Persistence#
The adversary is trying to persist in the Azure tenant or subscription. Persistence consists of techniques that adversaries use to modify existing resources, or modify and manipulate accounts in order to access Azure Active Directory.
| ID | Name | Description | |
|---|---|---|---|
| AZT501 | Account Manipulation | An adverary may manipulate an account to maintain access in an Azure tenant | |
| AZT501.1 | User Account Manipulation | An adverary may manipulate a user account to maintain access in an Azure tenant | |
| AZT501.2 | Service Principal Manipulation | An adverary may manipulate a service principal to maintain access in an Azure tenant | |
| AZT501.3 | Azure VM Local Administrator Manipulation | An adverary may manipulate the local admin account on an Azure VM | |
| AZT502 | Account Creation | An adversary may create an account in Azure Active Directory. | |
| AZT502.1 | User Account Creation | An adversary may create a user account in Azure Active Directory. | |
| AZT502.2 | Service Principal Creation | An adversary may create an application & service principal in Azure Active Directory | |
| AZT502.3 | Guest Account Creation | An adversary may create a guest account in Azure Active Directory | |
| AZT503 | HTTP Trigger | Adversaries may configure a resource with an HTTP trigger to run commands without needing authentication. | |
| AZT503.1 | Logic Application HTTP Trigger | Adversaries may configure a Logic Application with an HTTP trigger to run commands without needing authentication. | |
| AZT503.2 | Function App HTTP Trigger | Adversaries may configure a Function App with an HTTP trigger to run commands without needing authentication. | |
| AZT503.3 | Runbook Webhook | Adversaries may create a webhook to a Runbook which allows unauthenticated access into an Azure subscription or tenant. | |
| AZT503.4 | WebJob | Adversaries may create a WebJob on a App Service which allows arbitrary background tasks to be run on a set schedule | |
| AZT504 | Watcher Tasks | By configurating a watcher task and a Runbook, an adversary can establish persistence by executing the Runbook on a triggered event. | |
| AZT505 | Scheduled Jobs | By configurating an Azure resource that supports scheduled execution, an adversary can execute an operation at a defined interval. | |
| AZT505.1 | Runbook Schedules | Adversaries may create a schedule for a Runbook to run at a defined interval. | |
| AZT506 | Network Security Group Modification | Adversaries can modify the rules in a Network Security Group to establish access over additional ports. | |
| AZT507 | External Entity Access | Adversaries may configure the target Azure tenant to be managed by another, externel tenant, or its users. | |
| AZT507.1 | Azure Lighthouse | Adversaries may utilize Azure Lighthouse to manage the target tenant from an external tenant. | |
| AZT507.2 | Microsoft Partners | Adversaries may use Delegated Administrative Privileges to give themselves administrator access to the target tenant. | |
| AZT507.3 | Subscription Hijack | An adversary may transfer a subscription from a target tenant to an attacker-controlled tenant. | |
| AZT507.4 | Domain Trust Modification | An adversary may add an additional identity provider or domain to maintain a backdoor into the tenant. | |
| AZT508 | Azure Policy | By configuring a policy with the 'DeployIfNotExists' definition, an adverary may establish persistence by creating a backdoor when the policy is triggered. | |
| AZT509 | Azure Bastion | Azure Bastion can be abused to allow persistent network access to a virtual machine over public internet. |