for the resource.\n\n## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Create an Azure Automation job\t | Microsoft.Automation/automationAccounts/jobs/write\t| AzureActivity |\n| Resource | Publish an Azure Automation runbook draft\t | Microsoft.Automation/automationAccounts/runbooks/publish/action\t| AzureActivity |\n| Resource | Write an Azure Automation runbook draft\t | Microsoft.Automation/automationAccounts/runbooks/draft/write\t| AzureActivity |\n| Resource | Create or Update an Azure Automation Runbook\t | Microsoft.Automation/automationAccounts/runbooks/write\t| AzureActivity |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureDiagnostics | where ResultDescription has 'TenantId' and ResultDescription has 'SubscriptionName' and ResultDescription has 'Account' and ResourceType == 'AUTOMATIONACCOUNTS'`|\n\n## **Azure Monitor Alert**\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FExecution%2FAZT301%2FAZT302-2.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az 
PowerShell\"\n\t[`#!powershell New-AzAutomationRunbook`](https://docs.microsoft.com/en-us/powershell/module/az.automation/new-azautomationrunbook?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\t[`#!python az automation runbook create`](https://docs.microsoft.com/en-us/cli/azure/automation/runbook?view=azure-cli-latest#az-automation-runbook-create)\n\t\n=== \"Azure REST API\"\t\n\t[`#!powershell PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}/runbooks/{runbookName}?api-version=2019-06-01`](https://docs.microsoft.com/en-us/rest/api/automation/runbook/create-or-update)\t\t\n\n=== \"Azure Portal\"\n\t![runbook](runbook.PNG)" ], "x_atrm_resources": [ "Automation Account" ], "x_mitre_brief": "By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand if that service principal has the correct role and privileges.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--f0b13df7-5413-407e-a4d5-da818e6076b8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "Automation Account Runbook Managed Identity", "description": "By utilizing an Automation Account configured with a Managed Identity, an attacker can execute commands on an Azure VM via RunCommand if that service principal has the correct role and privileges.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-3", "external_id": "AZT302.003" }, { "source_name": "microsoft", "url": 
"https://docs.microsoft.com/en-us/azure/automation/automation-runbook-execution" } ], "x_atrm_actions": [ "Microsoft.Automation/automationAccounts/runbooks/*" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Detection Details**\n\nNote that the listed query requires Azure Diagnostics turned on for the resource.\n\n## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Create an Azure Automation job\t | Microsoft.Automation/automationAccounts/jobs/write\t| AzureActivity |\n| Resource | Publish an Azure Automation runbook draft\t | Microsoft.Automation/automationAccounts/runbooks/publish/action\t| AzureActivity |\n| Resource | Write an Azure Automation runbook draft\t | Microsoft.Automation/automationAccounts/runbooks/draft/write\t| AzureActivity |\n| Resource | Create or Update an Azure Automation Runbook\t | Microsoft.Automation/automationAccounts/runbooks/write\t| AzureActivity |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureDiagnostics | where ResultDescription has 'TenantId' and ResultDescription has 'SubscriptionName' and ResultDescription has 'Account' and ResourceType == 'AUTOMATIONACCOUNTS'`|\n\n## **Azure Monitor Alert**\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FExecution%2FAZT301%2FAZT302-3.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell New-AzAutomationRunbook`](https://docs.microsoft.com/en-us/powershell/module/az.automation/new-azautomationrunbook?view=azps-8.0.0)\n\t\n=== \"Azure 
CLI\"\n\t[`#!python az automation runbook create`](https://docs.microsoft.com/en-us/cli/azure/automation/runbook?view=azure-cli-latest#az-automation-runbook-create)\n\t\n=== \"Azure REST API\"\t\n\t[`#!powershell PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}/runbooks/{runbookName}?api-version=2019-06-01`](https://docs.microsoft.com/en-us/rest/api/automation/runbook/create-or-update)\t\t\n\n=== \"Azure Portal\"\n\t![runbook](runbook.PNG)" ], "x_atrm_resources": [ "Automation Account" ], "x_mitre_brief": "By utilizing an Automation Account configured with a Managed Identity, an attacker can execute commands on an Azure VM via RunCommand if that service principal has the correct role and privileges.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--c04cc82a-43f7-42af-8af9-ca68f98c41a6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "name": "Serverless Scripting", "description": "Adversaries may abuse access to serverless resources that are able to execute PowerShell or Python scripts on an Azure resource.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302", "external_id": "AZT302" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "Adversaries may abuse access to serverless resources that are able to execute PowerShell or Python scripts on an Azure Resource.", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, 
"x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--5516905e-6245-4fd9-a5e7-1895d08abeeb", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Function Application", "description": "By utilizing a Function Application, an attacker can execute Azure operations on a given resource.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-4", "external_id": "AZT302.004" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/azure-functions/functions-get-started?pivots=programming-language-powershell" } ], "x_atrm_actions": [ "Microsoft.Web/sites/hostruntime/vfs/run.csx/write", "Microsoft.Web/sites/functions/write", "Microsoft.Web/sites/write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Write Run.csx\t | Microsoft.Web/sites/hostruntime/vfs/run.csx/write\t| AzureActivity |\n| Resource | Update Web Apps Functions\t | Microsoft.Web/sites/functions/write\t| AzureActivity |\n| Resource | Update website\t | Microsoft.Web/sites/write\t| AzureActivity |" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell Update-AzFunctionApp`](https://docs.microsoft.com/en-us/powershell/module/az.functions/update-azfunctionapp?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n [`#!powershell az functionapp 
update`](https://docs.microsoft.com/en-us/cli/azure/functionapp?view=azure-cli-latest#az-functionapp-update)\n\t\n=== \"Azure REST API\"\t\n\t[`#!powershell GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/functions?api-version=2021-02-01`](https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/list-functions)\n\n=== \"Azure Portal\"\n\t![functionapp](functionapp.PNG)" ], "x_atrm_resources": [ "Automation Account" ], "x_mitre_brief": "By utilizing a Function Application, an attacker can execute Azure operations on a given resource.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--66df50e7-0cad-496d-8f41-ff3f8968b13d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:33:04.000Z", "name": "Automation Account Runbook Hybrid Worker Group", "description": "By utilizing an Automation Account configured with a Hybrid Worker Group, an attacker can execute Azure commands on any Azure VM within that Hybrid Worker Group.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-1", "external_id": "AZT302.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/automation/automation-runbook-execution" } ], "x_atrm_actions": [ "Microsoft.Automation/automationAccounts/runbooks/draft/write", "Microsoft.Automation/automationAccounts/runbooks/write", "Microsoft.Automation/automationAccounts/runbooks/publish/action", "Microsoft.Automation/automationAccounts/jobs/write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ 
"## **Detection Details**\n\nIt is recommended to [turn on verbose logging](https://docs.microsoft.com/en-us/system-center/sma/overview-runbook-messages-output?view=sc-sma-2022) for Automation Accounts. Note that the listed query requires Azure Diagnostics turned on for the resource.\n\n## **Logs** \n\n| Data Source | Operation Name | Action/On-Disk Location | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Create an Azure Automation job\t | Microsoft.Automation/automationAccounts/jobs/write\t| AzureActivity |\n| Resource | Publish an Azure Automation runbook draft\t | Microsoft.Automation/automationAccounts/runbooks/publish/action\t| AzureActivity |\n| Resource | Write an Azure Automation runbook draft\t | Microsoft.Automation/automationAccounts/runbooks/draft/write\t| AzureActivity |\n| Resource | Create or Update an Azure Automation Runbook\t | Microsoft.Automation/automationAccounts/runbooks/write\t| AzureActivity |\n| On Target Resource File (Windows) | File Creation | C:\\Packages\\Plugins\\Microsoft.Azure.Automation.HybridWorker.HybridWorkerForWindows\\0.1.0.18\\Status | Event |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureDiagnostics | where ResourceType == 'AUTOMATIONACCOUNTS' and RunOn_s != ''`|\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FExecution%2FAZT301%2FAZT302-1.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell New-AzAutomationRunbook`](https://docs.microsoft.com/en-us/powershell/module/az.automation/new-azautomationrunbook?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n [`#!powershell az automation runbook 
create`](https://docs.microsoft.com/en-us/cli/azure/automation/runbook?view=azure-cli-latest#az-automation-runbook-create)\n\t\n=== \"Azure REST API\"\t\n\t[`#!powershell PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}/runbooks/{runbookName}?api-version=2019-06-01`](https://docs.microsoft.com/en-us/rest/api/automation/runbook/create-or-update)\n\n=== \"Azure Portal\"\n\t![runbook](runbook.PNG)" ], "x_atrm_resources": [ "Automation Account" ], "x_mitre_brief": "By utilizing an Automation Account configured with a Hybrid Worker Group, an attacker can execute Azure commands on any Azure VM within that Hybrid Worker Group.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--7ac3a13d-9942-4024-9059-c01159ebbcf2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Managed Device Scripting", "description": "Adversaries may abuse access to any managed devices in AzureAD by executing PowerShell or Python scripts on them.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT303/AZT303", "external_id": "AZT303" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/graph/api/resources/intune-graph-overview?view=graph-rest-beta" } ], "x_atrm_actions": [ "microsoft.directory/devices/basic/update" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| 
Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Intune | | \t| IntuneAuditLogs |\n| Intune | \t | \t| IntuneAuditLogs |\n| Intune | | \t| IntuneAuditLogs |" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Microsoft Azure Graph API\"\t\n\t[`#!powershell POST https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts`](https://docs.microsoft.com/en-us/graph/api/intune-shared-devicemanagementscript-create?view=graph-rest-beta)\n\n=== \"Azure Portal\"\n\t![intune](intune.PNG)" ], "x_atrm_resources": [ "Azure Active Directory Intune" ], "x_mitre_brief": "Adversaries may abuse access to any managed devices in AzureAD by executing PowerShell or Python scripts on them.", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--7e0ed059-1a34-4b94-85c1-63ad500c7540", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Privileged Identity Management Role", "description": "An adversary may escalate their privileges if their current account is eligible for role activation via Privileged Identity Management (PIM).", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401", "external_id": "AZT401" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure" }, { "source_name": "microsoft", "url": 
"https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/powershell-for-azure-ad-roles" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-apis" } ], "x_atrm_actions": [ "RoleManagement.ReadWrite.Directory", "RoleManagement.Read.Directory" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs**\n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Azure Active Directory | Add member to role requested (PIM activation)\t | RoleManagement.ReadWrite.Directory\t| PIM Audit Logs |\n| Azure Active Directory | Add member to role completed (PIM activation)\t | RoleManagement.ReadWrite.Directory\t| PIM Audit Logs |\n| Azure Active Directory | Add eligible member to role in PIM completed (permanent)\t| RoleManagement.ReadWrite.Directory| PIM Audit Logs |\n| Azure Active Directory | Add eligible member to role in PIM requested (permanent)\t| RoleManagement.ReadWrite.Directory\t| PIM Audit Logs |\n\n## **Detection Screenshots**\n\n![directorylogs](directorylogs.PNG)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"AzureAD PowerShell\"\n\t[`#!powershell Open-AzureADMSPrivilegedRoleAssignmentRequest`](https://docs.microsoft.com/en-us/powershell/module/azuread/open-azureadmsprivilegedroleassignmentrequest?view=azureadps-2.0-preview)\n\n=== \"Microsoft Azure Graph API\"\t\n\t[`#!powershell GET https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilitySchedules/313af44a-07c9-43a7-9970-5072a6b5591f`](https://docs.microsoft.com/en-us/graph/api/unifiedroleeligibilityschedule-get?view=graph-rest-beta&tabs=http)\n\n=== \"Azure REST API\"\t\n\t[`#!powershell GET 
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/{roleEligibilityScheduleRequestName}?api-version=2020-10-01`](https://docs.microsoft.com/en-us/rest/api/authorization/role-eligibility-schedule-requests/get)\n\n=== \"Azure Portal\"\n\t![pimactivate](pimactivate.PNG)" ], "x_atrm_resources": [ "Azure Active Directory", "Azure Resources" ], "x_mitre_brief": "An adversary may escalate their privileges if their current account has access to Privileged Identity Management (PIM)", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--f54ef0fa-5aeb-4e79-8feb-be322dd70276", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "App Service", "description": "By utilizing an App Service configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-4", "external_id": "AZT404.004" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp" } ], "x_atrm_actions": [ "Microsoft.Web/sites/write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Update website\t | Microsoft.Web/sites/write\t| AzureActivity |\n| Resource | Start Web App | 
Microsoft.Web/sites/start/action\t| AzureActivity |" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell Update-AzStaticWebApp`](https://docs.microsoft.com/en-us/powershell/module/az.websites/update-azstaticwebapp?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\t[`#!python az staticwebapp update`](https://docs.microsoft.com/en-us/cli/azure/staticwebapp?view=azure-cli-latest#az-staticwebapp-update)\n\t\n=== \"Azure REST API\"\t\n\t[`#!powershell PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}?api-version=2021-02-01`](https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/create-or-update)\t\t\n\n=== \"Azure Portal\"\n\t![appservice](appservice.PNG)" ], "x_atrm_resources": [ "App Service" ], "x_mitre_brief": "By utilizing an App Service configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--a35935c7-b634-4850-8d06-975abd071bc9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "name": "Principal Impersonation", "description": "Adversaries may abuse resources that are configured with a service principal or other identity to further their access to the current or other resources.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404", "external_id": "AZT404" } ], "x_mitre_domains": [ "enterprise-attack" ], 
"x_mitre_brief": "Adversaries may abuse resources that are configured with a service principal or other identity to further their access to the current or other resources.", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--d769bc8e-7435-4eb4-84c6-28b8ee04d992", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "Function Application", "description": "By utilizing a Function Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-1", "external_id": "AZT404.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=ps%2Cdotnet" } ], "x_atrm_actions": [ "Microsoft.Web/sites/hostruntime/vfs/run.csx/write", "Microsoft.Web/sites/functions/write", "Microsoft.Web/sites/write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Write Run.csx\t | Microsoft.Web/sites/hostruntime/vfs/run.csx/write\t| AzureActivity |\n| Resource | Update Web Apps Functions\t | Microsoft.Web/sites/functions/write\t| AzureActivity |\n| Resource | Update website\t | Microsoft.Web/sites/write\t| AzureActivity |\n\n## 
**Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql let appname = toscalar(FunctionAppLogs | where Type == 'FunctionAppLogs' and Message has 'Executed' | project split(_ResourceId, '/')[-1]); AADManagedIdentitySignInLogs | where ServicePrincipalName contains appname` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPrivilegeEscalation%2FAZT404%2FAZT404-1.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell Update-AzFunctionApp`](https://docs.microsoft.com/en-us/powershell/module/az.functions/update-azfunctionapp?view=azps-8.0.0)\n\n=== \"Azure CLI\"\n\t[`#!python az functionapp update`](https://docs.microsoft.com/en-us/cli/azure/functionapp?view=azure-cli-latest#az-functionapp-update)\n\t\n=== \"Azure REST API\"\t\n\t[`#!powershell PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}?api-version=2021-02-01`](https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/create-or-update)\t\t\n\n=== \"Azure Portal\"\n\t![functionapp](functionappmi.png)" ], "x_atrm_resources": [ "Function Application" ], "x_mitre_brief": "By utilizing a Function Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--8fc6ab58-2df3-416b-80a1-0981de6193d3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Logic Application", "description": "By 
utilizing a Logic Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-2", "external_id": "AZT404.002" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-overview" } ], "x_atrm_actions": [ "Microsoft.Logic/workflows/write", "Microsoft.Logic/workflows/run/action", "Microsoft.Logic/operations/read" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Gets workflow recommend operation groups\t | Microsoft.Logic/locations/workflows/recommendOperationGroups/action\t| AzureActivity |\n| Resource | List Trigger Callback URL | Microsoft.Logic/workflows/triggers/listCallbackUrl/action\t| AzureActivity |\n| Resource | Add or Update Connection\t| Microsoft.Web/connections/write\t| AzureActivity |\n| Azure Active Directory | Update website\t | Microsoft.Web/sites/write\t| AuditLogs |\n| Azure Active Directory | Start Web App | Microsoft.Web/sites/start/action\t| AuditLogs |" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell Set-AzLogicApp`](https://docs.microsoft.com/en-us/powershell/module/az.logicapp/set-azlogicapp?view=azps-8.0.0)\n\n=== \"Azure CLI\"\n\t[`#!python az logicapp start`](https://docs.microsoft.com/en-us/cli/azure/logicapp?view=azure-cli-latest#az-logicapp-start)\n\t\n=== \"Azure REST API\"\t\n\t[`#!powershell PUT 
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{workflowName}?api-version=2016-06-01`](https://docs.microsoft.com/en-us/rest/api/logic/workflows/create-or-update)\t\t\n\n=== \"Azure Portal\"\n\t![logicapp](logciappimds.PNG)" ], "x_atrm_resources": [ "Logic Application" ], "x_mitre_brief": "By utilizing a Logic Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--57bc72ed-f2c3-4cb3-8e65-32b48c4aee4e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Automation Account", "description": "By utilizing a Function Application, an attacker can execute Azure operations on a given resource.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-3", "external_id": "AZT404.003" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/azure-functions/functions-get-started?pivots=programming-language-powershell" } ], "x_atrm_actions": [ "Microsoft.Web/sites/hostruntime/vfs/run.csx/write", "Microsoft.Web/sites/functions/write", "Microsoft.Web/sites/write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Write Run.csx\t | 
Microsoft.Web/sites/hostruntime/vfs/run.csx/write\t| AzureActivity |\n| Resource | Update Web Apps Functions\t | Microsoft.Web/sites/functions/write\t| AzureActivity |\n| Resource | Update website\t | Microsoft.Web/sites/write\t| AzureActivity |" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell Update-AzFunctionApp`](https://docs.microsoft.com/en-us/powershell/module/az.functions/update-azfunctionapp?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n [`#!powershell az functionapp update`](https://docs.microsoft.com/en-us/cli/azure/functionapp?view=azure-cli-latest#az-functionapp-update)\n\t\n=== \"Azure REST API\"\t\n\t[`#!powershell GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/functions?api-version=2021-02-01`](https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/list-functions)\n\n=== \"Azure Portal\"\n\t![functionapp](functionapp.PNG)" ], "x_atrm_resources": [ "Automation Account" ], "x_mitre_brief": "By utilizing an Automation Account configured with a managed identity or RunAs account, an attacker can execute Azure operations on a given resource.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--d1eab55d-abe6-4c51-8f40-c1e33d7073ab", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "Cloud Shell .IMG", "description": "By modifying the .bashrc file in a CloudShell .IMG file, an adversary may escalate their privileges by injecting commands that will add an arbitrary user account to a desired role and scope.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", 
"external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT403/AZT403-1", "external_id": "AZT403.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/cloud-shell/overview" }, { "source_name": "microsoft", "url": "https://www.netspi.com/blog/technical/cloud-penetration-testing/attacking-azure-cloud-shell/" } ], "x_atrm_detections": [ "## **Detection Details**\n\nA storage account is created in order to store the profile .IMG file when using CloudShell. These storage accounts always start with `cs` followed by a string of numbers + letters. E.g.: `cs120000000ff`\nLogs from this storage account are only available if the account is configured with diagnostic settings that forward them to a log aggregator. \n\nAdditionally, `~/.config/PowerShell/Microsoft.PowerShell_profile.ps1` is where the PowerShell startup script is stored, which also may be a target for backdooring. \n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql ` |\t\n\t\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPrivilegeEscalation%2FAZT403%2FAZT403-1.json)" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_examples": [ "=== \"Azure Portal\"\n\t![cloudshell](cloudshell.PNG)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_resources": [ "Azure CloudShell" ], "x_mitre_brief": "By modifying the .bashrc file in a CloudShell .IMG file, an adversary may escalate their privileges.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--df563b0f-982f-484b-9815-f6dc5f576c54", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": 
"2024-02-04T23:05:59.000Z", "modified": "2024-02-04T23:05:59.000Z", "name": "Local Resource Hijack", "description": "An adversary may escalate their privileges by tampering with a local file generated by a resource.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT403/AZT403", "external_id": "AZT403" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "An adversary may escalate their privileges by tampering with a local file generated by a resource.", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--2c934711-c17e-4656-a2a6-9b234b4b3da2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:33:04.000Z", "name": "Elevated Access Toggle", "description": "An adversary may escalate their privileges from Azure AD to all Azure subscriptions in the tenant if they are a global administrator.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT402/AZT402", "external_id": "AZT402" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin" } ], "x_atrm_actions": [ "Microsoft.Authorization/elevateAccess/action" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log 
Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Azure Active Directory | Assigns the caller to User Access Administrator role\t | Microsoft.Authorization/elevateAccess/action | AuditLogs |\n\n## **Detection Screenshots**\n\n![monitorlogs](monitor-directory-activity.png)\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AuditLogs | where ActivityDisplayName == 'Assigns the caller to User Access Administrator role'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPrivilegeEscalation%2FAZT402%2FAZT402.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Azure CLI\"\n\t[`#!python az rest --method post --url \"/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01\"`](https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin#azure-cli)\n\t\n=== \"Azure REST API\"\t\n\t[`#!powershell POST https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01`](https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin#rest-api)\t\t\n\n=== \"Azure Portal\"\n\t![toggle](toggle.png)" ], "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "An adversary may escalate their privileges from Azure AD to all Azure subscriptions in the tenant if they are a global administrator", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--f0084736-a06d-4abc-9a7d-c4b7ce4deb6b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": 
"2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "Application API Permissions", "description": "By compromising a user, user in a group, or service principal that has an application role over an application, they may be able to escalate their privileges by impersonating the associated service principal and leveraging any privileged assigned application role.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-1", "external_id": "AZT405.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-configure-permissions" } ], "x_atrm_actions": [ "Since the attacker controls the application, no actions are needed." ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Azure Active Directory | N/A\t | N/A\t| AADServicePrincipalSignInLogs|\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AADServicePrincipalSignInLogs | where ServicePrincipalId == 'IDGOESHERE'` |\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPrivilegeEscalation%2FAZT405%2FAZT405-1.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Azure REST API\"\t\n\t[`#!powershell GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq 
'00000002-0000-0000-c000-000000000000'`](https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-configure-permissions)\t\t\n\n=== \"Azure Portal\"\n\t![approle](approle.PNG)" ], "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "By compromising a service principal whose application has privileged API permissions, an attacker can escalate their privileges to a higher privileged role.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--49fef13f-f32b-4921-8954-ea2583d2d1c0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "name": "Azure AD Application", "description": "Adversaries may abuse the assigned permissions on an Azure AD Application to escalate their privileges.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405", "external_id": "AZT405" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "Adversaries may abuse the assigned permissions on an Azure AD Application to escalate their privileges.", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--15985050-354f-4451-a37f-c65702519236", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:25:08.000Z", "name": "Application Registration Owner", "description": "By compromising an account that is an 'Owner' over an application that is configured 
with additional roles or API permissions, an attacker can escalate their privileges by adding a certificate or credentials & logging in as the service principal.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-3", "external_id": "AZT405.003" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-8.0.0#reset-credentials" } ], "x_atrm_actions": [ "microsoft.directory/servicePrincipals/credentials/update" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Category | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Azure AD | Update application \u2013 Certificates and secrets management \t | ApplicationManagement\t| AuditLogs |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AuditLogs | where OperationName == 'Update application \u2013 Certificates and secrets management' and Category== 'ApplicationManagement'` |\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPrivilegeEscalation%2FAZT405%2FAZT405-3.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Azure PowerShell\"\n\t[`#!powershell New-AzADSpCredential -ServicePrincipalName ServicePrincipalName`](https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azadspcredential?view=azps-8.0.0)\n\n=== \"az cli\"\n\t[`#!powershell az ad sp 
credential reset`](https://docs.microsoft.com/en-us/cli/azure/ad/sp/credential?view=azure-cli-latest#az-ad-sp-credential-reset)\n\n=== \"Azure REST API\"\t\n\t[`#!powershell POST /servicePrincipals/{id}/addKey`](https://docs.microsoft.com/en-us/graph/api/serviceprincipal-addkey?view=graph-rest-1.0&tabs=http)\t\t\n\n=== \"Azure Portal\"\n\t![AppOwner](appowner.png)" ], "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "By compromising an account who is an 'Owner' over an application that is configured with additional roles or API permissions, an attacker can escalate their privileges by adding a certificate or credentials & logging in as the service principal.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--a6b33d81-9171-40e4-b69b-520f9bf2d3f0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "Application Role", "description": "By compromising a service principal whose application has privileged API permissions, an attacker can escalate their privileges to a higher privileged role.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-2", "external_id": "AZT405.002" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp" } ], "x_atrm_actions": [ "Since the attacker controls the application, no actions are needed." 
], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Azure Active Directory | N/A\t | N/A\t| AADServicePrincipalSignInLogs|\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AADServicePrincipalSignInLogs | where ServicePrincipalId == 'IDGOESHERE'` |\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPrivilegeEscalation%2FAZT405%2FAZT405-2.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Azure REST API\"\t\n\t[`#!powershell PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}?api-version=2021-02-01`](https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/create-or-update)\t\t\n\n=== \"Azure Portal\"\n\t![APIPerm](APIPerm.PNG)" ], "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "By compromising a user, user in a group, or service principal that has an application role over an application, they may be able to escalate their privileges by impersonating the associated service principal and leveraging any privileged assigned application role.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--c385f414-7beb-4afd-a98b-6cf06be57952", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "Runbook Webhook", "description": "Adversaries may create a webhook to a 
Runbook which allows unauthenticated access into an Azure subscription or tenant.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3", "external_id": "AZT503.003" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/automation/automation-webhooks?tabs=portal" }, { "source_name": "microsoft", "url": "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/" } ], "x_atrm_actions": [ "Microsoft.Automation/automationAccounts/runbooks/*", "Microsoft.Automation/automationAccounts/webhooks/write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Create or Update an Azure Automation webhook | Microsoft.Automation/automationAccounts/webhooks/write| AzureActivity |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureActivity | where OperationNameValue == 'MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPersistence%2FAZT503%2FAZT503-3.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell New-AzAutomationWebhook`](https://docs.microsoft.com/en-us/powershell/module/az.automation/new-azautomationwebhook?view=azps-8.0.0)\n\n=== \"Azure REST API\"\n\n\t[`#!python 
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}/webhooks/{webhookName}?api-version=2015-10-31`](https://docs.microsoft.com/en-us/rest/api/automation/webhook/create-or-update)\t\n\n=== \"Azure Portal\"\n\t![webhook](webhook.PNG)" ], "x_atrm_resources": [ "Automation Accounts" ], "x_mitre_brief": "Adversaries may create a webhook to a Runbook which allows unauthenticated access into an Azure subscription or tenant.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--b252a6b8-98b2-4661-86bd-d0195dca0d06", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "Function App HTTP Trigger", "description": "Adversaries may configure a Function Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-2", "external_id": "AZT503.002" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/azure-functions/functions-overview" } ], "x_atrm_actions": [ "Microsoft.Web/sites/Write", "Microsoft.web/sites/functions/action", "Microsoft.web/sites/functions/write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Azure Active Directory | Update website\t | 
Microsoft.Web/sites/write\t| AuditLogs |\n| Azure Active Directory | Start Web App | Microsoft.Web/sites/start/action\t| AuditLogs |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AuditLogs| where ActivityDisplayName == 'Update website' or ActivityDisplayName == 'Start Web App'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPersistence%2FAZT503%2FAZT503-2.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\n\t[`#!powershell Update-AzFunctionApp`](https://docs.microsoft.com/en-us/powershell/module/az.functions/update-azfunctionapp?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\n\t[`#!python az functionapp update`](https://docs.microsoft.com/en-us/cli/azure/functionapp?view=azure-cli-latest#az-functionapp-update)" ], "x_atrm_resources": [ "Function App" ], "x_mitre_brief": "Adversaries may configure a Function Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--7e5a1d29-de9c-4815-a7c6-1dcd85426063", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "Logic Application HTTP Trigger", "description": "Adversaries may configure a Logic Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": 
"https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-1", "external_id": "AZT503.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-overview" } ], "x_atrm_actions": [ "Microsoft.Logic/workflows/write", "Microsoft.Logic/workflows/run/action", "Microsoft.Logic/operations/read" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Gets workflow recommend operation groups\t | Microsoft.Logic/locations/workflows/recommendOperationGroups/action\t| AzureActivity |\n| Resource | List Trigger Callback URL | Microsoft.Logic/workflows/triggers/listCallbackUrl/action\t| AzureActivity |\n| Resource | Add or Update Connection\t| Microsoft.Web/connections/write\t| AzureActivity |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureActivity | where OperationNameValue=='Microsoft.Logic/locations/workflows/recommendOperationGroups/action' or OperationNameValue=='Microsoft.Logic/workflows/triggers/listCallbackUrl/action' or OperationNameValue=='Microsoft.Web/connections/write'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPersistence%2FAZT503%2FAZT503-1.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\n\t[`#!powershell Set-AzLogicApp`](https://docs.microsoft.com/en-us/powershell/module/az.logicapp/set-azlogicapp?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\n\t[`#!python az logicapp 
start`](https://docs.microsoft.com/en-us/cli/azure/logicapp?view=azure-cli-latest#az-logicapp-start)\t\n\n=== \"Azure REST API\"\n\n\t[`#!python PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{workflowName}?api-version=2016-06-01`](https://docs.microsoft.com/en-us/rest/api/logic/workflows/create-or-update)\t\n\n=== \"Azure Portal\"\n\t![logicapp1](logicapp1.png)\n\t![logicapp2](logicapp2.png)" ], "x_atrm_resources": [ "Logic Application" ], "x_mitre_brief": "Adversaries may configure a Logic Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--1a8a7025-e0e0-40e7-bffa-8a43800a8c2d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "name": "HTTP Trigger", "description": "Adversaries may configure a resource with an HTTP trigger to run commands without needing authentication.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503", "external_id": "AZT503" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "Adversaries may configure a resource with an HTTP trigger to run commands without needing authentication.", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--b64f3fef-9e49-4ae9-9491-86969c146584", "created_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "WebJob", "description": "Adversaries may create a WebJob on a App Service which allows arbitrary background tasks to be run on a set schedule", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-4", "external_id": "AZT503.004" }, { "source_name": "microsoft", "url": "https://github.com/Azure/azure-webjobs-sdk/wiki#documentation" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/app-service/webjobs-create" } ], "x_atrm_actions": [ "Microsoft.Web/sites/Write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Detection Details**\n\nTo enable logging on AppServices, a Diagnostic setting must be enabled to send logs to an aggregator. 
In addition, App Service Logs should be enabled.\n\nWebJob output logs can be viewed on the web application in the format: https://{WEBAPPNAME}.scm.azurewebsites.net/azurejobs/#/jobs/\n\n## **Detection Screenshot**\n\n=== \"Web Job Logs\"\n\t![webjoblog](webjoblog.PNG)\n\n=== \"Application Logs\"\n\t![applogs](applogs.PNG)\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql ` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPersistence%2FAZT503%2FAZT503-4.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell Start-AzWebAppTriggeredWebJob`](https://docs.microsoft.com/ru-ru/powershell/module/az.websites/start-azwebapptriggeredwebjob?view=azps-8.0.0&viewFallbackFrom=azps-7.4.0)\n\n=== \"Azure CLI\"\n\n\t[`#!python az webapp webjob triggered`](https://docs.microsoft.com/en-us/cli/azure/webapp/webjob/triggered?view=azure-cli-latest)\n\n=== \"Azure REST API\"\n\n\t[`#!python PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/triggeredwebjobs/{webJobName}/run?api-version=2021-02-01`](https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/run-triggered-web-job)\t\n\n=== \"Azure Portal\"\n\t![webjob](webjob.PNG)" ], "x_atrm_resources": [ "App Service" ], "x_mitre_brief": "Adversaries may create a WebJob on an App Service which allows arbitrary background tasks to be run on a set schedule", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--8086013b-43e7-4c10-9b7b-f1e37e218285", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": 
"2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "Watcher Tasks", "description": "By configurating a watcher task and a Runbook, an adversary can establish persistence by executing the Runbook on a triggered event.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT504/AZT504", "external_id": "AZT504" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/automation/automation-scenario-using-watcher-task" } ], "x_atrm_actions": [ "Microsoft.Automation/automationAccounts/runbooks/*" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Detection Details**\n\nNo logs are generated when a watcher task is created.\n\n## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Create an Azure Automation job\t | Microsoft.Automation/automationAccounts/jobs/write\t| AzureActivity |\n| Resource | Publish an Azure Automation runbook draft\t | Microsoft.Automation/automationAccounts/runbooks/publish/action\t| AzureActivity |\n| Resource | Write an Azure Automation runbook draft\t | Microsoft.Automation/automationAccounts/runbooks/draft/write\t| AzureActivity |\n| Resource | Create or Update an Azure Automation Runbook\t | Microsoft.Automation/automationAccounts/runbooks/write\t| AzureActivity |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureActivity | where OperationNameValue == 'MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WATCHERS/WATCHERACTIONS/WRITE'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to 
Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPersistence%2FAZT504%2FAZT504.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell New-AzAutomationWebhook`](https://docs.microsoft.com/en-us/powershell/module/az.automation/new-azautomationwebhook?view=azps-8.0.0)\n\n=== \"Azure REST API\"\n\n\t[`#!python PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}/webhooks/{webhookName}?api-version=2015-10-31`](https://docs.microsoft.com/en-us/rest/api/automation/webhook/create-or-update)\t\n\n=== \"Azure Portal\"\n\t![watcher](watcher.PNG)" ], "x_atrm_resources": [ "Automation Account" ], "x_mitre_brief": "By configuring a watcher task and a Runbook, an adversary can establish persistence by executing the Runbook on a triggered event.", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--b2973dea-b075-4ba8-9d5a-00bc59f74854", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-02-04T23:05:59.000Z", "modified": "2024-02-04T23:05:59.000Z", "name": "Scheduled Jobs", "description": "By configuring an Azure resource that supports scheduled execution, an adversary can execute an operation at a defined interval.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT505/AZT505", "external_id": "AZT505" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "By 
configuring an Azure resource that supports scheduled execution, an adversary can execute an operation at a defined interval.", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--3fa17565-09b3-4e6f-a26e-991585a4ffa4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "Scheduled Jobs", "description": "Adversaries may create a schedule for a Runbook to run at a defined interval.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT505/AZT505-1", "external_id": "AZT505.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/automation/shared-resources/schedules" } ], "x_atrm_actions": [ "Microsoft.Automation/automationAccounts/Schedules/write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Create or Update an Azure Automation schedule asset\t | Microsoft.Automation/automationAccounts/Schedules/write\t| AzureActivity |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureActivity | where OperationNameValue == 'MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/SCHEDULES/WRITE'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to 
Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPersistence%2FAZT505%2FAZT505.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell New-AzAutomationSchedule`](https://docs.microsoft.com/en-us/powershell/module/Az.Automation/New-AzAutomationSchedule?view=azps-8.0.0)\n\n=== \"Azure REST API\"\n\n\t[`#!python PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}/jobSchedules/{jobScheduleId}?api-version=2019-06-01`](https://docs.microsoft.com/en-us/rest/api/automation/job-schedule)\t\n\n=== \"Azure Portal\"\n\t![runbookschedule](runbookschedule.PNG)" ], "x_atrm_resources": [ "Automation Account" ], "x_mitre_brief": "Adversaries may create a schedule for a Runbook to run at a defined interval.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--c7beca4f-74b7-48d0-b2a0-f723e0f984ed", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "Service Principal Creation", "description": "An adversary may create an application & service principal in Azure Active Directory", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-2", "external_id": "AZT502.002" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals" } 
], "x_atrm_actions": [ "microsoft.directory/servicePrincipals/create", "microsoft.directory/applications/create" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Azure Active Directory | Add service principal\t | microsoft.directory/servicePrincipals/create\t| AuditLogs |\n| Azure Active Directory | Add application | microsoft.directory/applications/create\t| AuditLogs |\n| Azure Active Directory | Add owner to application | microsoft.directory/servicePrincipals/owners/update\t| AuditLogs |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AuditLogs | where OperationName == 'Add service principal'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPersistence%2FAZT502%2FAZT502-2.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\n\t[`#!powershell New-AzADServicePrincipal`](https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azadserviceprincipal?view=azps-8.0.0)\n\n=== \"Azure CLI\"\n\n\t[`#!python az ad sp create`](https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-create)\n\n=== \"Microsoft Graph API\"\n\n\t[`#!python POST https://graph.microsoft.com/v1.0/servicePrincipals`](https://docs.microsoft.com/en-us/graph/api/serviceprincipal-post-serviceprincipals?view=graph-rest-1.0&tabs=http)\t\n\n=== \"Azure Portal\"\n\n\t![newsp](newsp.PNG)" ], "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "An adversary may create an application & service principal in Azure Active Directory", 
"x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--e1af424a-0030-46c5-b276-4ce3febb67fc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "Guest Account Creation", "description": "An adversary may create a guest account in Azure Active Directory", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-3", "external_id": "AZT502.003" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal" } ], "x_atrm_actions": [ "microsoft.directory/users/create", "microsoft.directory/users/inviteGuest" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Azure Active Directory | Invited Users | microsoft.directory/users/inviteGuest | AuditLogs |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AuditLogs | where ActivityDisplayName == 'Invited Users'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPersistence%2FAZT502%2FAZT502-3.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Azure 
Portal\"\n\n\t![newuser](https://docs.microsoft.com/en-us/azure/active-directory/external-identities/media/quickstart-add-users-portal/new-guest-user.png)" ], "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "An adversary may create a guest account in Azure Active Directory", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--2e583c50-a05f-4ebf-8d30-b62441eeadb2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "name": "Account Creation", "description": "An adversary may create an account in Azure Active Directory.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502", "external_id": "AZT502" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "An adversary may create an account in Azure Active Directory.", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--29fb344c-bfdf-4f2b-bafb-b094622d5195", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "User Account Creation", "description": "An adversary may create a user account in Azure Active Directory", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": 
"https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-1", "external_id": "AZT502.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-reset-password-azure-portal" } ], "x_atrm_actions": [ "microsoft.directory/users/create" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Azure Active Directory | Add user | microsoft.directory/users/create | AuditLogs |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AuditLogs | where OperationName == 'Add user'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPersistence%2FAZT502%2FAZT502-1.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell New-AzADUser`](https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azaduser?view=azps-8.0.0)\n\n=== \"Azure CLI\"\n\n\t[`#!python az ad user create`](https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest#az-ad-user-create)\n\n=== \"Microsoft Graph API\"\n\n\t[`#!python POST https://graph.microsoft.com/v1.0/users`](https://docs.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http)\t\n\n=== \"Azure Portal\"\n\n\t![newuser](newuser.PNG)" ], "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "An adversary may create an application & service principal in Azure Active Directory", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { 
"type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--e730f8d7-9188-4641-9036-40060610dae9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-11-28T17:45:43.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Azure Bastion", "description": "Azure Bastion can be abused to allow persistent network access to a virtual machine over public internet.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT509/AZT509", "external_id": "AZT509" } ], "x_atrm_actions": [ "Microsoft.Network/bastionHosts/write", "", "Microsoft.Network/bastionHosts/createShareableLinks/action", "", "Microsoft.Network/bastionHosts/getShareableLinks/action" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "[https://blog.karims.cloud/2022/11/26/yet-another-azure-vm-persistence.html](https://blog.karims.cloud/2022/11/26/yet-another-azure-vm-persistence.html)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Get Bastion Shareable Link\t | Microsoft.Network/bastionHosts/GetShareableLinks/action\t| AzureActivity | \n| Resource | N/A\t | Microsoft.Network/bastionHosts/write\t| AzureActivity | \n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureActivity | where OperationNameValue =~ \"MICROSOFT.NETWORK/BASTIONHOSTS/GETSHAREABLELINKS/ACTION\" or OperationNameValue =~ \"MICROSOFT.NETWORK/BASTIONHOSTS/CREATESHAREABLELINKS/ACTION` |" ], "x_atrm_resources": [ "Azure Bastion" ], "x_mitre_brief": "Azure Bastion 
can be abused to allow persistent network access to a virtual machine over public internet.", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--fea6dbf6-00da-4251-985c-3cb72df04ac4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Azure Lighthouse", "description": "Adversaries may utilize Azure Lighthouse to manage the target tenant from an external tenant", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-1", "external_id": "AZT507.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer" } ], "x_atrm_actions": [ "Microsoft.ManagedServices/registrationAssignments/Write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Detection Details**\n\n* The Az PowerShell cmdlets `Get-AzManagedServicesDefinition` and `Get-AzManagedServicesAssignment`, or the Azure CLI commands `az managedservices definition list` and `az managedservices assignment list`, can be used to enumerate the Lighthouse delegations present in the tenant's subscriptions and the external (managing) tenant each one grants access to.\n\n* These commands only show the current state. The onboarding itself is an ARM write (`Microsoft.ManagedServices/registrationAssignments/Write`) recorded in the subscription's Activity Log, so alert on that operation to catch new delegations as they are created rather than relying on periodic enumeration." 
], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\n\t[`#!powershell New-AzSubscriptionDeployment`](https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment?view=azps-8.1.0)\n\t\n=== \"Azure CLI\"\n\n\t[`#!python az deployment sub create`](https://docs.microsoft.com/en-us/cli/azure/deployment/sub?view=azure-cli-latest)\t\n\n=== \"Azure REST API\"\n\n\t[`#!python PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{networkSecurityGroupName}/securityRules/{securityRuleName}?api-version=2021-08-01`](https://docs.microsoft.com/en-us/rest/api/virtualnetwork/security-rules)\t\n\n=== \"Azure Portal\"\n\t![portal](https://docs.microsoft.com/en-us/azure/lighthouse/media/add-offer-via-template.png)" ], "x_atrm_resources": [ "AzureAD" ], "x_mitre_brief": "Adversaries may utilize Azure Lighthouse to manage the target tenant from an external tenant", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--c093de82-06d4-4c44-adfa-41bd6d17890f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-08-18T19:04:59.000Z", "modified": "2024-02-04T22:12:32.000Z", "name": "Domain Trust Modification", "description": "An adversary may add an additional identity provider or domain to maintain a backdoor into the tenant.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-4", "external_id": "AZT507.004" } ], "x_atrm_detections": [ "* [https://o365blog.com/post/aadbackdoor/](https://o365blog.com/post/aadbackdoor/)\n\n* 
[https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors](https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors)\n\n* [https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Defense%20evasion/ADFSDomainTrustMods%5BNobelium%5D.yaml](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Defense%20evasion/ADFSDomainTrustMods%5BNobelium%5D.yaml)" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_examples": [ "## **Detection Details**\n\nMonitor the 'Pass-through Authentication' page in the Azure portal (Azure AD Connect > Pass-through Authentication) for authentication agents you did not register, and review the Azure AD audit logs for the 'Set federation settings on domain' and 'Set domain authentication' operations, which record changes to a domain's identity provider (see the hunting query linked above)." ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_resources": [ "AzureAD" ], "x_mitre_brief": "An adversary may add an additional identity provider or domain to maintain a backdoor into the tenant.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--79c9715a-99c2-4498-a9e4-d91fbe9c1db9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-08-18T19:04:59.000Z", "name": "External Entity Access", "description": "Adversaries may configure the target Azure tenant to be managed by another, external tenant, or its users.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507", "external_id": "AZT507" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "Adversaries may configure the target Azure tenant to be managed by another, external tenant, or its users.", "x_mitre_modified_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--accdf079-d8e0-4cd2-b30d-4b2423bcbbf2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-08-18T19:04:59.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Subscription Hijack", "description": "An adversary may transfer a subscription from a target tenant to an attacker-controlled tenant. This retains the billing account setup by the target and the target tenant administrators will no longer have control over the subscription.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-3", "external_id": "AZT507.003" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/role-based-access-control/transfer-subscription" }, { "source_name": "microsoft", "url": "https://derkvanderwoude.medium.com/azure-subscription-hijacking-and-cryptomining-86c2ac018983" } ], "x_atrm_actions": [ "The \"Owner\" role is needed to complete the transfer." ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Detection Details**\n\n* A policy can be placed on the subscription to prevent transfers. 
[https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy](https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy)\n\n* The Activity Log for the subscription is transferred with the subscription, so the original tenant loses access to it after the transfer. Export logs to a Log Analytics workspace or storage account outside the subscription beforehand to preserve forensic visibility." ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Azure Portal\"\n\t![portal](507-3-1.png)" ], "x_atrm_resources": [ "Azure Subscription" ], "x_mitre_brief": "An adversary may transfer a subscription from a target tenant to an attacker-controlled tenant. This retains the billing account setup by the target and the target tenant administrators will no longer have control over the subscription.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--4120d712-becb-4525-8281-b79d799e8b11", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Microsoft Partners", "description": "Adversaries may use Delegated Administrative Privileges to give themselves administrator access to the target tenant.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-2", "external_id": "AZT507.002" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/microsoft-365/commerce/manage-partners?view=o365-worldwide" }, { "source_name": "microsoft", "url": "https://o365blog.com/post/partners/" } ], "x_atrm_detections": [ "## **Detection Details**\n\nBy reviewing the Azure AD sign-in logs, a key indicator is sign-ins from user principal names whose domain is not one of the tenant's verified domains, since partner staff authenticate with accounts from the partner's own tenant. Also review the tenant's partner relationships (Microsoft 365 admin center > Settings > Partner relationships) for delegated administration that was not authorized." 
], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_examples": [ "* N/A" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_resources": [ "AzureAD" ], "x_mitre_brief": "Adversaries may use Delegated Administrative Privileges to give themselves administrator access to the target tenant.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--92feebf8-823d-49cb-807e-3c45bdb3edde", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "User Account Manipulation", "description": "An adverary may manipulate a user account to maintain access in an Azure tenant", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-1", "external_id": "AZT501.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-reset-password-azure-portal" } ], "x_atrm_actions": [ "microsoft.directory/users/password/update", "microsoft.directory/users/enable", "microsoft.directory/users/restore" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Azure Active Directory | Reset password\t | microsoft.directory/users/password/update\t| AuditLogs |\n| Azure Active Directory | Enable account\t | microsoft.directory/users/enable\t| AuditLogs |\n| Azure Active Directory | Update user\t| microsoft.directory/users/password/update\t| 
AuditLogs |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AuditLogs | where OperationName =='Reset user password' or OperationName =='Enable account' or OperationName =='Update user'` |\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPersistence%2FAZT501%2FAZT501-1.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell Update-AzADUser`](https://docs.microsoft.com/en-us/powershell/module/az.resources/update-azaduser?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\t[`#!python az ad user update`](https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest#az-ad-user-update)\n\t\n=== \"Microsoft Graph API\"\t\n\t[`#!powershell PATCH https://graph.microsoft.com/v1.0/users/{id}`](https://docs.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http)\t\t\n\n=== \"Azure Portal\"\n\t![directorylogs](directorylogs.PNG)" ], "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "An adversary may manipulate a user account to maintain access in an Azure tenant", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--0af2f022-bbf3-4168-9570-4fe884e440ee", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "name": "Account Manipulation", "description": "An adversary may manipulate an account to maintain access in an Azure tenant", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": 
"https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501", "external_id": "AZT501" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "An adverary may manipulate an account to maintain access in an Azure tenant", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--fbfa6881-a615-4863-910e-ee44464ec8e9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:33:04.000Z", "name": "Azure VM Local Administrator Manipulation", "description": "An adverary may manipulate the local admin account on an Azure VM", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-3", "external_id": "AZT501.003" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/reset-rdp" } ], "x_atrm_actions": [ "microsoft.compute/virtualMachines/extensions/write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Detection Details**\n\nAfter a successful reset, the log 'Validate Deployment' will be created. 
Specifically, in the scope, a password reset will be mentioned \"VMAccessWindowsPasswordReset\". This deployment name is specific to Windows VMs; Linux VMs use the VMAccessForLinux extension instead, so alert on the `extensions/write` operation itself rather than relying on this string alone.\n\n## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Create or Update Virtual Machine Extension | microsoft.compute/virtualMachines/extensions/write\t| ActivityLog |\n| Resource | Validate Deployment | Microsoft.Resources/deployments/validate/action\t| ActivityLog |\n\n## **Detection Screenshot**\n\n![validate](validate.png)\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureActivity | where Properties_d has 'vmaccesswindowspasswordreset'` |\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPersistence%2FAZT501%2FAZT501-3.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell Set-AzVMAccessExtension`](https://docs.microsoft.com/en-us/powershell/module/az.compute/set-azvmaccessextension?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\t[`#!python az vm extension set`](https://docs.microsoft.com/en-us/cli/azure/vm/extension?view=azure-cli-latest#az-vm-extension-set)\n\t\n=== \"Azure REST API\"\t\n\t[`#!powershell PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}/extensions/{vmExtensionName}?api-version=2022-03-01`](https://docs.microsoft.com/en-us/rest/api/compute/virtual-machine-extensions/create-or-update)\t\t\n\n=== \"Azure Portal\"\n\t![localadminreset](localadminreset.PNG)" ], "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "An adversary may manipulate the local admin account on an Azure 
VM", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--c145f009-cd7d-407c-81d7-05f46bf6b8a8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:33:04.000Z", "name": "Service Principal Manipulation", "description": "An adverary may manipulate a service principal to maintain access in an Azure tenant", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2", "external_id": "AZT501.002" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals" } ], "x_atrm_actions": [ "microsoft.directory/servicePrincipals/enable", "microsoft.directory/servicePrincipals/credentials/update", "microsoft.directory/servicePrincipals/owners/update" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Azure Active Directory | Update application \u2013 Certificates and secrets management\t | microsoft.directory/servicePrincipals/credentials/update\t| AuditLogs |\n| Azure Active Directory | Update service principal | microsoft.directory/servicePrincipals/credentials/update\t| AuditLogs |\n| Azure Active Directory | Update user\t| microsoft.directory/users/password/update\t| AuditLogs |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureActivity | where OperationName == 'Update application \u2013 Certificates and secrets 
management' or OperationName =='Update service principal' or OperationName =='Add owner to service principal'` |\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPersistence%2FAZT501%2FAZT501-2.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell Update-AzADServicePrincipal`](https://docs.microsoft.com/en-us/powershell/module/az.resources/update-azadserviceprincipal?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\t[`#!python az ad sp update`](https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-update)\n\t\n=== \"Microsoft Graph API\"\t\n\t[`#!powershell PATCH https://graph.microsoft.com/v1.0/servicePrincipals/{id}`](https://docs.microsoft.com/en-us/graph/api/serviceprincipal-update?view=graph-rest-1.0&tabs=http)\t\t\n\n=== \"Azure Portal\"\n\t![directorylogs](directorylogs.PNG)" ], "x_atrm_resources": [ "Azure Active Directory" ], "x_mitre_brief": "An adversary may manipulate a service principal to maintain access in an Azure tenant", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--f1de0b16-286f-45f2-9e01-558e4e2fa4d9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "Network Security Group Modification", "description": "Adversaries can modify the rules in a Network Security Group to establish access over additional ports.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": 
"https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT506/AZT506", "external_id": "AZT506" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group" } ], "x_atrm_actions": [ "Microsoft.Network/networkSecurityGroups/*" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|--------------------|-------------------------------------------------------------------|--------------|\n| Resource | Create or Update Security Rule\t | Microsoft.Network/networkSecurityGroups/securityRules/write\t| AzureActivity |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureActivity | where OperationNameValue=='MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPersistence%2FAZT506%2FAZT506.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\n\t[`#!powershell Set-AzNetworkSecurityRuleConfig`](https://docs.microsoft.com/en-us/powershell/module/az.network/set-aznetworksecurityruleconfig?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\n\t[`#!python az network nsg rule`](https://docs.microsoft.com/en-us/cli/azure/network/nsg/rule?view=azure-cli-latest)\t\n\n=== \"Azure REST API\"\n\n\t[`#!python PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{networkSecurityGroupName}/securityRules/{securityRuleName}?api-version=2021-08-01`](https://docs.microsoft.com/en-us/rest/api/virtualnetwork/security-rules)\t\n\n=== \"Azure Portal\"\n\t![nsg](nsg.PNG)" ], 
"x_atrm_resources": [ "Network Security Group" ], "x_mitre_brief": "Adversaries can modify the rules in a Network Security Group to establish access over additional ports.", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--7ce417b0-82d6-40af-821c-50afd52ab2a1", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-08-18T19:04:59.000Z", "modified": "2023-06-12T03:27:03.000Z", "name": "Azure Policy", "description": "By configuring a policy with the 'DeployIfNotExists' definition, an adverary may establish persistence by creating a backdoor when the policy is triggered.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT508/AZT508", "external_id": "AZT508" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists" } ], "x_atrm_actions": [ "Microsoft.Authorization/policies/deployIfNotExists/action", "", "Microsoft.Authorization/policyAssignments/write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | 'deployIfNotExists' Policy Action\t | Microsoft.Authorization/policies/deployIfNotExists/action\t| AzureActivity | \n| Resource | N/A\t | Microsoft.Authorization/policyAssignments/write\t| AzureActivity | \n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureActivity | where OperationNameValue=='MICROSOFT.AUTHORIZATION/POLICYDEFINITIONS/WRITE'` |\t\n\n## 
**Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FPersistence%2FAZT508%2FAZT508.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Azure Portal\"\n\t![portal](508.PNG)" ], "x_atrm_resources": [ "Azure Policy" ], "x_mitre_brief": "By assigning a policy that uses the 'DeployIfNotExists' effect, an adversary may establish persistence by having the policy deploy a backdoor whenever it is triggered. The remediation deployment runs under the policy assignment's managed identity, so the backdoor is created with that identity's permissions rather than the adversary's own.", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--18dfc361-e77b-469a-ae83-dff3e0eb57e9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Function App Settings", "description": "If a Function App stores a service principal's credentials in its application settings, an adversary with read access to those settings (`Microsoft.Web/sites/config/list/action`) can retrieve the secret in plain text, or manipulate the function's logic so that it discloses the secret.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT603/AZT603-1", "external_id": "AZT603.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/automation/automation-runbook-execution" } ], "x_atrm_actions": [ "Microsoft.web/sites/functions/read", "Microsoft.Web/sites/read", "Microsoft.Web/sites/config/list/action" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Detection Details**\n\nNo logs are generated when retrieving the settings of a function app.\n\n## **Queries**\n\n| Platform | Query 
|\n|----------|-------|\n| Log Analytics | `#!sql AADServicePrincipalSignInLogs | where ServicePrincipalName == 'NAMEOFFUNCTIONAPP'` |\t\n\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FAzureThreatResearchMatrix%2FCredentialAccess%2FAZT603%2FAZT603-1.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\" \n\n\t[`#!powershell Get-AzFunctionAppSetting`](https://docs.microsoft.com/en-us/powershell/module/az.functions/get-azfunctionappsetting?view=azps-8.0.0)\n\t\t\n=== \"Azure CLI\"\n\n\t[`#!python az functionapp config appsettings`](https://docs.microsoft.com/en-us/cli/azure/functionapp/config/appsettings?view=azure-cli-latest)\n\n=== \"Azure REST API\"\n\n\t[`#!python PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/config/appsettings?api-version=2021-02-01`](https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/update-application-settings)" ], "x_atrm_resources": [ "Function App" ], "x_mitre_brief": "If a Function App stores a service principal's credentials in its application settings, an adversary with read access to those settings can retrieve the secret in plain text, or manipulate the function's logic so that it discloses the secret.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--b7add753-c3ca-409b-b244-7ccf3dfcdfdb", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-02-04T23:05:59.000Z", "modified": "2024-02-04T23:05:59.000Z", "name": "Service Principal Secret Reveal", "description": "An adversary may reveal a service principal's secret in plain text.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": 
"credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT603/AZT603", "external_id": "AZT603" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "An Adversary may reveal a service principal's secret in plain text.", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--860c42ef-bb44-4de5-9ab4-1d2dde128758", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Azure KeyVault Secret Dump", "description": "By accessing an Azure Key Vault, an adversary may dump any or all secrets.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-1", "external_id": "AZT604.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/key-vault/general/logging?WT.mc_id=Portal-fx&tabs=Vault" } ], "x_atrm_actions": [ "Microsoft.KeyVault/vaults/secrets/getSecret/action" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Detection Details**\n\nBy default, logging is not enabled on Key Vaults, meaning whenever a secret/key/certificate is accessed, it will not be logged unless Key Vault logging is turned on. 
\n\n## **Logs**\n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | SecretGet\t | N/A\t| AzureDiagnostics |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureDiagnostics | where OperationName == 'SecretList'` |\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FAzureThreatResearchMatrix%2FCredentialAccess%2FAZT604%2FAZT604-1.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\n\t[`#!powershell Get-AzKeyVaultSecret`](https://docs.microsoft.com/en-us/powershell/module/az.keyvault/get-azkeyvaultsecret?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\n\t[`#!python az keyvault secret`](https://docs.microsoft.com/en-us/cli/azure/keyvault/secret?view=azure-cli-latest)\n\n=== \"Azure REST API\"\n\n\t[`#!python GET {vaultBaseUrl}/secrets/{secret-name}/{secret-version}?api-version=7.3`](https://docs.microsoft.com/en-us/rest/api/keyvault/secrets/get-secret/get-secret)\t\n\n=== \"Azure Portal\"\n\n\t![secrets](secrets.PNG)" ], "x_atrm_resources": [ "Azure Key Vault" ], "x_mitre_brief": "By accessing an Azure KeyVault, an adversary may dump any or all secrets.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--6b338d24-50e2-474b-acc3-3ba761b525d8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Azure KeyVault Key Dump", "description": "By accessing an Azure Key Vault, an adversary may dump any or all public keys. 
Note that Private keys cannot be retrieved.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-3", "external_id": "AZT604.003" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/key-vault/general/logging?WT.mc_id=Portal-fx&tabs=Vault" } ], "x_atrm_actions": [ "Microsoft.KeyVault/vaults/keys/read" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Detection Details**\n\nBy default, logging is not enabled on Key Vaults, meaning whenever a secret/key/certificate is accessed, it will not be logged unless Key Vault logging is turned on. \n\n## **Logs**\n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | KeyGet\t | N/A\t| AzureDiagnostics |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureDiagnostics | where ResourceProvider == 'MICROSOFT.KEYVAULT' and OperationName == 'KeyGet'` |\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FAzureThreatResearchMatrix%2FCredentialAccess%2FAZT604%2FAZT604-3.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\n\t[`#!powershell Get-AzKeyVaultKey`](https://docs.microsoft.com/en-us/powershell/module/az.keyvault/get-azkeyvaultkey?view=azps-8.0.0)\n\n=== \"Azure CLI\"\n\n\t[`#!python az keyvault key`](https://docs.microsoft.com/en-us/cli/azure/keyvault/key?view=azure-cli-latest)\n\n=== \"Azure REST 
API\"\n\n\t[`#!python GET {vaultBaseUrl}/keys/{key-name}/{key-version}?api-version=7.3`](https://docs.microsoft.com/en-us/rest/api/keyvault/keys/get-key/get-key)\t\n\n=== \"Azure Portal\"\n\n\t![keys](keys.PNG)" ], "x_atrm_resources": [ "Azure Key Vault" ], "x_mitre_brief": "By accessing an Azure KeyVault, an adversary may dump any or all keys.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--655d8452-5dba-4f9e-bda8-b571432d5382", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "name": "Azure KeyVault Dumping", "description": "An adverary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604", "external_id": "AZT604" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "An adverary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--dd77ebc4-d327-4612-8f33-c099eb1e8573", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Azure KeyVault Certificate Dump", "description": "By accessing an Azure Key Vault, an adversary may dump any or all certificates.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": 
"credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-2", "external_id": "AZT604.002" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/key-vault/general/logging?WT.mc_id=Portal-fx&tabs=Vault" } ], "x_atrm_actions": [ "Microsoft.KeyVault/vaults/secrets/getSecret/action" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Detection Details**\n\nBy default, logging is not enabled on Key Vaults, meaning whenever a secret/key/certificate is accessed, it will not be logged unless Key Vault logging is turned on. \n\n## **Logs**\n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | CertificateList\t | N/A\t| AzureDiagnostics|\n| Resource | SecretGet\t | N/A\t| AzureDiagnostics |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureDiagnostics | where ResourceProvider == 'MICROSOFT.KEYVAULT' and OperationName == 'CertificateList' or OperationName == 'SecretGet'` |\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FAzureThreatResearchMatrix%2FCredentialAccess%2FAZT604%2FAZT604-2.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\n\t[`#!powershell Get-AzKeyVaultCertificate`](https://docs.microsoft.com/en-us/powershell/module/az.keyvault/get-azkeyvaultcertificate?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\n\t[`#!python az keyvault 
certificate`](https://docs.microsoft.com/en-us/cli/azure/keyvault/certificate?view=azure-cli-latest)\n\n=== \"Azure REST API\"\n\n\t[`#!python GET {vaultBaseUrl}/certificates/{certificate-name}/{certificate-version}?api-version=7.3`](https://docs.microsoft.com/en-us/rest/api/keyvault/certificates/get-certificate/get-certificate)\t\n\n\n=== \"Azure Portal\"\n\n\t![certs](certs.PNG)" ], "x_atrm_resources": [ "Azure Key Vault" ], "x_mitre_brief": "By accessing an Azure KeyVault, an adversary may dump any or all certificates.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--956f07dd-3949-4c79-8e78-42805378ec74", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Storage Account Access Key Dumping", "description": "By accessing a Storage Account, an adversary may dump access keys pertaining to the Storage Account, which will give them full access to the Storage Account.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-1", "external_id": "AZT605.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal" } ], "x_atrm_actions": [ "Microsoft.Storage/storageAccounts/listkeys/action" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION\t | 
Microsoft.Storage/storageAccounts/listkeys/action\t| AzureActivity |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureActivity | where OperationNameValue == 'MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION' and ActivityStatusValue == 'Start'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FAzureThreatResearchMatrix%2FCredentialAccess%2FAZT605%2FAZT605-1.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\n\t[`#!powershell Get-AzStorageAccountKey`](https://docs.microsoft.com/en-us/powershell/module/az.storage/get-azstorageaccountkey?view=azps-8.0.0)\n\n=== \"Azure CLI\"\n\n\t[`#!python az storage account keys`](https://docs.microsoft.com/en-us/cli/azure/storage/account/keys?view=azure-cli-latest)\n\n=== \"Azure REST API\"\n\n\t[`#!python https://{myaccount}.blob.core.windows.net/?restype=service&comp=userdelegationkey`](https://docs.microsoft.com/en-us/rest/api/storageservices/get-user-delegation-key)\t\n\n=== \"Azure Portal\"\n\n\t![storagekeys](StorageKeys.PNG)" ], "x_atrm_resources": [ "Azure Storage Account" ], "x_mitre_brief": "By accessing a Storage Account, an adversary may dump access keys pertaining to the Storage Account, which will give them full access to the Storage Account.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--82e5e173-9ed7-404b-a58a-3718c93c5628", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-08-18T19:04:59.000Z", "name": "Resource Secret Reveal", "description": "An adverary may access an Azure KeyVault in an attempt to view secrets, 
certificates, or keys.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605", "external_id": "AZT605" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--84932e4b-3ef0-490e-becf-36c9c4abd888", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Automation Account Credential Secret Dump", "description": "By editing a Runbook, a credential configured in an Automation Account may be revealed", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-2", "external_id": "AZT605.002" }, { "source_name": "microsoft", "url": "https://learn.microsoft.com/en-us/azure/automation/shared-resources/credentials?tabs=azure-powershell#create-a-new-credential-asset-with-the-azure-portal" } ], "x_atrm_actions": [ "Microsoft.Automation/automationAccounts/runbooks/*" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Create an Azure Automation job\t | Microsoft.Automation/automationAccounts/jobs/write\t| AzureActivity 
|\n| Resource | Publish an Azure Automation runbook draft\t | Microsoft.Automation/automationAccounts/runbooks/publish/action\t| AzureActivity |\n| Resource | Write an Azure Automation runbook draft\t | Microsoft.Automation/automationAccounts/runbooks/draft/write\t| AzureActivity |\n| Resource | Create or Update an Azure Automation Runbook\t | Microsoft.Automation/automationAccounts/runbooks/write\t| AzureActivity |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureActivity |where OperationNameValue=='Microsoft.Automation/automationAccounts/jobs/write' or OperationNameValue=='Microsoft.Automation/automationAccounts/runbooks/publish/action' or OperationNameValue=='Microsoft.Automation/automationAccounts/runbooks/draft/write' or OperationNameValue=='Microsoft.Automation/automationAccounts/runbooks/write'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FAzureThreatResearchMatrix%2FCredentialAccess%2FAZT605%2FAZT605-2.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\n\t* [`#!powershell New-AzAutomationRunbook`](https://docs.microsoft.com/en-us/powershell/module/az.automation/new-azautomationrunbook?view=azps-8.0.0)\n\t* [`#!powershell Set-AzAutomationRunbook`](https://docs.microsoft.com/en-us/powershell/module/az.automation/set-azautomationrunbook?view=azps-8.0.0)\n\t\t\n=== \"Azure CLI\"\n\n\t[`#!python az automation runbook`](https://docs.microsoft.com/en-us/cli/azure/automation/runbook?view=azure-cli-latest)\n\n=== \"Azure REST API\"\n\n\t[`#!python PUT 
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}/runbooks/{runbookName}?api-version=2019-06-01`](https://docs.microsoft.com/en-us/rest/api/automation/runbook/create-or-update)\t\n\n=== \"Azure Portal\"\n\n\t![NEWCRED](newcred.png)" ], "x_atrm_resources": [ "Automation Account" ], "x_mitre_brief": "By editing a Runbook, a credential configured in an Automation Account may be revealed", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--215bc946-0066-430c-9a6b-f2e7685a7b65", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-08-18T19:04:59.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Resource Group Deployment History Secret Dump", "description": "By accessing deployment history of a Resource Group, secrets used in the ARM template may be revealed.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-3", "external_id": "AZT605.003" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-history?tabs=azure-portal" } ], "x_atrm_actions": [ "Microsoft.Resources/deployments/read", "Microsoft.Resources/subscriptions/resourceGroups/read" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Detection Details**\n\nWhen a template is used, the parameters from the template are reflected on the 'Input' page when viewing the deployment detail in the Azure portal. The parameter key value's are shown unless the key 'SecureString' is used. 
If 'SecureString' is not used, then the value will show in the deployment input details. \n\n## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | N/A\t | N/A\t| AzureActivity |" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\n\t[`#!powershell Get-AzResourceGroupDeployment`](https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azresourcegroupdeployment?view=azps-8.2.0)\n\t\t\n=== \"Azure CLI\"\n\n\t* [`#!python az deployment group list`](https://docs.microsoft.com/en-us/cli/azure/deployment/group?view=azure-cli-latest#az-deployment-group-list)\n\t* [`#!python az deployment group export`](https://docs.microsoft.com/en-us/cli/azure/deployment/group?view=azure-cli-latest#az-deployment-group-export)\n\n=== \"Azure Portal\"\n\n\t![605.3.1](605-3-1.PNG)\n\t![605.3.2](605-3-2.PNG)" ], "x_atrm_resources": [ "Resource Group" ], "x_mitre_brief": "By accessing deployment history of a Resource Group, secrets used in the ARM template may be revealed.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--89caf13e-9bf3-483e-8372-36f4da264374", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Automation Account RunAs Account", "description": "If a Runbook is utilizing a 'RunAs' account, then an adversary may manipulate the Runbook to reveal the certificate the Service Principal is using for authentication.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", 
"url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT602/AZT602-1", "external_id": "AZT602.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/automation/automation-runbook-execution" } ], "x_atrm_actions": [ "Microsoft.Automation/automationAccounts/runbooks/*" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Create an Azure Automation job\t | Microsoft.Automation/automationAccounts/jobs/write\t| AzureActivity |\n| Resource | Publish an Azure Automation runbook draft\t | Microsoft.Automation/automationAccounts/runbooks/publish/action\t| AzureActivity |\n| Resource | Write an Azure Automation runbook draft\t | Microsoft.Automation/automationAccounts/runbooks/draft/write\t| AzureActivity |\n| Resource | Create or Update an Azure Automation Runbook\t | Microsoft.Automation/automationAccounts/runbooks/write\t| AzureActivity |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureDiagnostics | where ResourceProvider == 'MICROSOFT.AUTOMATION' and ResultDescription has 'Thumbprint'` |\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FAzureThreatResearchMatrix%2FCredentialAccess%2FAZT602%2FAZT602-1.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\n\t* [`#!powershell New-AzAutomationRunbook`](https://docs.microsoft.com/en-us/powershell/module/az.automation/new-azautomationrunbook?view=azps-8.0.0)\n\t* [`#!powershell 
Set-AzAutomationRunbook`](https://docs.microsoft.com/en-us/powershell/module/az.automation/set-azautomationrunbook?view=azps-8.0.0)\n\t\t\n=== \"Azure CLI\"\n\n\t[`#!python az automation runbook`](https://docs.microsoft.com/en-us/cli/azure/automation/runbook?view=azure-cli-latest)\n\n=== \"Azure REST API\"\n\n\t[`#!python PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}/runbooks/{runbookName}?api-version=2019-06-01`](https://docs.microsoft.com/en-us/rest/api/automation/runbook/create-or-update)\t\n\n=== \"Azure Portal\"\n\n\t![runbook](runbook.PNG)" ], "x_atrm_resources": [ "Automation Account" ], "x_mitre_brief": "If a Runbook is utilizing a 'RunAs' account, then an adversary may manipulate the Runbook to reveal the certificate the Service Principal is using for authentication.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--da39f9b2-3fc3-4858-9e64-fa587a26a2bd", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-02-04T23:05:59.000Z", "modified": "2024-02-04T23:05:59.000Z", "name": "Steal Service Principal Certificate", "description": "An Adversary may steal a Service Principal's certificate for authentication.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT602/AZT602", "external_id": "AZT602" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "An Adversary may steal a Service Principal's certificate for authentication.", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, 
"x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--9c0cd0fe-d904-4be3-a01c-a48c84bdb6f9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Azure Kubernetes Service IMDS Request", "description": "By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an AKS Cluster if they have access to execute commands on the system.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-2", "external_id": "AZT601.002" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/aks/command-invoke" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/aks/use-managed-identity" } ], "x_atrm_actions": [ "Microsoft.ContainerService/managedClusters/runcommand/action", "Microsoft.ContainerService/managedclusters/commandResults/read" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Detection Details**\n\nLogs are only generated when running a command through az cli or Az PowerShell. 
Using `kubectl` will not generate logs.\n\n## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | RunCommand\t | Microsoft.ContainerService/managedClusters/runCommand/action\t| AzureActivity |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureDiagnostics | where log_s has '169.254.169.254'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FAzureThreatResearchMatrix%2FCredentialAccess%2FAZT601%2FAZT601-2.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Python\"\n\n\t`#!python curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s`\n\n=== \"PowerShell\"\n\t\n\t[`#!powershell powershell.exe -c $a=Invoke-Restmethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01\"&\"resource=https://management.azure.com/' -Method GET -Headers @{Metadata='true'} -UseBasicParsing;$a.access_token`](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token)\n\t\n=== \"Azure Portal\"\n\n\t![aks](aks.PNG)" ], "x_atrm_resources": [ "Azure Kubernetes Service" ], "x_mitre_brief": "By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an AKS Cluster if they have access to execute commands on the system.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--9dd00955-ecdd-4e3f-b074-41542605300d", "created_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Logic Application JWT PUT Request", "description": "If a Logic App is using a Managed Identity, an adversary can modify the logic to make an HTTP POST request to reveal the Managed Identity's JWT.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-3", "external_id": "AZT601.003" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-overview" } ], "x_atrm_actions": [ "Microsoft.Logic/workflows/write", "Microsoft.Logic/workflows/run/action", "Microsoft.Logic/operations/read" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Gets workflow recommend operation groups\t | Microsoft.Logic/locations/workflows/recommendOperationGroups/action\t| AzureActivity |\n| Resource | List Trigger Callback URL | Microsoft.Logic/workflows/triggers/listCallbackUrl/action\t| AzureActivity |\n| Resource | Add or Update Connection\t| Microsoft.Web/connections/write\t| AzureActivity |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureActivity | where OperationNameValue == 'MICROSOFT.LOGIC/WORKFLOWS/TRIGGERS/LISTCALLBACKURL/ACTION'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to 
Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FAzureThreatResearchMatrix%2FCredentialAccess%2FAZT601%2FAZT601-3.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\n\t[`#!powershell Set-AzLogicApp`](https://docs.microsoft.com/en-us/powershell/module/az.logicapp/set-azlogicapp?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\n\t[`#!python az logicapp start`](https://docs.microsoft.com/en-us/cli/azure/logicapp?view=azure-cli-latest#az-logicapp-start)\t\n\n=== \"Azure REST API\"\n\n\t[`#!python PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{workflowName}?api-version=2016-06-01`](https://docs.microsoft.com/en-us/rest/api/logic/workflows/create-or-update)\t\n\n=== \"Azure Portal\"\n\n\t![logicapp](logciappimds.PNG)" ], "x_atrm_resources": [ "Logic Application" ], "x_mitre_brief": "If a Logic App is using a Managed Identity, an adversary can modify the logic to make an HTTP POST request to reveal the Managed Identity's JWT.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--3dca07b0-c955-407e-8e77-a1d17a47f182", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2022-07-29T18:07:09.000Z", "name": "Steal Managed Identity JsonWebToken", "description": "An adverary may utilize the resource's functionality to obtain a JWT for the applied Managed Identity Service Principal account.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": 
"https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601", "external_id": "AZT601" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "An adverary may utilize the resource's functionality to obtain a JWT for the applied Managed Identity Service Principal account.", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--63fb52b3-ed25-41b3-b90a-1eeea7737e9a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:16:53.000Z", "name": "Function Application JWT GET Request", "description": "If a Function App is using a Managed Identity, an adversary can modify the logic respond to an HTTP GET request to reveal the Managed Identity's JWT.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-4", "external_id": "AZT601.004" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/azure-functions/functions-overview" } ], "x_atrm_actions": [ "Microsoft.Web/sites/Write", "Microsoft.web/sites/functions/action", "Microsoft.web/sites/functions/write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Azure Active Directory | Update website\t | Microsoft.Web/sites/write\t| AzureAD Audit Logs |\n| Azure Active Directory | Start Web App | Microsoft.Web/sites/start/action\t| AzureAD 
Audit Logs |" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\n\t[`#!powershell Update-AzFunctionApp`](https://docs.microsoft.com/en-us/powershell/module/az.functions/update-azfunctionapp?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\n\t[`#!python az functionapp update`](https://docs.microsoft.com/en-us/cli/azure/functionapp?view=azure-cli-latest#az-functionapp-update)\n\n=== \"Azure Portal\"\n\n\t![functionappmi](functionappmi.png)" ], "x_atrm_resources": [ "Function App" ], "x_mitre_brief": "If a Function App is using a Managed Identity, an adversary can modify the logic to respond to an HTTP GET request to reveal the Managed Identity's JWT.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--576338cb-56b7-408c-a727-2ec68286eaad", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2023-06-12T03:08:06.000Z", "name": "Virtual Machine IMDS Request", "description": "By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an Azure VM if they have access to execute commands on the system.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-1", "external_id": "AZT601.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token" } ], "x_atrm_actions": [ "Microsoft.Compute/virtualMachines/write", 
"Microsoft.Compute/virtualMachines/extensions/*" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "The detection will be based off of the [Command Execution](../../Execution/AZT301/AZT301.md) technique chosen. If using RDP, then no logs will be generated in Azure. \nSince the command to retrieve the JWT requires local PowerShell execution, script block logging will reveal the request used to gather the token.\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql union Event, Syslog | where EventID == 4104 and RenderedDescription has 'http://169.254.169.254/metadata/identity/oauth2/token' or SyslogMessage has 'http://169.254.169.254/metadata'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FAzureThreatResearchMatrix%2FCredentialAccess%2FAZT601%2FAZT601-1.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"PowerShell\"\n\t\n\t[`#!powershell powershell.exe -c $a=Invoke-Restmethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01\"&\"resource=https://management.azure.com/' -Method GET -Headers @{Metadata='true'} -UseBasicParsing;$a.access_token`](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token)\n\n=== \"Azure Portal\"\n\n\t![vmimds](vmimds.PNG)" ], "x_atrm_resources": [ "Virtual Machine" ], "x_mitre_brief": "By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an Azure VM if they have access to execute commands on the system.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--3bdb828a-caf8-4617-8e33-fd4d174f650a", "created_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T18:07:09.000Z", "modified": "2024-02-04T22:12:32.000Z", "name": "Automation Account Runbook", "description": "If an Automation Account is using a Managed Identity, an adversary can create a Runbook to request the Managed Identity's JWT.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-5", "external_id": "AZT601.005" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/automation/automation-runbook-execution" }, { "source_name": "microsoft", "url": "https://posts.specterops.io/managed-identity-attack-paths-part-1-automation-accounts-82667d17187a" } ], "x_atrm_actions": [ "Microsoft.Automation/automationAccounts/runbooks/write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Create an Azure Automation job\t | Microsoft.Automation/automationAccounts/jobs/write\t| AzureActivity |\n| Resource | Publish an Azure Automation runbook draft\t | Microsoft.Automation/automationAccounts/runbooks/publish/action\t| AzureActivity |\n| Resource | Write an Azure Automation runbook draft\t | Microsoft.Automation/automationAccounts/runbooks/draft/write\t| AzureActivity |\n| Resource | Create or Update an Azure Automation Runbook\t | Microsoft.Automation/automationAccounts/runbooks/write\t| AzureActivity |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureDiagnostics | where ResourceProvider == 'MICROSOFT.AUTOMATION' and ResultDescription has 'access_token'` |\n\n## 
**Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FAzureThreatResearchMatrix%2FCredentialAccess%2FAZT601%2FAZT601-5.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell New-AzAutomationRunbook`](https://docs.microsoft.com/en-us/powershell/module/az.automation/new-azautomationrunbook?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\t[`#!python az automation runbook create`](https://docs.microsoft.com/en-us/cli/azure/automation/runbook?view=azure-cli-latest#az-automation-runbook-create)\n\t\n=== \"Azure REST API\"\t\n\t[`#!powershell PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/automationAccounts/{automationAccountName}/runbooks/{runbookName}?api-version=2019-06-01`](https://docs.microsoft.com/en-us/rest/api/automation/runbook/create-or-update)\t\t\n\n=== \"Azure Portal\"\n\t![runbook](runbook.PNG)" ], "x_atrm_resources": [ "Automation Account" ], "x_mitre_brief": "If an Automation Account is using a Managed Identity, an adversary can create a Runbook to request the Managed Identity's JWT.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--16066262-455e-4fa5-bb9c-28bca4df3105", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2023-09-05T15:58:57.000Z", "modified": "2023-09-05T15:58:57.000Z", "name": "VM Disk SAS URI", "description": "An adversary may create an SAS URI to download the disk attached to a virtual machine.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { 
"source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701-1", "external_id": "AZT701.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/marketplace/azure-vm-get-sas-uri" } ], "x_atrm_actions": [ "Microsoft.Compute/disks/beginGetAccess/action" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Get Disk SAS URI\t | Microsoft.Compute/disks/BeginGetAccess/action\t| AzureActivity |\n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureActivity | where OperationNameValue == 'MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION' and ActivityStatusValue == 'Success'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FExfiltration%2FAZT701%2FAZT701-1.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\n\t* [`#!powershell New-AzureStorageBlobSASToken`](https://docs.microsoft.com/en-us/powershell/module/azure.storage/new-azurestorageblobsastoken?view=azurermps-6.13.0)\n\t\n\t* [`#!powershell New-AzStorageContainerSASToken`](https://docs.microsoft.com/en-us/powershell/module/az.storage/new-azstoragecontainersastoken?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\t[`#!python az storage blob generate-sas`](https://docs.microsoft.com/en-us/cli/azure/storage/blob?view=azure-cli-latest#az-storage-blob-generate-sas)\n\n=== \"Azure Portal\"\n\n\t![diskexport](diskexport.PNG)" ], "x_atrm_resources": [ "Virtual Machine Disk" ], "x_mitre_brief": "An adversary may create an SAS URI to download the disk 
attached to a virtual machine.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--d5c5cadd-e0e8-4f42-8b66-49b5af079f2c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2023-09-05T15:58:57.000Z", "modified": "2023-09-05T15:58:57.000Z", "name": "Storage Account File Share SAS", "description": "By generating a Shared Access Signature (SAS) URI, an adversary can access a container in a Storage Account at any time.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701-2", "external_id": "AZT701.002" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview" } ], "x_atrm_actions": [ "Microsoft.Storage/storageAccounts/listAccountSas/action" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | N/A\t | N/A\t| StorageBlobLogs | \n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql StorageBlobLogs | where AuthorizationDetails has 'generateUserDelegationKey'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FExfiltration%2FAZT701%2FAZT701-2.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\n\t* [`#!powershell 
New-AzureStorageBlobSASToken`](https://docs.microsoft.com/en-us/powershell/module/azure.storage/new-azurestorageblobsastoken?view=azurermps-6.13.0)\n\t\n\t* [`#!powershell New-AzStorageContainerSASToken`](https://docs.microsoft.com/en-us/powershell/module/az.storage/new-azstoragecontainersastoken?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\t[`#!python az storage blob generate-sas`](https://docs.microsoft.com/en-us/cli/azure/storage/blob?view=azure-cli-latest#az-storage-blob-generate-sas)\n\t\n=== \"Azure Portal\"\n\t![blobsas](blobsas.PNG)" ], "x_atrm_resources": [ "Azure Storage Account" ], "x_mitre_brief": "By generating a Shared Access Signature (SAS) URI, an adversary can access a container in a Storage Account at any time.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--a941dc49-6970-491b-9ba3-e94934094c79", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2023-09-05T15:58:57.000Z", "modified": "2023-09-05T15:58:57.000Z", "name": "SAS URI Generation", "description": "By generating an SAS URI for a resource, an adversary may extract the contents of that resource without authentication at any time.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701", "external_id": "AZT701" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "By generating an SAS URI for a resource, an adversary may extract the contents of that resource without authentication at any time.", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": 
"2.1", "id": "attack-pattern--82654405-9968-4dcc-abfa-41eb3681f042", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2023-09-05T15:58:57.000Z", "modified": "2023-09-05T15:58:57.000Z", "name": "Virtual Machine", "description": "An adversary may recover a virtual machine object found in a 'soft deletion' state.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-3", "external_id": "AZT704.003" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/powershell/module/az.recoveryservices/undo-azrecoveryservicesbackupitemdeletion?view=azps-8.2.0" } ], "x_atrm_actions": [ "Microsoft.RecoveryServices/Vaults/backupconfig/write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Location |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | TBD\t | TBD\t| Log Analytics |" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell Undo-AzRecoveryServicesBackupItemDeletion`](https://docs.microsoft.com/en-us/powershell/module/az.recoveryservices/undo-azrecoveryservicesbackupitemdeletion?view=azps-8.2.0)\n\n=== \"Azure REST API\"\n\n\t[`#!powershell Invoke-RESTMethod -body $body -Method PUT -Uri 
'https://management.azure.com/Subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testVaultRG/providers/Microsoft.RecoveryServices/vaults/testVault/backupFabrics/Azure/protectionContainers/iaasvmcontainer;iaasvmcontainerv2;testRG;testVM/protectedItems/vm;iaasvmcontainerv2;testRG;testVM?api-version=2019-05-13'`](https://docs.microsoft.com/en-us/powershell/module/az.recoveryservices/undo-azrecoveryservicesbackupitemdeletion?view=azps-8.2.0)\n\t\n\t```#!powershell $Body =\t\t\n\t\t{\n\t\t \"properties\": {\n\t\t\t\"protectedItemType\": \"Microsoft.Compute/virtualMachines\",\n\t\t\t\"protectionState\": \"ProtectionStopped\",\n\t\t\t\"sourceResourceId\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testRG/providers/Microsoft.Compute/virtualMachines/testVM\",\n\t\t\t\"isRehydrate\": true\n\t\t }\n\t\t}\n\t``` \n=== \"Azure Portal\"\n\t![portal](https://docs.microsoft.com/en-us/azure/backup/media/backup-azure-security-feature-cloud/undelete-vm.png)" ], "x_atrm_resources": [ "Azure Recovery Services Vault" ], "x_mitre_brief": "An adversary may recover a virtual machine found in a 'soft deletion' state.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--b564bf40-14c7-4607-b91a-9fe03b6938b2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2023-09-05T15:58:57.000Z", "modified": "2023-09-05T15:58:57.000Z", "name": "Storage Blob", "description": "An adversary may recover a storage account object found in a 'soft deletion' state.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-2", "external_id": "AZT704.002" }, { "source_name": "microsoft", "url": 
"https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-blob-overview" } ], "x_atrm_actions": [ "Microsoft.Storage/storageAccounts/blobServices/*\\/*" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | RestoreContainer\t | Microsoft.Storage/storageAccounts/blobServices/*\\/*\t| StorageBlobLogs | \n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql StorageBlobLogs | where OperationName == 'RestoreContainer'` |" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Azure REST API\"\n\n\t* [`Invoke-RESTMethod -Uri https://myaccount.blob.core.windows.net/mycontainer/myblob?comp=undelete -Method PUT`](https://docs.microsoft.com/en-us/rest/api/storageservices/undelete-blob)\n\t\n\t* [`Invoke-RESTMethod -Uri https://myaccount.blob.core.windows.net/destinationcontainer?restype=container&comp=undelete -Method PUT`](https://myaccount.blob.core.windows.net/destinationcontainer?restype=container&comp=undelete)\n\n=== \"Azure Portal\"\n\t![portal](704-2-1.PNG)" ], "x_atrm_resources": [ "Azure Storage Account" ], "x_mitre_brief": "An adversary may recover a storage blob found in a 'soft deletion' state.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--260d8064-bcf3-4bac-9a59-5f77ce2b9a48", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2023-09-05T15:58:57.000Z", "modified": "2023-09-05T15:58:57.000Z", "name": "Soft-Delete Recovery", "description": "An adversary may leverage resources found at a 'soft deletion' state, restore them and advance their attack by retrieving contents meant to be 
deleted", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704", "external_id": "AZT704" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "An adversary may leverage resources found at a 'soft deletion' state, restore them and advance their attack by retrieving contents meant to be deleted", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--95039596-fc1d-440f-906e-a71a4e47a602", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2023-09-05T15:58:57.000Z", "modified": "2023-09-05T15:58:57.000Z", "name": "Key Vault", "description": "An adversary may recover a key vault object found in a 'soft deletion' state.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-1", "external_id": "AZT704.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview" } ], "x_atrm_actions": [ "Microsoft.KeyVault/vaults/\\*/restore", "", "Microsoft.KeyVault/locations/deletedVaults/read" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | SecretRecover\t | Microsoft.KeyVault/vaults/\\*/restore| AzureDiagnostics | \n\n## 
**Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureDiagnostics | where OperationName == 'SecretRecover' or OperationName == 'KeyRecover' or OperationName == 'CertificateRecover'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FExfiltration%2FAZT704%2FAZT704-1.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t* [`#!powershell Undo-AzKeyVaultRemoval`](https://docs.microsoft.com/en-us/powershell/module/az.keyvault/undo-azkeyvaultremoval?view=azps-8.2.0)\n\t\n\t* [`#!powershell Undo-AzKeyVaultSecretRemoval`](https://docs.microsoft.com/en-us/powershell/module/az.keyvault/undo-azkeyvaultsecretremoval?view=azps-8.2.0)\n\t\n\t* [`#!powershell Undo-AzKeyVaultKeyRemoval`](https://docs.microsoft.com/en-us/powershell/module/az.keyvault/undo-azkeyvaultkeyremoval?view=azps-8.2.0)\n\t\n\t* [`#!powershell Undo-AzKeyVaultCertificateRemoval`](https://docs.microsoft.com/en-us/powershell/module/az.keyvault/undo-azkeyvaultcertificateremoval?view=azps-8.2.0)\n\t\t\t\t\t\n=== \"Azure CLI\"\n\t* [`#!python az keyvault certificate recover`](https://docs.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery?tabs=azure-cli)\n\t\n\t* [`#!python az keyvault key recover`](https://docs.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery?tabs=azure-cli)\n\t\n\t* [`#!python az keyvault secret recover`](https://docs.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery?tabs=azure-cli)\n\t\n\t* [`#!python az keyvault recover`](https://docs.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery?tabs=azure-cli)\n\t\n=== \"Azure Portal\"\n\t![portal](704-1-1.PNG)" ], "x_atrm_resources": [ "Azure Key Vault" ], "x_mitre_brief": "An adversary may recover a key vault object 
found in a 'soft deletion' state.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--a87d582b-e5f2-4880-bbe3-521c922892c8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-02-04T23:05:59.000Z", "modified": "2024-02-04T23:05:59.000Z", "name": "Replication", "description": "An adversary may exfiltrate data by replicating it.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT703/AZT703", "external_id": "AZT703" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "An adversary may exfiltrate data by replicating it.", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--5150e731-4d58-4daa-9601-a79ba66beedb", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2023-09-05T15:58:57.000Z", "modified": "2023-09-05T15:58:57.000Z", "name": "Storage Account Replication", "description": "By setting up cross-tenant replication, an adversary may set up replication from one tenant's storage account to an external tenant's storage account.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT703/AZT703-1", "external_id": "AZT703.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-configure?tabs=portal" }, { 
"source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-prevent-cross-tenant-policies?tabs=portal" } ], "x_atrm_actions": [ "Microsoft.Storage/storageAccounts/write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Detection Details**\n\nA [policy can be created](https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-prevent-cross-tenant-policies?tabs=portal#create-a-policy-with-an-audit-effect) to alert when replication is set up.\n\n## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider |\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Put Object Replication Policy\t | Microsoft.Storage/storageAccounts/objectReplicationPolicies/write\t| AzureActivity | \n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureActivity | where OperationNameValue=='Microsoft.Storage/storageAccounts/objectReplicationPolicies/write'` |\t\n\n## **Azure Monitor Alert**\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FAzDetectSuite%2Fmain%2FExfiltration%2FAZT703%2FAZT703-1.json)" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t[`#!powershell New-AzStorageObjectReplicationPolicyRule`](https://docs.microsoft.com/en-us/powershell/module/az.storage/new-azstorageobjectreplicationpolicyrule?view=azps-8.0.0)\n\t\n=== \"Azure CLI\"\n\t[`#!python az storage account or-policy rule add`](https://docs.azure.cn/zh-cn/cli/ext/storage-or-preview/storage/account/or-policy/rule?view=azure-cli-latest#ext-storage-or-preview-az-storage-account-or-policy-rule-add)\n\t\n=== \"Azure Portal\"\n\t![configure-replication-policy](configure-replication-policy.png)" ], 
"x_atrm_resources": [ "Azure Storage Account" ], "x_mitre_brief": "By setting up cross-tenant replication, an adversary may set up replication from one tenant's storage account to an external tenant's storage account.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--20dcfb35-9aa6-4995-b272-d4334960c6e2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-02-04T23:05:59.000Z", "modified": "2024-02-04T23:05:59.000Z", "name": "File Share Mounting", "description": "An adversary may attach an Azure resource as a file share.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT702/AZT702", "external_id": "AZT702" } ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_brief": "An adversary may attach an Azure resource as a file share.", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--d754cd69-458a-4ad7-899c-90479f6223db", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2023-09-05T15:58:57.000Z", "modified": "2023-09-05T15:58:57.000Z", "name": "Storage Account File Share NFS/SMB Mount", "description": "An adversary can generate a connection string to mount an Azure Storage Account File Share as an NFS or SMB share to their local machine.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": 
"https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT702/AZT702-1", "external_id": "AZT702.001" }, { "source_name": "microsoft", "url": "https://docs.microsoft.com/en-us/azure/storage/files/files-smb-protocol?tabs=azure-portal" } ], "x_atrm_actions": [ "Microsoft.Storage/storageAccounts/fileServices/shares/write" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "Connection logs to the share are not generated in Azure." ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Azure Portal\"\n\n\t![smbshare](smbshare.PNG)" ], "x_atrm_resources": [ "Azure Storage Account" ], "x_mitre_brief": "An adversary can generate a connection string to mount an Azure Storage Account File Share as an NFS or SMB share to their local machine.", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--dfc2b6af-2dc4-4dc9-b3b5-b8df9802c8ba", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2023-09-05T15:58:57.000Z", "modified": "2023-09-05T19:05:13.000Z", "name": "Azure Backup Delete", "description": "An adversary may delete data within the Recovery Service Vault, which houses backup data.", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "impact" } ], "x_mitre_attack_spec_version": "2.1.0", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT705/AZT705", "external_id": "AZT705" } ], "x_atrm_actions": [ "Microsoft.RecoveryServices/Vaults/delete", "", "Microsoft.RecoveryServices/Vaults/read" ], "x_mitre_domains": [ "enterprise-attack" ], "x_atrm_detections": [ "## **Logs** \n\n| Data Source | Operation Name | Action | Log Provider 
|\n|--------------------|---------------------|-------------------------------------------------------------------|--------------|\n| Resource | Delete\t | Microsoft.RecoveryServices/Vaults/delete| AzureActivity | \n\n## **Queries**\n\n| Platform | Query |\n|----------|-------|\n| Log Analytics | `#!sql AzureActivity | where ResourceProviderValue == \"MICROSOFT.RECOVERYSERVICES\" and OperationNameValue contains \"Delete\" ` |" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "x_atrm_examples": [ "=== \"Az PowerShell\"\n\t* [`#!powershell Remove-AzRecoveryServicesVault`](https://learn.microsoft.com/en-us/powershell/module/az.recoveryservices/remove-azrecoveryservicesvault?view=azps-10.2.0)\n\n\t\t\t\t\t\n=== \"Azure CLI\"\n\t* [`#!python az backup vault delete`](https://learn.microsoft.com/en-us/cli/azure/backup/vault?view=azure-cli-latest#az-backup-vault-delete)\n\t\n\t\n=== \"Azure Portal\"\n\t![portal](AZT705.png)" ], "x_atrm_resources": [ "Recovery Service Vaults" ], "x_mitre_brief": "An adversary may delete data within the Recovery Service Vault, which houses backup data.", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Azure AD" ], "x_mitre_version": "1.0" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6361841d-5e52-418f-a473-7dc3835343a9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.437669Z", "modified": "2024-05-08T13:40:24.437669Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--68b8f6f6-de3d-45c5-a3e9-2b2d7582c56d", "target_ref": "attack-pattern--c30c8a90-4233-4b2e-8958-9babd82c5c44", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--64fd6a40-3a0c-4669-b9e9-3c80c3f09795", "created_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.437766Z", "modified": "2024-05-08T13:40:24.437766Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--17205c36-7049-4adb-95ef-b8fe975cc8a6", "target_ref": "attack-pattern--c30c8a90-4233-4b2e-8958-9babd82c5c44", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--afc13b1f-978b-4a6d-913a-250b78f48a5a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.437837Z", "modified": "2024-05-08T13:40:24.437837Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--3f9cb872-3eda-438e-a00f-8c51810c8c09", "target_ref": "attack-pattern--c30c8a90-4233-4b2e-8958-9babd82c5c44", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bf91d985-7913-4ca9-86ee-3b04243216be", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.437903Z", "modified": "2024-05-08T13:40:24.437903Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--5b12e0bb-8afb-41ae-905e-4672d5c843d3", "target_ref": "attack-pattern--c30c8a90-4233-4b2e-8958-9babd82c5c44", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--82e69bfa-b448-4c7b-b6cb-1be4d3ef2bc8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.437977Z", "modified": 
"2024-05-08T13:40:24.437977Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--3b276a89-8c5e-41a0-ad12-e1267cb80905", "target_ref": "attack-pattern--39df1e22-763b-4eec-8b05-dcc8b063b9a0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c092d64d-604f-4196-b8e3-ae89a7e187a6", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.438047Z", "modified": "2024-05-08T13:40:24.438047Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--2b01e017-6833-45b4-9e8e-20d1c9d057e9", "target_ref": "attack-pattern--39df1e22-763b-4eec-8b05-dcc8b063b9a0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cef5495e-b55a-4a74-8d14-3b544299208a", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.438113Z", "modified": "2024-05-08T13:40:24.438113Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--1185f52e-b6e8-4d28-a0bc-b537d444cb02", "target_ref": "attack-pattern--a10f9420-bfb2-45a0-88d5-f8bb531e7d86", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4d941fa3-d0a0-4a39-8bcf-4b7141e435d7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.438177Z", "modified": "2024-05-08T13:40:24.438177Z", "relationship_type": "subtechnique-of", "source_ref": 
"attack-pattern--22de8bda-0779-43ea-aa80-b13c350b10d4", "target_ref": "attack-pattern--a10f9420-bfb2-45a0-88d5-f8bb531e7d86", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5a740440-81b6-4f34-a467-70c563761abe", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.43824Z", "modified": "2024-05-08T13:40:24.43824Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--2b66fdb9-8172-4170-9a9e-2f19a2e5e872", "target_ref": "attack-pattern--a10f9420-bfb2-45a0-88d5-f8bb531e7d86", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--10a70442-d32b-4e5b-ab4e-a558b7e63222", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.438302Z", "modified": "2024-05-08T13:40:24.438302Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--023ef082-9c29-4f35-9272-afd9e8b4b5a7", "target_ref": "attack-pattern--a10f9420-bfb2-45a0-88d5-f8bb531e7d86", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8fa945c6-df0a-49a6-b466-366e04a724f1", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.43836Z", "modified": "2024-05-08T13:40:24.43836Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--1a0cb6f2-1b7b-486a-a1e0-f0d0ef9ded9f", "target_ref": 
"attack-pattern--a10f9420-bfb2-45a0-88d5-f8bb531e7d86", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--efb9d6a3-375b-4adb-a5af-0eb787403aad", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.438419Z", "modified": "2024-05-08T13:40:24.438419Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--3e326ae2-bfb0-4356-94e9-5a6e5f879499", "target_ref": "attack-pattern--a10f9420-bfb2-45a0-88d5-f8bb531e7d86", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bd6fa56f-0b83-4e52-b1d7-cf3ce1d88412", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.438482Z", "modified": "2024-05-08T13:40:24.438482Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--1b97df8e-02d8-46d1-adf6-77f64da597aa", "target_ref": "attack-pattern--a10f9420-bfb2-45a0-88d5-f8bb531e7d86", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2378c0d2-4f85-45c6-99ea-549510d90fc9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.43854Z", "modified": "2024-05-08T13:40:24.43854Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--a13033cd-44e7-458e-b224-2c2845989aa3", "target_ref": "attack-pattern--c04cc82a-43f7-42af-8af9-ca68f98c41a6", "x_mitre_attack_spec_version": "2.1.0", 
"x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--49a600be-3355-4c86-b9c8-39040ed33c4b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.438598Z", "modified": "2024-05-08T13:40:24.438598Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--f0b13df7-5413-407e-a4d5-da818e6076b8", "target_ref": "attack-pattern--c04cc82a-43f7-42af-8af9-ca68f98c41a6", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a7f2fa4d-3843-405b-bb32-109df4a11911", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.438673Z", "modified": "2024-05-08T13:40:24.438673Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--5516905e-6245-4fd9-a5e7-1895d08abeeb", "target_ref": "attack-pattern--c04cc82a-43f7-42af-8af9-ca68f98c41a6", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--639cc3df-40fb-48fa-9888-2ee7ae5254f1", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.438733Z", "modified": "2024-05-08T13:40:24.438733Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--66df50e7-0cad-496d-8f41-ff3f8968b13d", "target_ref": "attack-pattern--c04cc82a-43f7-42af-8af9-ca68f98c41a6", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--80c08439-a7be-441d-a893-8edcdffeea04", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.438791Z", "modified": "2024-05-08T13:40:24.438791Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--f54ef0fa-5aeb-4e79-8feb-be322dd70276", "target_ref": "attack-pattern--a35935c7-b634-4850-8d06-975abd071bc9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b6c701ed-d896-42cf-a784-7fe914d86d80", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.438854Z", "modified": "2024-05-08T13:40:24.438854Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--d769bc8e-7435-4eb4-84c6-28b8ee04d992", "target_ref": "attack-pattern--a35935c7-b634-4850-8d06-975abd071bc9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8be647c3-91de-4458-9af2-6bf4cdad1934", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.438917Z", "modified": "2024-05-08T13:40:24.438917Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--8fc6ab58-2df3-416b-80a1-0981de6193d3", "target_ref": "attack-pattern--a35935c7-b634-4850-8d06-975abd071bc9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": 
"relationship--5c8c9db2-c2e9-4c7a-b908-53d9acd2c80b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.438983Z", "modified": "2024-05-08T13:40:24.438983Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--57bc72ed-f2c3-4cb3-8e65-32b48c4aee4e", "target_ref": "attack-pattern--a35935c7-b634-4850-8d06-975abd071bc9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b46f54be-79ee-472e-bcae-1b430b4490f9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.439043Z", "modified": "2024-05-08T13:40:24.439043Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--d1eab55d-abe6-4c51-8f40-c1e33d7073ab", "target_ref": "attack-pattern--df563b0f-982f-484b-9815-f6dc5f576c54", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1face7db-c42a-489a-8dd9-4bb792ccfee7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.4391Z", "modified": "2024-05-08T13:40:24.4391Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--f0084736-a06d-4abc-9a7d-c4b7ce4deb6b", "target_ref": "attack-pattern--49fef13f-f32b-4921-8954-ea2583d2d1c0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2e23d8cb-84c6-4b71-9d40-9d9f78cd5bd3", "created_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.439157Z", "modified": "2024-05-08T13:40:24.439157Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--15985050-354f-4451-a37f-c65702519236", "target_ref": "attack-pattern--49fef13f-f32b-4921-8954-ea2583d2d1c0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fb8d22f4-25fe-4b94-bf9f-c7ce1cc9348d", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.439214Z", "modified": "2024-05-08T13:40:24.439214Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--a6b33d81-9171-40e4-b69b-520f9bf2d3f0", "target_ref": "attack-pattern--49fef13f-f32b-4921-8954-ea2583d2d1c0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--85e07c8b-3d7d-4eac-b4ef-508c04a24d7e", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.439272Z", "modified": "2024-05-08T13:40:24.439272Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--c385f414-7beb-4afd-a98b-6cf06be57952", "target_ref": "attack-pattern--1a8a7025-e0e0-40e7-bffa-8a43800a8c2d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d38eab0a-066a-4b46-a8f4-1673855a408f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.439331Z", "modified": 
"2024-05-08T13:40:24.439331Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--b252a6b8-98b2-4661-86bd-d0195dca0d06", "target_ref": "attack-pattern--1a8a7025-e0e0-40e7-bffa-8a43800a8c2d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9929bc24-df31-4298-8db9-8ca10fc761d7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.439388Z", "modified": "2024-05-08T13:40:24.439388Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--7e5a1d29-de9c-4815-a7c6-1dcd85426063", "target_ref": "attack-pattern--1a8a7025-e0e0-40e7-bffa-8a43800a8c2d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--dc243c20-7015-49e5-848c-0b3b033bb116", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.439446Z", "modified": "2024-05-08T13:40:24.439446Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--b64f3fef-9e49-4ae9-9491-86969c146584", "target_ref": "attack-pattern--1a8a7025-e0e0-40e7-bffa-8a43800a8c2d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--54adc5f6-567b-42b2-810e-67d3ea9ba429", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.439507Z", "modified": "2024-05-08T13:40:24.439507Z", "relationship_type": "subtechnique-of", "source_ref": 
"attack-pattern--3fa17565-09b3-4e6f-a26e-991585a4ffa4", "target_ref": "attack-pattern--b2973dea-b075-4ba8-9d5a-00bc59f74854", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b4663c8c-eac6-4f2f-89c6-c2cdfdb8e05c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.439564Z", "modified": "2024-05-08T13:40:24.439564Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--c7beca4f-74b7-48d0-b2a0-f723e0f984ed", "target_ref": "attack-pattern--2e583c50-a05f-4ebf-8d30-b62441eeadb2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--795f40ab-ddf2-4205-8018-36e6d69996d4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.43963Z", "modified": "2024-05-08T13:40:24.43963Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--e1af424a-0030-46c5-b276-4ce3febb67fc", "target_ref": "attack-pattern--2e583c50-a05f-4ebf-8d30-b62441eeadb2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--89d88c87-4c39-4c68-be04-c0a02c99e098", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.43969Z", "modified": "2024-05-08T13:40:24.43969Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--29fb344c-bfdf-4f2b-bafb-b094622d5195", "target_ref": 
"attack-pattern--2e583c50-a05f-4ebf-8d30-b62441eeadb2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fcd3e9b2-505c-4cf7-bf45-e2374cef2c40", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.439747Z", "modified": "2024-05-08T13:40:24.439747Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--fea6dbf6-00da-4251-985c-3cb72df04ac4", "target_ref": "attack-pattern--79c9715a-99c2-4498-a9e4-d91fbe9c1db9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3303abd0-eff0-4054-aef4-db5b528bace8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.439831Z", "modified": "2024-05-08T13:40:24.439831Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--c093de82-06d4-4c44-adfa-41bd6d17890f", "target_ref": "attack-pattern--79c9715a-99c2-4498-a9e4-d91fbe9c1db9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--565ccf1c-29d0-4ded-9cec-b916072ee06b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.439926Z", "modified": "2024-05-08T13:40:24.439926Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--accdf079-d8e0-4cd2-b30d-4b2423bcbbf2", "target_ref": "attack-pattern--79c9715a-99c2-4498-a9e4-d91fbe9c1db9", "x_mitre_attack_spec_version": "2.1.0", 
"x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cbdecd97-646b-488c-b3c2-725b9fdbc0a4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.440006Z", "modified": "2024-05-08T13:40:24.440006Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--4120d712-becb-4525-8281-b79d799e8b11", "target_ref": "attack-pattern--79c9715a-99c2-4498-a9e4-d91fbe9c1db9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1f2009a1-50de-4c10-9126-9d2c192c1fb3", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.440073Z", "modified": "2024-05-08T13:40:24.440073Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--92feebf8-823d-49cb-807e-3c45bdb3edde", "target_ref": "attack-pattern--0af2f022-bbf3-4168-9570-4fe884e440ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e2c2ee24-b95b-4fb2-9993-c3f050b4138c", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.440133Z", "modified": "2024-05-08T13:40:24.440133Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--fbfa6881-a615-4863-910e-ee44464ec8e9", "target_ref": "attack-pattern--0af2f022-bbf3-4168-9570-4fe884e440ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6c88db58-9ecb-4ba1-8fa0-c31a6100e496", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.440197Z", "modified": "2024-05-08T13:40:24.440197Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--c145f009-cd7d-407c-81d7-05f46bf6b8a8", "target_ref": "attack-pattern--0af2f022-bbf3-4168-9570-4fe884e440ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--153130d5-3fca-4b77-a795-a8f312671187", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.440258Z", "modified": "2024-05-08T13:40:24.440258Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--18dfc361-e77b-469a-ae83-dff3e0eb57e9", "target_ref": "attack-pattern--b7add753-c3ca-409b-b244-7ccf3dfcdfdb", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--37016b93-44b9-4e77-9b12-98965fc8a4a4", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.440322Z", "modified": "2024-05-08T13:40:24.440322Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--860c42ef-bb44-4de5-9ab4-1d2dde128758", "target_ref": "attack-pattern--655d8452-5dba-4f9e-bda8-b571432d5382", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": 
"relationship--f82ca1d2-ff88-4dd7-a6de-2264ae3c46d9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.44038Z", "modified": "2024-05-08T13:40:24.44038Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--6b338d24-50e2-474b-acc3-3ba761b525d8", "target_ref": "attack-pattern--655d8452-5dba-4f9e-bda8-b571432d5382", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e64df2f6-1181-4934-b06f-bd9a2dd947f7", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.440447Z", "modified": "2024-05-08T13:40:24.440447Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--dd77ebc4-d327-4612-8f33-c099eb1e8573", "target_ref": "attack-pattern--655d8452-5dba-4f9e-bda8-b571432d5382", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--62f88e6b-e44b-4de1-aa6b-85863d7588a0", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.440507Z", "modified": "2024-05-08T13:40:24.440507Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--956f07dd-3949-4c79-8e78-42805378ec74", "target_ref": "attack-pattern--82e5e173-9ed7-404b-a58a-3718c93c5628", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6b210d60-7454-4bbb-b85e-9955cd28d52b", "created_by_ref": 
"identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.440565Z", "modified": "2024-05-08T13:40:24.440565Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--84932e4b-3ef0-490e-becf-36c9c4abd888", "target_ref": "attack-pattern--82e5e173-9ed7-404b-a58a-3718c93c5628", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3b457cb0-b194-4fb5-9597-a0f8fbe183cc", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.44063Z", "modified": "2024-05-08T13:40:24.44063Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--215bc946-0066-430c-9a6b-f2e7685a7b65", "target_ref": "attack-pattern--82e5e173-9ed7-404b-a58a-3718c93c5628", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2e999b13-5ce5-42f8-8426-4168b0263a41", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.440688Z", "modified": "2024-05-08T13:40:24.440688Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--89caf13e-9bf3-483e-8372-36f4da264374", "target_ref": "attack-pattern--da39f9b2-3fc3-4858-9e64-fa587a26a2bd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bf68a74d-8bcb-4363-b972-af993f40c117", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.440747Z", "modified": 
"2024-05-08T13:40:24.440747Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--9c0cd0fe-d904-4be3-a01c-a48c84bdb6f9", "target_ref": "attack-pattern--3dca07b0-c955-407e-8e77-a1d17a47f182", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e5ccf941-594e-45cb-806b-8bbcb6077327", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.440803Z", "modified": "2024-05-08T13:40:24.440803Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--9dd00955-ecdd-4e3f-b074-41542605300d", "target_ref": "attack-pattern--3dca07b0-c955-407e-8e77-a1d17a47f182", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--dbdc3012-5b20-40e4-b396-8d8d4596e0cb", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.44086Z", "modified": "2024-05-08T13:40:24.44086Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--63fb52b3-ed25-41b3-b90a-1eeea7737e9a", "target_ref": "attack-pattern--3dca07b0-c955-407e-8e77-a1d17a47f182", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--21f82448-d52f-45df-9b15-e88401aa0c8f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.440921Z", "modified": "2024-05-08T13:40:24.440921Z", "relationship_type": "subtechnique-of", "source_ref": 
"attack-pattern--576338cb-56b7-408c-a727-2ec68286eaad", "target_ref": "attack-pattern--3dca07b0-c955-407e-8e77-a1d17a47f182", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ad61899f-b495-4599-83e7-3f7e3887171b", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.440978Z", "modified": "2024-05-08T13:40:24.440978Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--3bdb828a-caf8-4617-8e33-fd4d174f650a", "target_ref": "attack-pattern--3dca07b0-c955-407e-8e77-a1d17a47f182", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--eb2ee356-ecec-4b8a-bc80-c19ee951275f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.441035Z", "modified": "2024-05-08T13:40:24.441035Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--16066262-455e-4fa5-bb9c-28bca4df3105", "target_ref": "attack-pattern--a941dc49-6970-491b-9ba3-e94934094c79", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e3eeb92a-1ef4-4ecc-9069-2c6cf643a0e8", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.441097Z", "modified": "2024-05-08T13:40:24.441097Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--d5c5cadd-e0e8-4f42-8b66-49b5af079f2c", "target_ref": 
"attack-pattern--a941dc49-6970-491b-9ba3-e94934094c79", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4aeb872d-4516-4138-af95-9024221f5de2", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.441545Z", "modified": "2024-05-08T13:40:24.441545Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--82654405-9968-4dcc-abfa-41eb3681f042", "target_ref": "attack-pattern--260d8064-bcf3-4bac-9a59-5f77ce2b9a48", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bb683d6f-3ce5-4ca5-9eef-399ee019b250", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.441623Z", "modified": "2024-05-08T13:40:24.441623Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--b564bf40-14c7-4607-b91a-9fe03b6938b2", "target_ref": "attack-pattern--260d8064-bcf3-4bac-9a59-5f77ce2b9a48", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4d4557fd-663d-4b18-bd7f-2f04d4592e63", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.441687Z", "modified": "2024-05-08T13:40:24.441687Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--95039596-fc1d-440f-906e-a71a4e47a602", "target_ref": "attack-pattern--260d8064-bcf3-4bac-9a59-5f77ce2b9a48", "x_mitre_attack_spec_version": "2.1.0", 
"x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--eb5008e9-d926-4aa0-bbd5-0d24d1badba9", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.441746Z", "modified": "2024-05-08T13:40:24.441746Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--5150e731-4d58-4daa-9601-a79ba66beedb", "target_ref": "attack-pattern--a87d582b-e5f2-4880-bbe3-521c922892c8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2fe4b893-c147-40bd-944f-ec4b1a6660af", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-05-08T13:40:24.441805Z", "modified": "2024-05-08T13:40:24.441805Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--d754cd69-458a-4ad7-899c-90479f6223db", "target_ref": "attack-pattern--20dcfb35-9aa6-4995-b272-d4334960c6e2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1", "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "x-mitre-matrix", "spec_version": "2.1", "id": "x-mitre-matrix--095911b6-fbdf-4da7-9ee4-2a27aee8c88f", "created_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2022-07-29T17:49:20.000Z", "modified": "2024-05-08T16:40:24.453Z", "name": "Azure Threat Research Matrix", "external_references": [ { "source_name": "mitre-attack", "url": "https://microsoft.github.io/Azure-Threat-Research-Matrix/", "external_id": "atrm" } ], "description": "The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, 
techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.", "x_mitre_attack_spec_version": "2.1.0", "tactic_refs": [ "x-mitre-tactic--467446fb-ffef-4171-a753-672f71b90bf1", "x-mitre-tactic--f7b60851-228c-4eb9-b8ec-dbc78ca17b00", "x-mitre-tactic--cd6f8a9e-610b-4dbd-a043-b362ad9e838d", "x-mitre-tactic--cddfc9a2-bc7d-496c-9a45-2d8a7c5931ef", "x-mitre-tactic--f22aa093-be62-4f85-9400-51ebbacb0465", "x-mitre-tactic--67fe57e8-d611-428d-809f-3bb6cc658b27", "x-mitre-tactic--1186c3fa-50bd-4ecf-985f-e1d4ec838597" ], "x_mitre_version": "0.1", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_modified_by_ref": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e" }, { "type": "identity", "spec_version": "2.1", "id": "identity--5dcf0a7a-875b-470b-8a01-7c6a84c5e68e", "created": "2024-02-05T14:00:00.188Z", "modified": "2024-02-05T14:00:00.188Z", "name": "aw350m33d (Security Experts Community)", "identity_class": "organization", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "0.1" } ] }