# Credential Access

The adversary is trying to steal account usernames, passwords, or access tokens. Credential access in Azure consists of stealing the material used for authentication, which includes passwords and tokens. Stealing these credentials can give adversaries a potential avenue for privilege escalation or persistence.
ID | Name | Description
---|---|---
AZT601 | Steal Managed Identity JsonWebToken | An adversary may utilize the resource's functionality to obtain a JWT for the applied Managed Identity Service Principal account.
.001 | Virtual Machine IMDS Request | By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an Azure VM if they have access to execute commands on the system.
.002 | Azure Kubernetes Service IMDS Request | By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an AKS Cluster if they have access to execute commands on the system.
.003 | Logic Application JWT PUT Request | If a Logic App is using a Managed Identity, an adversary can modify the logic to make an HTTP POST request to reveal the Managed Identity's JWT.
.004 | Function Application JWT GET Request | If a Function App is using a Managed Identity, an adversary can modify the logic to respond to an HTTP GET request to reveal the Managed Identity's JWT.
.005 | Automation Account Runbook | If an Automation Account is using a Managed Identity, an adversary can create a Runbook to request the Managed Identity's JWT.
AZT602 | Steal Service Principal Certificate | An adversary may steal a Service Principal's certificate for authentication.
.001 | Automation Account RunAs Account | If a Runbook is utilizing a 'RunAs' account, then an adversary may manipulate the Runbook to reveal the certificate the Service Principal is using for authentication.
AZT603 | Service Principal Secret Reveal | An adversary may reveal a service principal's secret in plain text.
.001 | Function App Settings | If a Function App is using a service principal for authentication, an adversary may manipulate the function app logic to reveal the service principal's secret in plain text.
AZT604 | Azure KeyVault Dumping | An adversary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.
.001 | Azure KeyVault Secret Dump | By accessing an Azure KeyVault, an adversary may dump any or all secrets.
.002 | Azure KeyVault Certificate Dump | By accessing an Azure KeyVault, an adversary may dump any or all certificates.
.003 | Azure KeyVault Key Dump | By accessing an Azure KeyVault, an adversary may dump any or all keys.
AZT605 | Resource Secret Reveal | 
.001 | Storage Account Access Key Dumping | By accessing a Storage Account, an adversary may dump access keys pertaining to the Storage Account, which will give them full access to the Storage Account.
.002 | Automation Account Credential Secret Dump | By editing a Runbook, a credential configured in an Automation Account may be revealed.
.003 | Resource Group Deployment History Secret Dump | By accessing the deployment history of a Resource Group, secrets used in the ARM template may be revealed.